diff --git a/rules/windows/collection_email_outlook_mailbox_via_com.toml b/rules/windows/collection_email_outlook_mailbox_via_com.toml
index df0f8d37a40..bdff598faa5 100644
--- a/rules/windows/collection_email_outlook_mailbox_via_com.toml
+++ b/rules/windows/collection_email_outlook_mailbox_via_com.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/01/11"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/14"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Detects Inter-Process Communication with Outlook via Component Object Model from
 target user email to collect sensitive information or send email on their behalf via API.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process*"]
+index = ["logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious Inter-Process Communication via Outlook"
diff --git a/rules/windows/credential_access_dollar_account_relay.toml b/rules/windows/credential_access_dollar_account_relay.toml
index 5c679ab5b38..ba033de134b 100644
--- a/rules/windows/credential_access_dollar_account_relay.toml
+++ b/rules/windows/credential_access_dollar_account_relay.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/07/24"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/14"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,7 +14,7 @@ domain controller computer account coming from other hosts to the DC that owns t
 hash after capturing it using forced authentication.
 """
 from = "now-9m"
-index = ["logs-system.security-*", "logs-windows.forwarded*", "winlogbeat-*"]
+index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Relay Attack against a Domain Controller"
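Review bot: The two `index` edits in this file pair move in opposite directions without a recorded reason: the endpoint pattern gains its dataset/namespace hyphen (`logs-endpoint.events.process-*`), while `logs-system.security-*` loses it and becomes `logs-system.security*`. The hyphen-less form is strictly broader, since it matches any index whose name merely begins with `logs-system.security`, not only the `logs-system.security-<namespace>` data streams, so it reads as a deliberate widening rather than a typo fix. If the intent is to also catch a custom index name that has no namespace suffix, it is worth saying so once, for example with a comment above the `index` line such as `# no hyphen: also matches custom indices named logs-system.security without a namespace suffix`, or in the commit message, so the next audit of data sources does not "fix" it back. The same `logs-system.security*` change appears in the audit-policy, cdb-utility, mofcomp, WSUS and unquoted-service-path hunks below and can be documented once for all of them.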
diff --git a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
index 1514506b2c4..4238e58285e 100644
--- a/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
+++ b/rules/windows/credential_access_imageload_azureadconnectauthsvc.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/10/14"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/14"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -13,7 +13,7 @@ Identifies the load of a DLL without a valid code signature by the Azure AD Sync
 to persist or collect sensitive credentials passing through the Azure AD synchronization server.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.library*", "logs-windows.sysmon_operational-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Untrusted DLL Loaded by Azure AD Sync Service"
diff --git a/rules/windows/credential_access_regback_sam_security_hives.toml b/rules/windows/credential_access_regback_sam_security_hives.toml
index c073172740a..45500f46a21 100644
--- a/rules/windows/credential_access_regback_sam_security_hives.toml
+++ b/rules/windows/credential_access_regback_sam_security_hives.toml
@@ -2,13 +2,13 @@
 creation_date = "2024/07/01"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/08/01"
+updated_date = "2025/02/14"
 
 [rule]
 author = ["Elastic"]
 description = "Identifies attempts to access sensitive registry hives which contain credentials from the registry backup folder."
 from = "now-9m"
-index = ["logs-endpoint.events.file*"]
+index = ["logs-endpoint.events.file-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Sensitive Registry Hive Access via RegBack"
diff --git a/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml b/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
index 2906a90584e..97b93892d90 100644
--- a/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
+++ b/rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/01/14"
 integration = ["windows", "system"]
 maturity = "production"
-updated_date = "2025/01/22"
+updated_date = "2025/02/14"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -16,7 +16,7 @@ from = "now-9m"
 index = [
 "winlogbeat-*",
 "logs-windows.forwarded*",
- "logs-system.security-*"
+ "logs-system.security*"
 ]
 language = "kuery"
 license = "Elastic License v2"
diff --git a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
index adb57363689..4c92ba1613d 100644
--- a/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
+++ b/rules/windows/defense_evasion_lolbas_win_cdb_utility.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m36
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/14"
 
 [rule]
 author = ["Elastic"]
@@ -19,7 +19,7 @@ index = [
 "endgame-*",
 "logs-sentinel_one_cloud_funnel.*",
 "logs-m365_defender.event-*",
- "logs-system.security-*",
+ "logs-system.security*",
 "logs-crowdstrike.fdr*"
 ]
 language = "eql"
diff --git a/rules/windows/defense_evasion_windows_filtering_platform.toml b/rules/windows/defense_evasion_windows_filtering_platform.toml
index 4a218a8d8d6..5e393578ddd 100644
--- a/rules/windows/defense_evasion_windows_filtering_platform.toml
+++ b/rules/windows/defense_evasion_windows_filtering_platform.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/12/15"
 integration = ["system", "windows"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/14"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -13,7 +13,7 @@ Identifies multiple Windows Filtering Platform block events and where the proces
 security software. Adversaries may add malicious WFP rules to prevent Endpoint security from sending telemetry.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-windows.network-*", "logs-system.security*"]
+index = ["winlogbeat-*", "logs-windows.forwarded*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Evasion via Windows Filtering Platform"
diff --git a/rules/windows/execution_mofcomp.toml b/rules/windows/execution_mofcomp.toml
index 20b9b7e993a..04a2841944c 100644
--- a/rules/windows/execution_mofcomp.toml
+++ b/rules/windows/execution_mofcomp.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/08/23"
 integration = ["endpoint", "m365_defender", "system", "crowdstrike"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/14"
 
 [rule]
 author = ["Elastic"]
@@ -12,7 +12,7 @@ files to build their own namespaces and classes into the Windows Management Inst
 establish persistence using WMI Event Subscription.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security-*", "logs-crowdstrike.fdr*"]
+index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "endgame-*", "logs-system.security*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Mofcomp Activity"
diff --git a/rules/windows/execution_windows_script_from_internet.toml b/rules/windows/execution_windows_script_from_internet.toml
index c08aa900625..828b9b149c2 100644
--- a/rules/windows/execution_windows_script_from_internet.toml
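Review bot: The Windows Filtering Platform rule swaps the data source `logs-windows.network-*` for `logs-windows.forwarded*` in its `index` line, and that is a coverage change rather than a cosmetic one, so it deserves a sentence of explanation. If the old pattern never matched a shipped data stream (it is not one of the Windows integration datasets used elsewhere in this commit, all of which are `forwarded` or `sysmon_operational`), the rule was previously fed only by `winlogbeat-*` and `logs-system.security*`, and WEF-collected Security events were silently outside its scope until now; anyone who relied on this rule for that telemetry would want that stated in the rule's setup notes or the commit message. I would also confirm that the events the query body (outside this hunk) keys on are actually present in the `windows.forwarded` stream, since an `index` list that includes a stream the query can never match is easy to mistake for working coverage.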
+++ b/rules/windows/execution_windows_script_from_internet.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "Mark of The Web enrichment was added to Elastic Defend file events in 8.15.0."
 min_stack_version = "8.15.0"
-updated_date = "2025/02/07"
+updated_date = "2025/02/14"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ Identifies the creation of a Windows script downloaded from the internet followe
 Adversaries may use Windows script files for initial access and execution.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file-*", "logs-endpoint.events.process-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Execution of a Downloaded Windows Script"
diff --git a/rules/windows/impact_ransomware_file_rename_smb.toml b/rules/windows/impact_ransomware_file_rename_smb.toml
index 6feb0cda8bf..7f585c29ae5 100644
--- a/rules/windows/impact_ransomware_file_rename_smb.toml
+++ b/rules/windows/impact_ransomware_file_rename_smb.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/05/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/06/20"
+updated_date = "2025/02/14"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies an incoming SMB connection followed by a suspicious file rename opera
 ransomware attack via the SMB protocol.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file-*", "logs-endpoint.events.network-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious File Renamed via SMB"
diff --git a/rules/windows/impact_ransomware_note_file_over_smb.toml b/rules/windows/impact_ransomware_note_file_over_smb.toml
index 1f391dad49c..392a87fdba2 100644
--- a/rules/windows/impact_ransomware_note_file_over_smb.toml
+++ b/rules/windows/impact_ransomware_note_file_over_smb.toml
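Review bot: Replacing the catch-all `logs-endpoint.events.*` with an explicit pair of data streams in the `index` line of the downloaded-script rule (and, below, the two SMB ransomware rules) narrows the rule's input, and the query body that has to agree with it lies outside these hunks. These are sequence-style rules whose descriptions pair a file event with a process or network event, so every event category the sequence references must map to one of the listed streams; if one stage draws on a category that was dropped (for example a library or registry event), the sequence can never complete and the rule stops alerting with no error, which is the worst kind of detection regression. Please confirm against each query that `file` plus `process` (script rule) and `file` plus `network` (SMB rules) are the only categories used, and if the repository's rule validation does not already cross-check `index` patterns against query event categories, this commit is a good reason to add that check. The same review applies to the `impact_ransomware_note_file_over_smb.toml` hunk that follows.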
@@ -2,7 +2,7 @@
 creation_date = "2024/05/02"
 integration = ["endpoint"]
 maturity = "production"
-updated_date = "2024/06/20"
+updated_date = "2025/02/14"
 
 [rule]
 author = ["Elastic"]
@@ -11,7 +11,7 @@ Identifies an incoming SMB connection followed by the creation of a file with a
 This may indicate a remote ransomware attack via the SMB protocol.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.*"]
+index = ["logs-endpoint.events.file-*", "logs-endpoint.events.network-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Ransomware Note File Dropped via SMB"
diff --git a/rules/windows/lateral_movement_via_wsus_update.toml b/rules/windows/lateral_movement_via_wsus_update.toml
index 97d363b1bb5..5ee82d8b543 100644
--- a/rules/windows/lateral_movement_via_wsus_update.toml
+++ b/rules/windows/lateral_movement_via_wsus_update.toml
@@ -4,7 +4,7 @@ integration = ["endpoint", "windows", "system","sentinel_one_cloud_funnel", "m36
 maturity = "production"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 min_stack_version = "8.14.0"
-updated_date = "2025/01/15"
+updated_date = "2025/02/14"
 
 [rule]
 author = ["Elastic"]
@@ -14,7 +14,7 @@ WSUS is limited to executing Microsoft signed binaries, which limits the executa
 by Microsoft.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security-*", "winlogbeat-*", "logs-crowdstrike.fdr*"]
+index = ["logs-endpoint.events.process-*", "logs-windows.sysmon_operational-*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*", "logs-system.security*", "winlogbeat-*", "logs-crowdstrike.fdr*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential WSUS Abuse for Lateral Movement"
diff --git a/rules/windows/privilege_escalation_persistence_phantom_dll.toml b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
index 24f8d22772d..6ae392c415a 100644
--- a/rules/windows/privilege_escalation_persistence_phantom_dll.toml
+++ b/rules/windows/privilege_escalation_persistence_phantom_dll.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/01/07"
 integration = ["endpoint", "windows"]
 maturity = "production"
-updated_date = "2024/10/15"
+updated_date = "2025/02/14"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,7 +14,7 @@ that can be loaded from a different location by a native Windows process. This m
 privileges via privileged file write vulnerabilities.
 """
 from = "now-9m"
-index = ["winlogbeat-*", "logs-endpoint.events.library*", "logs-windows.sysmon_operational-*", "endgame-*"]
+index = ["winlogbeat-*", "logs-endpoint.events.library-*", "logs-windows.sysmon_operational-*", "endgame-*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Suspicious DLL Loaded for Persistence or Privilege Escalation"
diff --git a/rules/windows/privilege_escalation_unquoted_service_path.toml b/rules/windows/privilege_escalation_unquoted_service_path.toml
index 3b1f94308a9..2a522c081e2 100644
--- a/rules/windows/privilege_escalation_unquoted_service_path.toml
+++ b/rules/windows/privilege_escalation_unquoted_service_path.toml
@@ -2,7 +2,7 @@
 creation_date = "2023/07/13"
 integration = ["endpoint", "m365_defender", "sentinel_one_cloud_funnel", "windows", "system"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/02/14"
 min_stack_version = "8.14.0"
 min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 
@@ -14,7 +14,7 @@ higher-level directory within the path of an unquoted service executable, Window
 from its defined path variable instead of the benign one in a deeper directory, thus leading to code execution.
 """
 from = "now-9m"
-index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-system.security-*"]
+index = ["logs-endpoint.events.process-*", "logs-m365_defender.event-*", "logs-sentinel_one_cloud_funnel.*", "endgame-*", "logs-windows.sysmon_operational-*", "logs-system.security*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Potential Exploitation of an Unquoted Service Path Vulnerability"