diff --git a/rules_building_block/initial_access_execution_from_removable_media.toml b/rules/windows/initial_access_execution_from_removable_media.toml
similarity index 90%
rename from rules_building_block/initial_access_execution_from_removable_media.toml
rename to rules/windows/initial_access_execution_from_removable_media.toml
index c24c3e35392..92cea7a388f 100644
--- a/rules_building_block/initial_access_execution_from_removable_media.toml
+++ b/rules/windows/initial_access_execution_from_removable_media.toml
@@ -4,8 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/27"
-bypass_bbr_timing = true
+updated_date = "2024/01/12"
 
 [rule]
 author = ["Elastic"]
@@ -22,8 +21,7 @@ name = "Execution from a Removable Media with Network Connection"
 risk_score = 21
 rule_id = "1542fa53-955e-4330-8e4d-b2d812adeb5f"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Rule Type: BBR", "Data Source: Elastic Defend"]
-building_block_type = "default"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Data Source: Elastic Defend"]
 type = "eql"
 
 query = '''
diff --git a/rules_building_block/initial_access_execution_remote_via_msiexec.toml b/rules/windows/initial_access_execution_remote_via_msiexec.toml
similarity index 95%
rename from rules_building_block/initial_access_execution_remote_via_msiexec.toml
rename to rules/windows/initial_access_execution_remote_via_msiexec.toml
index b923ea62e17..3af7968309f 100644
--- a/rules_building_block/initial_access_execution_remote_via_msiexec.toml
+++ b/rules/windows/initial_access_execution_remote_via_msiexec.toml
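Review bot: The three rules this commit promotes out of rules_building_block (this file, initial_access_execution_remote_via_msiexec.toml and initial_access_xsl_script_execution_via_com.toml) drop `building_block_type` and the `Rule Type: BBR` tag but keep `risk_score = 21` and `severity = "low"` unchanged, and as far as I know alerts from non-building-block rules surface in the default alerts view where building-block alerts do not. Rules written as building blocks tend to be deliberately broad, so it is worth confirming the false-positive profile before they start alerting by default and recording it in `false_positives` if the rule body has none; the `[rule]` body is outside the hunks so I cannot tell. `min_stack_comments` still reads `"New fields added: required_fields, related_integrations, setup"`, which no longer describes this change; either note the promotion there or leave it if the project treats the field as historical.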
@@ -4,8 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/28"
-bypass_bbr_timing = true
+updated_date = "2024/01/12"
 
 [rule]
 author = ["Elastic"]
@@ -21,8 +20,7 @@ name = "Potential Remote File Execution via MSIEXEC"
 risk_score = 21
 rule_id = "3e441bdb-596c-44fd-8628-2cfdf4516ada"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
-building_block_type = "default"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 type = "eql"
 
 query = '''
diff --git a/rules_building_block/initial_access_xsl_script_execution_via_com.toml b/rules/windows/initial_access_xsl_script_execution_via_com.toml
similarity index 91%
rename from rules_building_block/initial_access_xsl_script_execution_via_com.toml
rename to rules/windows/initial_access_xsl_script_execution_via_com.toml
index f0892a1b1fb..ad3cc9bcbbb 100644
--- a/rules_building_block/initial_access_xsl_script_execution_via_com.toml
+++ b/rules/windows/initial_access_xsl_script_execution_via_com.toml
@@ -4,8 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/09/27"
-bypass_bbr_timing = true
+updated_date = "2024/01/12"
 
 [rule]
 author = ["Elastic"]
@@ -21,8 +20,7 @@ name = "Remote XSL Script Execution via COM"
 risk_score = 21
 rule_id = "48f657ee-de4f-477c-aa99-ed88ee7af97a"
 severity = "low"
-tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Rule Type: BBR", "Data Source: Elastic Defend"]
-building_block_type = "default"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Defense Evasion", "Data Source: Elastic Defend"]
 type = "eql"
 
 query = '''
diff --git a/rules_building_block/lateral_movement_posh_winrm_activity.toml b/rules_building_block/lateral_movement_posh_winrm_activity.toml
index 29a91932b83..b702c5868a9 100644
--- a/rules_building_block/lateral_movement_posh_winrm_activity.toml
+++ b/rules_building_block/lateral_movement_posh_winrm_activity.toml
@@ -4,7 +4,7 @@ integration = ["windows"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/10/19"
+updated_date = "2024/01/12"
 
 [rule]
 author = ["Elastic"]
@@ -61,6 +61,10 @@ event.category:process and host.os.type:windows and
 ?\:\\\\Logicmonitor\\\\tmp* or
 ?\:\\\\Program?Files\\\\WindowsPowerShell\\\\Modules\\\\dbatools\\\\* or
 ?\:\\\\ExchangeServer\\\\bin*
+ ) and not
+ powershell.file.script_block_text : (
+ "Export-ModuleMember -Function @('Invoke-Expression''Invoke-Command')" and
+ "function Invoke-Command {"
 )
 '''
 
diff --git a/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml b/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml
index 2217d60ec22..46b164709ef 100644
--- a/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml
+++ b/rules_building_block/lateral_movement_rdp_conn_unusual_process.toml
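Review bot: The new exclusion on `powershell.file.script_block_text` in lateral_movement_posh_winrm_activity.toml is keyed only on text inside the script block, which is not tied to the module that caused the false positive and can be satisfied by unrelated scripts; if the source is a known module, anchoring the exclusion additionally on something outside the script text (the script path or the invoking process, whichever the events carry) would be more robust, and in any case the origin of the exclusion deserves a comment above `query` so the next maintainer can re-validate it. Also, the literal `@('Invoke-Expression''Invoke-Command')` has no separator between the two array elements; if the module actually reads `@('Invoke-Expression','Invoke-Command')`, this clause never matches and the exclusion is dead, so it is worth checking against the captured sample. The enclosing query starts outside the hunk.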
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/08/29"
+updated_date = "2024/01/12"
 
 [rule]
 author = ["Elastic"]
@@ -30,8 +30,16 @@ type = "eql"
 
 query = '''
 network where host.os.type == "windows" and event.action == "connection_attempted" and
 destination.port == 3389 and
- not process.executable : "?:\\Windows\\System32\\mstsc.exe" and
- destination.ip != "::1" and destination.ip != "127.0.0.1"
+ destination.ip != "::1" and destination.ip != "127.0.0.1" and
+ not (
+ process.executable : (
+ "?:\\Windows\\System32\\mstsc.exe",
+ "?:\\Program Files (x86)\\mRemoteNG\\mRemoteNG.exe",
+ "?:\\Program Files (x86)\\PRTG Network Monitor\\PRTG Probe.exe",
+ "?:\\Program Files\\Azure Advanced Threat Protection Sensor\\*\\Microsoft.Tri.Sensor.exe",
+ "?:\\Program Files (x86)\\Microsoft\\Remote Desktop Connection Manager\\RDCMan.exe"
+ ) and process.code_signature.trusted == true
+ )
 '''
 
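Review bot: The new exclusion block pairs each path with `process.code_signature.trusted == true` but not with the expected signer, so a validly signed binary from any publisher sitting at one of these paths is excluded from the rule; since the rule already inspects `process.code_signature`, adding the observed signer, e.g. `) and process.code_signature.trusted == true and process.code_signature.subject_name in ("<SIGNER_FROM_FP_SAMPLE>", ...)` with the values taken from the false-positive events rather than guessed, would tie the exclusion to the specific products. `mstsc.exe` also moves from an unconditional exclusion to the signed-and-trusted branch, so on events where `process.code_signature.trusted` is absent or false an mstsc.exe connection now matches; if that is intended, a one-line comment above `query` saying so would save the next reader from reading it as an accident.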