
[Rule Tuning] Increase lookback for endpoint rules #200


Merged
1 change: 1 addition & 0 deletions rules/linux/credential_access_tcpdump_activity.toml
Expand Up @@ -17,6 +17,7 @@ false_positives = [
troubleshooting.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
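Review bot: The added `from = "now-9m"` sets the query window without any visible `interval` to anchor it, so the amount of overlap this buys is implicit; if these rules rely on the detection engine's default 5-minute interval, the effect is roughly four minutes of re-scan to absorb late-arriving endpoint events, but a later change to a longer `interval` would silently reopen the gap. The value is a bare number repeated in every file of this PR, so I would pin the rationale where it is read, e.g. `from = "now-9m"  # ~4m overlap on the default 5m interval; endpoint events can arrive late` — or, if the repo's rule tooling rewrites these files and drops comments, in the rule-tuning docs instead. The same line is added in every other file section of this PR, so this applies to all of them; each file's `[rule]` table begins above the hunk.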
Expand Up @@ -10,6 +10,7 @@ description = """
Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to
receive or send network traffic.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Down Expand Up @@ -43,3 +44,4 @@ reference = "https://attack.mitre.org/techniques/T1089/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

Expand Up @@ -10,6 +10,7 @@ description = """
Adversaries may attempt to disable the syslog service in an attempt to an attempt to disrupt event logging and evade
detection by security controls.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
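Review bot: The description context line `in an attempt to an attempt to disrupt event logging` repeats a phrase; since this file is touched anyway, `Adversaries may attempt to disable the syslog service in an attempt to disrupt event logging and evade` would fix it without changing the rule's meaning. The multi-line `description` string opens above the hunk.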
Expand Up @@ -13,6 +13,7 @@ false_positives = [
filtered by the process executable or username values.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -13,6 +13,7 @@ false_positives = [
filtered by the process executable or username values.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -10,6 +10,7 @@ description = """
Adversaries may attempt to clear the bash command line history in an attempt to evade detection or forensic
investigations.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "lucene"
license = "Elastic License"
1 change: 1 addition & 0 deletions rules/linux/defense_evasion_disable_selinux_attempt.toml
Expand Up @@ -11,6 +11,7 @@ Identifies potential attempts to disable Security-Enhanced Linux (SELinux), whic
support access control policies. Adversaries may disable security tools to avoid possible detection of their tools and
activities.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
1 change: 1 addition & 0 deletions rules/linux/defense_evasion_file_deletion_via_shred.toml
Expand Up @@ -11,6 +11,7 @@ Malware or other files dropped or created on a system by an adversary may leave
a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or
remove them at the end as part of the post-intrusion cleanup process.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
1 change: 1 addition & 0 deletions rules/linux/defense_evasion_file_mod_writable_dir.toml
Expand Up @@ -16,6 +16,7 @@ false_positives = [
by username.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -13,6 +13,7 @@ false_positives = [
filtered by the process executable or username values.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Down Expand Up @@ -52,3 +53,4 @@ reference = "https://attack.mitre.org/techniques/T1027/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

2 changes: 2 additions & 0 deletions rules/linux/defense_evasion_hidden_file_dir_tmp.toml
Expand Up @@ -17,6 +17,7 @@ false_positives = [
behavior. These events can be filtered by the process arguments, username, or process name values.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "lucene"
license = "Elastic License"
Expand Down Expand Up @@ -60,3 +61,4 @@ reference = "https://attack.mitre.org/techniques/T1158/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

2 changes: 2 additions & 0 deletions rules/linux/defense_evasion_kernel_module_removal.toml
Expand Up @@ -17,6 +17,7 @@ false_positives = [
Note that some Linux distributions are not built to support the removal of modules at all.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Down Expand Up @@ -58,3 +59,4 @@ reference = "https://attack.mitre.org/techniques/T1215/"
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

1 change: 1 addition & 0 deletions rules/linux/discovery_kernel_module_enumeration.toml
Expand Up @@ -17,6 +17,7 @@ false_positives = [
by ordinary users is uncommon. These can be exempted by process name or username.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
2 changes: 2 additions & 0 deletions rules/linux/discovery_virtual_machine_fingerprinting.toml
Expand Up @@ -17,6 +17,7 @@ false_positives = [
process arguments to eliminate potential noise.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Down Expand Up @@ -50,3 +51,4 @@ reference = "https://attack.mitre.org/techniques/T1082/"
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"

1 change: 1 addition & 0 deletions rules/linux/discovery_whoami_commmand.toml
Expand Up @@ -16,6 +16,7 @@ false_positives = [
automation tools and frameworks.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
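Review bot: The path `rules/linux/discovery_whoami_commmand.toml` misspells `command`; it predates this PR, but a rename in a follow-up would keep the rule discoverable by name. Nothing else in this section differs from the lookback line raised on the first file.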
1 change: 1 addition & 0 deletions rules/linux/execution_perl_tty_shell.toml
Expand Up @@ -10,6 +10,7 @@ description = """
Identifies when a terminal (tty) is spawned via Perl. Attackers may upgrade a simple reverse shell to a fully
interactive tty after obtaining initial access to a host.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
1 change: 1 addition & 0 deletions rules/linux/execution_python_tty_shell.toml
Expand Up @@ -10,6 +10,7 @@ description = """
Identifies when a terminal (tty) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully
interactive tty after obtaining initial access to a host.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -18,6 +18,7 @@ false_positives = [
suspicious.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -18,6 +18,7 @@ false_positives = [
suspicious.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
1 change: 1 addition & 0 deletions rules/linux/linux_hping_activity.toml
Expand Up @@ -16,6 +16,7 @@ false_positives = [
uncommon.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
1 change: 1 addition & 0 deletions rules/linux/linux_iodine_activity.toml
Expand Up @@ -16,6 +16,7 @@ false_positives = [
uncommon.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
1 change: 1 addition & 0 deletions rules/linux/linux_mknod_activity.toml
Expand Up @@ -16,6 +16,7 @@ false_positives = [
scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
1 change: 1 addition & 0 deletions rules/linux/linux_netcat_network_connection.toml
Expand Up @@ -18,6 +18,7 @@ false_positives = [
originate from scripts, automation tools, and frameworks.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
1 change: 1 addition & 0 deletions rules/linux/linux_nmap_activity.toml
Expand Up @@ -18,6 +18,7 @@ false_positives = [
uncommon.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
1 change: 1 addition & 0 deletions rules/linux/linux_nping_activity.toml
Expand Up @@ -16,6 +16,7 @@ false_positives = [
is usually not routine or unannounced. Use of `Nping` by non-engineers or ordinary users is uncommon.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
1 change: 1 addition & 0 deletions rules/linux/linux_process_started_in_temp_directory.toml
Expand Up @@ -13,6 +13,7 @@ false_positives = [
username.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
1 change: 1 addition & 0 deletions rules/linux/linux_socat_activity.toml
Expand Up @@ -17,6 +17,7 @@ false_positives = [
more likely to be suspicious.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
1 change: 1 addition & 0 deletions rules/linux/linux_strace_activity.toml
Expand Up @@ -16,6 +16,7 @@ false_positives = [
originate from developers or SREs engaged in debugging or system call tracing.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
1 change: 1 addition & 0 deletions rules/linux/persistence_kernel_module_activity.toml
Expand Up @@ -13,6 +13,7 @@ false_positives = [
programs by ordinary users is uncommon.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
1 change: 1 addition & 0 deletions rules/linux/persistence_shell_activity_by_web_server.toml
Expand Up @@ -13,6 +13,7 @@ false_positives = [
behavior.
""",
]
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -12,6 +12,7 @@ group. An adversary can take advantage of this to either do a shell escape or ex
with the setgid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism
on their own malware to make sure they're able to execute in elevated contexts in the future.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "lucene"
license = "Elastic License"
Expand Up @@ -12,6 +12,7 @@ user. An adversary can take advantage of this to either do a shell escape or exp
with the setuid bit to get code running in a different user’s context. Additionally, adversaries can use this mechanism
on their own malware to make sure they're able to execute in elevated contexts in the future.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "lucene"
license = "Elastic License"
1 change: 1 addition & 0 deletions rules/linux/privilege_escalation_sudoers_file_mod.toml
Expand Up @@ -10,6 +10,7 @@ description = """
A sudoers file specifies the commands that users or groups can run and from which terminals. Adversaries can take
advantage of these configurations to execute commands as other users or spawn processes with higher privileges.
"""
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -10,6 +10,7 @@ description = """
Identifies certutil.exe making a network connection. Adversaries could abuse certutil.exe to download a certificate, or
malware, from a remote URL.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, loaded DLLs (dynamically lin
credential management. This technique is sometimes used for credential dumping.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -7,6 +7,7 @@ updated_date = "2020/08/03"
[rule]
author = ["Elastic"]
description = "Adversaries can add the 'hidden' attribute to files to hide them from the user in an attempt to evade detection."
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
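Review bot: The hunk header shows `updated_date = "2020/08/03"` immediately above the `[rule]` table, and the file sections in this PR that carry counts report 1 addition and 0 deletions, which suggests none of the touched rules bump `updated_date` even though their query window changes; if that field is meant to track rule tuning, it should be set to this PR's date here and in the other files. The table that holds `updated_date` starts above the hunk.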
Expand Up @@ -10,6 +10,7 @@ description = """
Identifies attempts to clear Windows event log stores. This is often done by attackers in an attempt to evade detection
or destroy forensic evidence on a system.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -10,6 +10,7 @@ description = """
Identifies use of the fsutil.exe to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence
of files created during post-exploitation activities.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -10,6 +10,7 @@ description = """
Identifies use of the wbadmin.exe to delete the backup catalog. Ransomware and other malware may do this to prevent
system recovery.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -10,6 +10,7 @@ description = """
Identifies use of the netsh.exe to disable or weaken the local firewall. Attackers will use this command line tool to
disable the firewall during troubleshooting or to enable network mobility.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -11,6 +11,7 @@ Identifies the use of certutil.exe to encode or decode data. CertUtil is a nativ
Certificate Services. CertUtil is often abused by attackers to encode or decode base64 data for stealthier command and
control or exfiltration.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -16,6 +16,7 @@ false_positives = [
this program to be started by an Office application like Word or Excel.
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started by a script or t
behavior is unusual and is sometimes used by malicious payloads.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started by Explorer or t
Instrumentation) subsystem. This behavior is unusual and is sometimes used by malicious payloads.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -11,6 +11,7 @@ An instance of MSBuild, the Microsoft Build Engine, was started after being rena
indicate an attempt to run unnoticed or undetected.
"""
false_positives = ["The Build Engine is commonly used by Windows developers but use by non-engineers is unusual."]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Up @@ -16,6 +16,7 @@ false_positives = [
triggers this rule it can be exempted by process, user or host name.
""",
]
from = "now-9m"
index = ["winlogbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License"
Expand Down Expand Up @@ -45,3 +46,4 @@ reference = "https://attack.mitre.org/techniques/T1500/"
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"
