Remove Development Rules from 8.12 security docs #5828

Merged
merged 1 commit into from
Sep 13, 2024
Expand Up @@ -996,12 +996,8 @@ and their rule type is `machine_learning`.

|<<microsoft-365-global-administrator-role-assigned, Microsoft 365 Global Administrator Role Assigned>> |In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all subscriptions and their settings and resources. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Identity and Access Audit], [Tactic: Persistence] |None |206

|<<microsoft-365-impossible-travel-activity, Microsoft 365 Impossible travel activity>> |Identifies when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Initial Access] |None |1

|<<microsoft-365-inbox-forwarding-rule-created, Microsoft 365 Inbox Forwarding Rule Created>> |Identifies when a new Inbox forwarding rule is created in Microsoft 365. Inbox rules process messages in the Inbox based on conditions and take actions. In this case, the rules will forward the emails to a defined address. Attackers can abuse Inbox Rules to intercept and exfiltrate email data without making organization-wide configuration changes or having the corresponding privileges. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Collection] |None |206

|<<microsoft-365-mass-download-by-a-single-user, Microsoft 365 Mass download by a single user>> |Identifies when Microsoft Cloud App Security reports that a single user performs more than 50 downloads within 1 minute. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Exfiltration] |None |1

|<<microsoft-365-potential-ransomware-activity, Microsoft 365 Potential ransomware activity>> |Identifies when Microsoft Cloud App Security reports that a user has uploaded files to the cloud that might be infected with ransomware. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Impact] |None |206

|<<microsoft-365-teams-custom-application-interaction-allowed, Microsoft 365 Teams Custom Application Interaction Allowed>> |Identifies when custom applications are allowed in Microsoft Teams. If an organization requires applications other than those available in the Teams app store, custom applications can be developed as packages and uploaded. An adversary may abuse this behavior to establish persistence in an environment. |[Domain: Cloud], [Data Source: Microsoft 365], [Use Case: Configuration Audit], [Tactic: Persistence] |None |207
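Review bot: the rendered view drops the `-` markers, so the only way to see what this hunk removes is the header count (`-996,12 +996,8`, four lines gone): that matches the two `Microsoft 365 Impossible travel activity` and `Microsoft 365 Mass download by a single user` rows plus their blank separators, both at version 1 and both dependent on Microsoft Cloud App Security alerts. Since the table cells are `<<anchor, Title>>` cross-references, the matching `include::rule-details/...` lines and the detail files must go in the same commit or the asciidoc build will report dangling xrefs; the second file's hunk does remove those two includes, so this checks out.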
Expand Down Expand Up @@ -1656,8 +1652,6 @@ and their rule type is `machine_learning`.

|<<psexec-network-connection, PsExec Network Connection>> |Identifies use of the SysInternals tool PsExec.exe making a network connection. This could be an indication of lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: Sysmon] |None |109

|<<python-script-execution-via-command-line, Python Script Execution via Command Line>> |Identifies when a Python script is executed using command line input and imports the sys module. Attackers often use this method to execute malicious scripts and avoiding writing it to disk. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [OS: Windows], [Use Case: Threat Detection], [Tactic: Execution], [Data Source: Elastic Defend] |None |1

|<<quarantine-attrib-removed-by-unsigned-or-untrusted-process, Quarantine Attrib Removed by Unsigned or Untrusted Process>> |Detects deletion of the quarantine attribute by an unusual process (xattr). In macOS, when applications or programs are downloaded from the internet, there is a quarantine flag set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time. An adversary may disable this attribute to evade defenses. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |None |109

|<<query-registry-using-built-in-tools, Query Registry using Built-in Tools>> |This rule identifies the execution of commands that can be used to query the Windows Registry. Adversaries may query the registry to gain situational awareness about the host, like installed security software, programs and settings. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR], [Data Source: Elastic Defend] |None |105
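Review bot: the single row removed here, `Python Script Execution via Command Line` (version 1), fits the pattern of the other removals, but the PR title only says "Development Rules" and the description is not visible on this page. Please list the removed rule names in the PR body (Impossible travel activity, Mass download by a single user, Python Script Execution via Command Line, WPAD Service Exploit, Windows User Account Creation) so the 8.12 docs changelog and anyone cross-checking against the prebuilt-rules package can verify the set without reconstructing it from hunk counts.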
Expand Down Expand Up @@ -2328,8 +2322,6 @@ and their rule type is `machine_learning`.

|<<wmic-remote-command, WMIC Remote Command>> |Identifies the use of wmic.exe to run commands on remote hosts. While this can be used by administrators legitimately, attackers can abuse this built-in utility to achieve lateral movement. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Lateral Movement], [Data Source: Elastic Defend], [Rule Type: BBR], [Data Source: Sysmon], [Data Source: Elastic Endgame], [Data Source: System] |None |6

|<<wpad-service-exploit, WPAD Service Exploit>> |Identifies probable exploitation of the Web Proxy Auto-Discovery Protocol (WPAD) service. Attackers who have access to the local network or upstream DNS traffic can inject malicious JavaScript to the WPAD service which can lead to a full system compromise. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Privilege Escalation], [Data Source: Elastic Defend] |None |1

|<<writedac-access-on-active-directory-object, WRITEDAC Access on Active Directory Object>> |Identifies the access on an object with WRITEDAC permissions. With the WRITEDAC permission, the user can perform a Write Discretionary Access Control List (WriteDACL) operation, which is used to modify the access control rules associated with a specific object within Active Directory. Attackers may abuse this privilege to grant themselves or other compromised accounts additional rights, ultimately compromising the target object, resulting in privilege escalation, lateral movement, and persistence. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Defense Evasion], [Data Source: Active Directory], [Use Case: Active Directory Monitoring], [Rule Type: BBR], [Data Source: System] |None |5

|<<web-application-suspicious-activity-post-request-declined, Web Application Suspicious Activity: POST Request Declined>> |A POST request to a web application returned a 403 response, which indicates the web application declined to process the request because the action requested was not allowed. |[Data Source: APM] |None |102
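Review bot: style point on the surrounding context rather than the removed `WPAD Service Exploit` row: `writedac-access-on-active-directory-object` sorts before `web-application-suspicious-activity-post-request-declined`, which breaks the table's alphabetical order (`wr` after `we`). This is pre-existing and not introduced by this PR, but it is worth a follow-up since the include list in `rule-desc-index.asciidoc` mirrors the same order.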
Expand Down Expand Up @@ -2380,8 +2372,6 @@ and their rule type is `machine_learning`.

|<<windows-system-network-connections-discovery, Windows System Network Connections Discovery>> |This rule identifies the execution of commands that can be used to enumerate network connections. Adversaries may attempt to get a listing of network connections to or from a compromised system to identify targets within an environment. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR], [Data Source: Elastic Defend] |None |4

|<<windows-user-account-creation, Windows User Account Creation>> |Identifies attempts to create a Windows User Account. This is sometimes done by attackers to persist or increase access to a system or domain. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: System] |None |1

|<<wireless-credential-dumping-using-netsh-command, Wireless Credential Dumping using Netsh Command>> |Identifies attempts to dump Wireless saved access keys in clear text using the Windows built-in utility Netsh. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Discovery], [Data Source: Elastic Endgame], [Resources: Investigation Guide], [Data Source: Elastic Defend], [Data Source: System] |None |9

|<<yum-package-manager-plugin-file-creation, Yum Package Manager Plugin File Creation>> |Detects file creation events in the plugin directories for the Yum package manager. In Linux, Yum (Yellowdog Updater, Modified) is a command-line utility used for handling packages on (by default) Fedora-based systems, providing functions for installing, updating, upgrading, and removing software along with managing package repositories. Attackers can backdoor Yum to gain persistence by injecting malicious code into plugins that Yum runs, thereby ensuring continued unauthorized access or control each time Yum is used for package management. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Defense Evasion], [Data Source: Elastic Defend] |None |2
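Review bot: the removed `Windows User Account Creation` row is, again, the only version-1 entry in this region, while `wireless-credential-dumping-using-netsh-command` (version 9) and `yum-package-manager-plugin-file-creation` (version 2) stay. If "version 1" is the criterion being used to identify development rules that never shipped in 8.12, state that in the PR description so the next docs refresh for this branch can apply the same filter consistently instead of hand-picking rows.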
5 changes: 0 additions & 5 deletions docs/detections/prebuilt-rules/rule-desc-index.asciidoc
Expand Up @@ -489,9 +489,7 @@ include::rule-details/microsoft-365-exchange-safe-link-policy-disabled.asciidoc[
include::rule-details/microsoft-365-exchange-transport-rule-creation.asciidoc[]
include::rule-details/microsoft-365-exchange-transport-rule-modification.asciidoc[]
include::rule-details/microsoft-365-global-administrator-role-assigned.asciidoc[]
include::rule-details/microsoft-365-impossible-travel-activity.asciidoc[]
include::rule-details/microsoft-365-inbox-forwarding-rule-created.asciidoc[]
include::rule-details/microsoft-365-mass-download-by-a-single-user.asciidoc[]
include::rule-details/microsoft-365-potential-ransomware-activity.asciidoc[]
include::rule-details/microsoft-365-teams-custom-application-interaction-allowed.asciidoc[]
include::rule-details/microsoft-365-teams-external-access-enabled.asciidoc[]
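Review bot: the two includes removed here (`microsoft-365-impossible-travel-activity`, `microsoft-365-mass-download-by-a-single-user`) match the two rows dropped from the rule table, and the header count (`-489,9 +489,7`) agrees. The four "This file was deleted" entries at the bottom of the page show the corresponding `rule-details/*.asciidoc` files are removed too, so no `include::` is left pointing at a missing file; the file header's "0 additions & 5 deletions" lines up with the five includes removed across this file's four hunks.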
Expand Down Expand Up @@ -819,7 +817,6 @@ include::rule-details/program-files-directory-masquerading.asciidoc[]
include::rule-details/prompt-for-credentials-with-osascript.asciidoc[]
include::rule-details/proxychains-activity.asciidoc[]
include::rule-details/psexec-network-connection.asciidoc[]
include::rule-details/python-script-execution-via-command-line.asciidoc[]
include::rule-details/quarantine-attrib-removed-by-unsigned-or-untrusted-process.asciidoc[]
include::rule-details/query-registry-using-built-in-tools.asciidoc[]
include::rule-details/rdp-remote-desktop-protocol-from-the-internet.asciidoc[]
Expand Down Expand Up @@ -1155,7 +1152,6 @@ include::rule-details/volume-shadow-copy-deletion-via-wmic.asciidoc[]
include::rule-details/wmi-incoming-lateral-movement.asciidoc[]
include::rule-details/wmi-wbemtest-utility-execution.asciidoc[]
include::rule-details/wmic-remote-command.asciidoc[]
include::rule-details/wpad-service-exploit.asciidoc[]
include::rule-details/writedac-access-on-active-directory-object.asciidoc[]
include::rule-details/web-application-suspicious-activity-post-request-declined.asciidoc[]
include::rule-details/web-application-suspicious-activity-unauthorized-method.asciidoc[]
Expand All @@ -1181,7 +1177,6 @@ include::rule-details/windows-subsystem-for-linux-distribution-installed.asciido
include::rule-details/windows-subsystem-for-linux-enabled-via-dism-utility.asciidoc[]
include::rule-details/windows-system-information-discovery.asciidoc[]
include::rule-details/windows-system-network-connections-discovery.asciidoc[]
include::rule-details/windows-user-account-creation.asciidoc[]
include::rule-details/wireless-credential-dumping-using-netsh-command.asciidoc[]
include::rule-details/yum-package-manager-plugin-file-creation.asciidoc[]
include::rule-details/yum-dnf-plugin-status-discovery.asciidoc[]

This file was deleted.

This file was deleted.

This file was deleted.

This file was deleted.