* Build out the dataclasses for a base entry and version lock explicitly
* Ensure previous field does not have a nested previous
* Test validation on version lock for previous fields.
* [New rule] Remote Computer Account DnsHostName Update
Identifies remote update to a computer account DnsHostName attribute, if the new value is set a valid domain controller DNS hostname and the subject computer name is not a domain controller then it's high likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges :
* added MS ref url
* Update rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* new rule to check for executables launched from shared memory directory
* added references and false positive instances
* Update rules/linux/execution_shared_memory_executable.toml
* Update rules/linux/execution_shared_memory_executable.toml
* Update rules/linux/execution_shared_memory_executable.toml
* adjusted process to account for var run and lock directories
* TOML lint and query formatting
* TOML lint and query formatting
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* added BPFDoor tag to be threat specific
* TOML linting and adjusted risk because of root requirement
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [New Rule] Potential Local NTLM Relay via HTTP
Detect attempt to elevate privileges via coercing a privileged service to connect to a local rogue HTTP endpoint, leading to NTLM relay, example of logs while testing https://github.com/med0x2e/NTLMRelay2Self (step 5):
* Update credential_access_relay_ntlm_auth_via_http_spoolss.toml
* Update credential_access_relay_ntlm_auth_via_http_spoolss.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* Move etc directory under detection_rules
* Prepend original `etc` path with `detection_rules`
* Update docstrings in util and CODEOWNERS
* Add resiliency to tags to account for the old directory structure
* Bug fix: remove unused param caused by commit 6ed1a39efe
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* adjusted query to exclude OneDrive process name and MS Teams DLL reference in registry data strings
* adjusted formatting for altered query
* removed unecessary string used for reference
* removed unecessary parenthesis from new filters in query
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* added FileSyncConfig.exe for OneDrive, added regsvr32 to Teams DLL filter
* added investigation notes
* removed comment from original rule creation
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* add RDS instance deletion to aws rule
I've added to this rule to improve coverage. Currently we detect creation and stopping of RDS clusters and instances. But, we only detect for the deletion of clusters, not instances. This adds the deletion of RDS instances to the detection.
* Update rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update persistence_ec2_security_group_configuration_change_detection
Rule does not trigger as expected due to 'iam' provider. I changed the specified provider to 'ec2'.
* update to improve rule coverage
I edited this rule to include the deletion of an RDS Instance. This fills a current gap in coverage as we are able to detect the creation and stopping of RDS instances and clusters, but only detect deletion of RDS clusters.
* Revert "update to improve rule coverage"
This reverts commit b3b094274fe13c56908aa6781c8236de6e3b5380.
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
Justin Ibarra