sigma-rules

Author	SHA1	Message	Date
Terrance DeJesus	05ac4e1bd3	[New Rule] AWS Systems Manager SecureString Parameter Request with Decryption Flag (#3590 ) * new rule 'First Occurrence of Resource Accessing AWS Systems Manager SecureString Parameters with Decryption Flag' * updated rule contents * added investigation guide; changed new terms to uder.id * adjusted time window * adjusted rule name * updated query, adjusted new terms value	2024-06-05 10:22:38 -04:00
Terrance DeJesus	c77eb1d915	[New Rule] AWS IAM Roles Anywhere Profile Creation and Trusted Anchor with External CA Created (#3609 ) * new rule 'AWS IAM Roles Anywhere Role Creation' * adjusted rule to focus on Roles Anywhere profile creation * added rule for roles anywhere trusted anchor; updated rule file naming * added investigation guide * added investigation guide * adjusted rule and file name * Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2024-06-05 10:10:53 -04:00
Ruben Groenewoud	5f36f3a03e	[Rule Tuning] Shell Configuration Creation or Modification (#3732 ) * [Rule Tuning] Shell Configuration Creation or Modification * Incompatible endgame field * Update rules/linux/persistence_shell_configuration_modification.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2024-06-05 10:28:13 +02:00
Ruben Groenewoud	e41a57f2ad	[Rule Tuning] Message-of-the-Day (MOTD) (#3730 ) * [Rule Tuning] Message-of-the-Day (MOTD) * Update persistence_message_of_the_day_creation.toml * ++ * Incompatible endgame field * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2024-06-05 10:18:30 +02:00
Ruben Groenewoud	bebf671881	[Rule Tuning] Systemd Service & Timer (#3728 ) * [Rule Tuning] Systemd Service & Timer * Update * Update persistence_systemd_scheduled_timer_created.toml * Update persistence_systemd_service_creation.toml * ++ * Incompatible endgame field * Update rules/linux/persistence_systemd_service_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2024-06-05 10:01:15 +02:00
Ruben Groenewoud	81ee6380ec	[New Rule & Tuning] (Ana)Cron & At Job Creation (#3726 ) * [New Rule & Tuning] (Ana)Cron & At Job Creation * Update persistence_at_job_creation.toml * Update persistence_cron_job_creation.toml * ++ * Incompatible endgame field * Update rules/linux/persistence_at_job_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/persistence_cron_job_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2024-06-05 09:53:42 +02:00
shashank-elastic	e357a2c050	Refresh MITRE Attack v15.1.0 (#3725 )	2024-06-04 20:14:58 +05:30
Terrance DeJesus	59b7e3bde4	[New Rule] Rapid Secret Retrieval Attempts from AWS SecretsManager (#3589 ) * new rule 'Rapid Secret Retrieval Attempts from AWS SecretsManager' * updated user identity arn to user.id for cross-service password retrieval * added investigation guides; bumped dates; adjusted threshold value * Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2024-06-04 09:20:04 -04:00
Ruben Groenewoud	90bb8b53d8	[Rule Tuning] Agent Spoofing (#3729 )	2024-06-03 19:28:24 +02:00
Terrance DeJesus	0885032b2c	[New Rule] AWS Lambda Function Policy Updated To Allow Public Invocation (#3632 ) * new rule 'AWS Lambda Function Policy Updated To Allow Public Invocation' * updated rule UUID * added investigation guide * Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2024-06-03 11:42:38 -04:00
Terrance DeJesus	856c6c5a1f	[New Rule] AWS EC2 EBS Snapshot Shared with Another Account (#3601 ) * new rule 'AWS EC2 EBS Snapshot Shared with Another Account' * added investigation guide * updated rule name * converted to ES\|QL * reverting non-ecs update	2024-06-02 10:30:08 -04:00
Terrance DeJesus	70469b4cdb	[New Rule] AWS Lambda Layer Added to Existing Function (#3631 ) * new rule 'AWS Lambda Layer Added to Existing Function' * updated query logic; added investigation note	2024-06-02 08:41:04 -04:00
Terrance DeJesus	7c82e75cf4	[New Rule] AWS S3 Bucket Policy Added to Share with External Account (#3603 ) * new rule 'AWS S3 Bucket Policy Added to Share with External Account' * added investigation guide * Update rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml	2024-06-01 10:31:41 -04:00
Isai	23ce41d8af	[New Rule] AWS GetCallerIdentity API Called for the First Time (#3711 ) * [New Rule] AWS GetCallerIdentity API Called for the First Time issue * Apply suggestions from code review name change, false positive additions, remove Setup, change new_terms window from 15d to 10d Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml fixed missing closing quotes --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-05-31 17:55:06 -04:00
shashank-elastic	418a95205e	Remove unwanted backticks (#3724 )	2024-05-31 21:46:24 +05:30
James Valente	34294fbe6d	Add exceptions to brute force threshold rule. (#3712 ) High volume, machine generated failures or MFA interruptions have been added to the rule. Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-05-30 10:12:36 +02:00
Gus Carlock	8b28a515c1	Update rule setup instructions for UEBA packages (#3652 ) * update detection-rules instructions for UEBA packages --------- Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com>	2024-05-28 14:21:46 -05:00
Terrance DeJesus	d5c57463e1	[New Rule] First Occurrence of AWS Resource Starting SSM Session to EC2 Instance (#3598 ) * new rule 'First Occurrence of AWS Resource Starting SSM Session to EC2 Instance' * added investigation guide * changed file name to match tactic * changed reference * updated tags * updated investigation notes * changed new terms value; adjusted rule name	2024-05-28 11:23:17 -04:00
Terrance DeJesus	527f785a60	[New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports (#3599 ) * new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports' * updated rule name * changed file name; added false-positive note * changed rule UUID * adjusted file name * updated tags * added investigation guide; updated query logic * Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * updated query and name * updated query optimization --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2024-05-28 10:49:20 -04:00
Ruben Groenewoud	390629da4e	[New Rule & Tunings] Linux Springtail Backdoor (#3692 ) * [New Rules and Tuning] Springtail backdoor * consistency formatting * update * unit testing formatting change * Update persistence_systemd_service_started.toml * Update persistence_systemd_service_started.toml * Update command_and_control_suspicious_network_activity_from_unknown_executable.toml	2024-05-24 10:10:11 +02:00
Samirbous	603f3c313a	Update impact_high_freq_file_renames_by_kernel.toml (#3707 )	2024-05-23 17:59:58 +01:00
shashank-elastic	63e91c2f12	Back-porting Version Trimming (#3704 )	2024-05-23 00:45:10 +05:30
Mika Ayenson	2c3dbfc039	Revert "Back-porting Version Trimming (#3681 )" This reverts commit `71d2c59b5c`.	2024-05-22 13:51:46 -05:00
shashank-elastic	71d2c59b5c	Back-porting Version Trimming (#3681 )	2024-05-23 00:11:50 +05:30
Mika Ayenson	58ba0713fe	[New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added (#3700 ) * new rule 'AWS S3 Bucket Expiration Lifecycle Configuration Added' * added investigation guide * updated query logic --------- Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-05-21 16:33:17 -05:00
Mika Ayenson	ed0038ee1d	Revert "[New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added (#3591 )" This reverts commit `137b74c3aa`.	2024-05-21 15:53:02 -05:00
Terrance DeJesus	137b74c3aa	[New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added (#3591 ) * new rule 'AWS S3 Bucket Expiration Lifecycle Configuration Added' * added investigation guide * updated query logic	2024-05-20 16:15:46 -04:00
Justin Ibarra	ce21acef9c	[Bug] Fix test_os_and_platform_in_query test and rules (#3695 ) Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2024-05-20 08:43:30 -07:00
Jonhnathan	d023ad66b1	[Rule Tuning] Add Initial SentinelOne Compatibility to Windows DRs (#3627 ) * [Rule Tuning] Add Initial SentinelOne Compatibility * updated definitions.py; updated tags; fixed unit tests * added prerelease versions for s1 integration; updated build CLI commands to allow prerelease; bumped min-stacks * updating manifests and integrations * fixing flake errors * min_stack --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2024-05-20 09:50:57 -03:00
Samirbous	ec27bf8545	Update credential_access_suspicious_web_browser_sensitive_file_access.toml (#3691 )	2024-05-17 21:30:16 -07:00
Samirbous	f0b226c2b0	[Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId (#3677 ) * Update initial_access_microsoft_365_abnormal_clientappid.toml * Update initial_access_microsoft_365_abnormal_clientappid.toml * Update initial_access_microsoft_365_abnormal_clientappid.toml * Update initial_access_microsoft_365_abnormal_clientappid.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2024-05-15 18:11:49 +01:00
Jonhnathan	0eef7f62ff	[Rule Tuning] Windows Service Installed via an Unusual Client (#3671 ) * [Rule Tuning] Windows Service Installed via an Unusual Client * Update privilege_escalation_windows_service_via_unusual_client.toml * Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2024-05-15 10:31:44 -03:00
Mika Ayenson	f07a9e6fbc	[FR] Add max_signal note, unit test, and rule tuning (#3669 )	2024-05-14 11:15:12 -05:00
Terrance DeJesus	2375297879	[New Rule] Route53 Resolver Query Log Configuration Deleted (#3592 ) * new rule 'Route53 Resolver Query Log Configuration Deleted' * added investigation guide * adjusted investigation notes * Update rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2024-05-14 10:24:20 -04:00
Samirbous	a1ef8c9fc0	[New] Unusual Execution via Microsoft Common Console File (#3663 ) * [New] Unusual Execution via Microsoft Common Console File https://www.genians.co.kr/blog/threat_intelligence/facebook * Update rules/windows/execution_initial_access_via_msc_file.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * Update rules/windows/execution_initial_access_via_msc_file.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/windows/execution_initial_access_via_msc_file.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update execution_initial_access_via_msc_file.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2024-05-14 15:07:26 +01:00
Samirbous	83462a3087	[New] Potential File Download via a Headless Browser (#3660 ) * [New] Potential File Download via a Headless Browser * Update command_and_control_headless_browser.toml * Update command_and_control_headless_browser.toml * Update command_and_control_common_webservices.toml * Update command_and_control_headless_browser.toml * Update command_and_control_headless_browser.toml	2024-05-14 13:55:14 +01:00
Terrance DeJesus	d505b95f3c	[New Rule] AWS EC2 AMI Shared with Another Account (#3600 ) * new rule 'AWS EC2 AMI Shared with Another Account' * linted; updated UUID * added investigation guide * updated description * fixed spelling errors * Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> * fixed spacing issue --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2024-05-14 01:56:26 -04:00
Terrance DeJesus	38e0f13e23	[New Rule] First Occurrence of User Identity Retrieving Credentials from EC2 Instance with an Assumed Role (#3586 ) * new rule 'First Occurrence of User Identity Sending Requests to EC2 Instance' * updated description and name * added investigation guide; adjusted description * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * updated query logic * fixed spacing issue * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml * Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2024-05-13 23:07:39 -04:00
Jonhnathan	6150f222b2	[New Rule] Alternate Data Stream Creation at Volume Root Directory (#3517 ) * [New Rule] Alternate Data Stream Creation at Volume Root Directory * Update defense_evasion_root_dir_ads_creation.toml --------- Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-05-13 08:35:12 -03:00
Colson Wilhoit	1fb58e1b61	[Tuning] MacOS Comprehensive Detection Rule Tuning (#3435 ) * Update to use new data source * Exclude FPs * Update logic * Exclude FPs * Update to match ER logic * Exclude FP * Update to match endpoint rule and reduce FPs * Update logic to reduce FPs * Update logic to reduce FPs * Exclude FPs * Update logic to remove FPs * Update logic to reduce FPs * Update logic and min stack version to reduce FPs * Exclude FP * Remove FPs * Update logic and min stack to reduce FPs * Exclude FPs * Update logic and min stack to exclude FPs * Update logic and min stack to exclude FPs * Update logic to be more efficient * Update logic * Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml * Update rules/macos/defense_evasion_modify_environment_launchctl.toml * Update rules/macos/persistence_docker_shortcuts_plist_modification.toml * Update rules/macos/privilege_escalation_local_user_added_to_admin.toml * Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml * Update persistence_folder_action_scripts_runtime.toml * Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update rules/macos/execution_installer_package_spawned_network_event.toml * Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml * Update rules/macos/credential_access_credentials_keychains.toml * Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml * Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml * Update rules/macos/persistence_loginwindow_plist_modification.toml * Update rules/macos/persistence_folder_action_scripts_runtime.toml * Fix * Fix * Fix * Update min stack comments * Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml * Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml * Update rules/macos/credential_access_systemkey_dumping.toml * Update rules/macos/discovery_users_domain_built_in_commands.toml * Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml * Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml * Update rules/macos/privilege_escalation_local_user_added_to_admin.toml * Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml * Update rules/macos/persistence_folder_action_scripts_runtime.toml * Remove field --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-05-11 12:52:18 -05:00
Jonhnathan	11dca27974	[New Rule] Potential Widespread Malware Infection (#3656 ) * [New Rule] Potential Widespread Malware Infection * Update potential_widespread_malware_infection.toml * . * Update execution_potential_widespread_malware_infection.toml * Update rules/cross-platform/execution_potential_widespread_malware_infection.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/cross-platform/execution_potential_widespread_malware_infection.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2024-05-10 13:51:04 -03:00
Jonhnathan	6cc39a538f	[New Rule] Potential PowerShell HackTool Script by Author (#2472 ) * [New Rule] Potential PowerShell HackTool Script by Author * Update execution_posh_hacktool_authors.toml * Update execution_posh_hacktool_authors.toml * Update execution_posh_hacktool_authors.toml * Apply suggestions from code review Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update execution_posh_hacktool_authors.toml * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update execution_posh_hacktool_authors.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-05-09 18:41:56 -07:00
terrancedejesus	69595a5f69	updated query logic	2024-05-09 18:31:50 -07:00
Jonhnathan	f85d7482fd	[New Rule] Potential PowerShell HackTool Script by Author (#2472 ) * [New Rule] Potential PowerShell HackTool Script by Author * Update execution_posh_hacktool_authors.toml * Update execution_posh_hacktool_authors.toml * Update execution_posh_hacktool_authors.toml * Apply suggestions from code review Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update execution_posh_hacktool_authors.toml * Apply suggestions from code review Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update execution_posh_hacktool_authors.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2024-05-09 13:00:41 -03:00
Samirbous	7a61070e08	[Tuning] Component Object Model Hijacking (#3655 ) * [Tuning] Component Object Model Hijacking * Update rules/windows/persistence_suspicious_com_hijack_registry.toml * Update persistence_suspicious_com_hijack_registry.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2024-05-08 17:44:35 +01:00
Samirbous	4a2e2764cd	[New] Ransomware over SMB (#3638 ) * [New] Ransomware over SMB * Update impact_ransomware_note_file_over_smb.toml * Update impact_ransomware_file_rename_smb.toml * ++ * Update impact_high_freq_file_renames_by_kernel.toml * Update impact_high_freq_file_renames_by_kernel.toml * Update impact_high_freq_file_renames_by_kernel.toml * Update impact_ransomware_file_rename_smb.toml * Update impact_ransomware_note_file_over_smb.toml * Update impact_high_freq_file_renames_by_kernel.toml	2024-05-07 06:38:14 +01:00
Mika Ayenson	4396a91b40	[New Rule] Unusual High Confidence Misconduct Blocks Detected (#3647 )	2024-05-06 07:32:02 -05:00
Mika Ayenson	51268581a8	[Rule Tuning] AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User (#3646 )	2024-05-04 08:20:20 -05:00
Justin Ibarra	613457b97f	[New Rules] AWS Bedrock Guardrails Violations (#3641 ) * [New Rules] AWS Bedrock Guardrails Violations --------- Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2024-05-03 20:55:27 -06:00
Mika Ayenson	2ffb0e7fe2	[New Rule] Potential Abuse of Resources by High Token Count and Large Response Sizes (#3644 )	2024-05-03 18:01:53 -05:00

1 2 3 4 5 ...

1478 Commits