09f49da822
[New Rule] Azure Frontdoor Web Application Firewall (WAF) Policy Deleted ( #1393 )
...
(cherry picked from commit d28c48f20f
2021-09-29 17:09:18 +00:00
ba458dea13
[New Rule] New or Modified Federation Domain ( #1212 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create persistence_new-or-modified-federation-domain.toml
* Rename persistence_new-or-modified-federation-domain.toml to persistence_new_or_modified_federation_domain.toml
* Update persistence_new_or_modified_federation_domain.toml
* Update .gitignore
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update persistence_new_or_modified_federation_domain.toml
* Update persistence_new_or_modified_federation_domain.toml
* Update persistence_new_or_modified_federation_domain.toml
* Update
* Update persistence_new_or_modified_federation_domain.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit a51ed86851
2021-09-29 12:17:22 +00:00
17845c2bf9
[New Rule] O365 Exchange Suspicious Mailbox Right Delegation ( #1211 )
...
(cherry picked from commit 5ac7fb639c
2021-09-27 21:19:34 +00:00
371247b0b2
[Rule Tuning] Add system index to Windows Event Logs Cleared ( #1502 )
...
(cherry picked from commit 63d6a54804
2021-09-24 17:06:02 +00:00
5b13666054
[Rule Tuning] Update threat mappings for Windows rules ( #1497 )
...
* Windows Rules Att&ck Mapping review
* Bump updated_date and fix reference URLs
* Fix subtechnique
* Fix test errors
(cherry picked from commit 61afb1c1c0
2021-09-23 17:09:43 +00:00
216d06ef30
[New Rule] AWS STS GetSessionToken Abuse ( #1213 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create lateral_movement_sts_getsessiontoken_abuse.toml
* Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml
* Update privilege_escalation_sts_getsessiontoken_abuse.toml
* Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update .gitignore
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update privilege_escalation_sts_getsessiontoken_abuse.toml
* Update privilege_escalation_sts_getsessiontoken_abuse.toml
* Update
* Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 93b8038d7d
2021-09-22 19:29:04 +00:00
0610e66ec2
[New Rule] Okta User Attempted Unauthorized Access ( #1209 )
...
(cherry picked from commit 3e2cf4f53e
2021-09-22 06:45:27 +00:00
98735808ab
[Rule Tuning] Fix typos in rule metadata ( #1494 )
...
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 8e3b1d28c4
2021-09-21 19:32:05 +00:00
c1a0398c3f
Additional Att&ck Mappings for credential access Rules ( #1495 )
...
Updates MITRE Technique IDs for Credential Access DRs
(cherry picked from commit f6421d8c53
2021-09-21 16:05:25 +00:00
2bb9fdb724
Add default timestamp condition for threat_query ( #1486 )
...
(cherry picked from commit 10a977914b
2021-09-20 19:20:58 +00:00
c864538606
[rule-tuning] Adding more context with triage/investigation ( #1481 )
...
* [rule-tuning] Adding more context with triage/investigation
* Adding mimikatz rule
* Fixed updated date on mimikatz rule
* Adding Defender update
* Adding scheduled task
* Adding AdFind
* Adding rare process
* Adding cloudtrail country
* Adding cloudtrail spike
* Adding threat intel
* Fixed minor spelling/syntax
* Fixed minor spelling/syntax p2
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/ml/ml_rare_process_by_host_windows.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Removed MITRE link, added Microsoft
* Update ml_cloudtrail_error_message_spike.toml
* Update ml_cloudtrail_rare_method_by_country.toml
* Update ml_rare_process_by_host_windows.toml
* Update credential_access_mimikatz_powershell_module.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update discovery_adfind_command_activity.toml
* Update lateral_movement_dns_server_overflow.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 9ff3873ee7
2021-09-16 01:08:23 +00:00
31202bf4f6
[Rule tuning] Fix typo in ML rule descriptions ( #1484 )
...
(cherry picked from commit 51a2bc815b
2021-09-14 16:37:55 +00:00
105a1fd023
[New Rule] Behavior Rule for CVE-2021-40444 Exploitation ( #1479 )
...
* [New Rule] Behavior Rule for CVE-2021-40444 Exploitation
* added a ref
* replaced \ with /
* removed unecessary wildcard
(cherry picked from commit 0875c1e4c4
2021-09-08 19:27:16 +00:00
88bfc67638
Adding control.exe ( #1477 )
...
(cherry picked from commit cb27c686e0
2021-09-08 18:31:51 +00:00
2ef59e918f
Revert #1440 new endpoint promotion rule ( #1470 )
...
* Revert #1440 new endpoint promotion rule
* Set the updated_at date
Removed changes from:
- rules/integrations/endpoint/elastic_endpoint_security_behavior_protection.toml
(selectively cherry picked from commit c9d6527280
2021-09-03 14:08:22 +00:00
2a2bcbd870
[Rule tuning] Fix spacing in reference URLs ( #1455 )
...
(cherry picked from commit 655f7d91d0
2021-09-01 00:00:06 +00:00
20a814c47f
[Rule tuning] Azure Active Directory High Risk Sign-in ( #1463 )
...
* Add Aggregated Risk Level
* There can be a risk_level_during_signin:low but have a risk_level_aggregated:high which is also just as concerning and must be alerted on.
* An example is a password spray attack and have a successful login. Which makes me consider a new rule for interesting risk event types
(cherry picked from commit 8b2c8c2e03
2021-08-30 22:34:47 +00:00
1f7c404548
Remove the 7.15+ behavior protection promotion rule
2021-08-26 08:51:38 -06:00
34ab6c81d3
[New Rule] Endpoint Security Behavior Protection ( #1440 )
...
* [New Rule] Endpoint Security Behavioral Protection
* Update readme and labeler for endpoint integration
* Fix new rule to use event.code
* Fix old rule to use event.code
* Changed from behavioral to behavior
* Rename elastic_endpoint_security_behavioral.toml to elastic_endpoint_security_behavior_protection.toml
* Back from the future (updated_date)
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
(cherry picked from commit 3b338baab0
2021-08-25 15:58:03 +00:00
689e690f8c
[New rule] Webshell Detection ( #1448 )
...
* [new-rule] Webshell Detection
* Update rules/windows/persistence_webshell_detection.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Added FP note section
* Update rules/windows/persistence_webshell_detection.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 8ddffc298b
2021-08-24 20:19:32 +00:00
cc75f645b6
[Rule Tuning] Add technique T1005 to 2 rules ( #1405 )
...
(cherry picked from commit 8099e1c733
2021-08-20 08:20:32 +00:00
94190321c1
[Rule Tuning] AWS Security Group Configuration Change Detection ( #1426 )
...
* move rule "AWS Security Group Configuration Change Detection" to integrations directory and add "aws" integration
(cherry picked from commit 3b29498907
2021-08-15 04:35:07 +00:00
604fd2a18f
Fix typos discovered by codespell ( #1430 )
...
(cherry picked from commit ddec37b731
2021-08-15 04:30:11 +00:00
e170935f1f
[New Rule] AWS EC2 Security Group Configuration Change Detection ( #1144 )
...
(cherry picked from commit 67ba66c8e7
2021-08-12 19:38:05 +00:00
9e6c107de5
[New Rule] Whitespace Padding in Process Command Line ( #1392 )
...
* Create defense_evasion_whitespace_padding_in_command_line.toml
* add newline
* update description
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 14493689b9
2021-08-11 16:16:05 +00:00
121431b40b
Refresh ATT&CK mappings to v9.0 ( #1401 )
...
* Refresh ATT&CK mappings to v9.0
* Update rules to reflect ATT&CK changes
(cherry picked from commit d31ea6253e
2021-08-04 22:17:11 +00:00
742253c61d
[Rule tuning] Revise rule description and other text ( #1398 )
...
(cherry picked from commit f8f643041a
2021-08-03 21:08:48 +00:00
fcd2071ca9
[Rule Tuning] NTDS or SAM Database File Copied ( #1378 )
...
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml to include esentutl.exe
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
(cherry picked from commit d2365783fa
2021-08-03 20:29:19 +00:00
05d01bbfe0
[Rule Tuning] Rule description tweaks ( #1388 )
...
(cherry picked from commit b736d6e748
2021-07-29 18:57:11 +00:00
0ae93632fc
[Rule Tuning] Remove \Program Files*\ style wildcards ( #1369 )
...
* Remove \Program Files*\ style wildcards
* Convert string and remote trailing .exe check
* Fix syntax
* Escape dot
* Add missing `and`
* Fix syntax for regex string
* Convert * to .* for regex
(cherry picked from commit 7b62fe296d
2021-07-22 17:56:25 +00:00
8deeab2c4d
[Rule Tuning] Update EQL rules with lookback < maxspan ( #1362 )
...
* [Rule Tuning] Update EQL rules with lookback < maxspan
* update intervals to be at least interval >= 1/2 maxspan
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
(cherry picked from commit 4aab1278bf
2021-07-22 17:10:08 +00:00
600acca704
[Fleet] Track integrations in folder and metadata ( #1372 )
...
* Track integrations in folder and metadata
* Remove duplicate entry
* Update note and tests
(cherry picked from commit 1882f4456c
2021-07-21 21:25:48 +00:00
6d9997435f
[Rule Tuning] Convert unusual extension rule to regex ( #1368 )
...
* Convert unusual extension rule to regex
* Update defense_evasion_file_creation_mult_extension.toml
* Fix date
* Fix extension
(cherry picked from commit 9f3d5328f4
2021-07-21 17:50:36 +00:00
fc2f5866a2
[Rule Tuning] Creation of Hidden Files and Directories ( #1357 )
...
* [Rule Tuning] Creation of Hidden Files and Directories
* Remove redundant `A` from the regex
(cherry picked from commit 9b559d0cd9
2021-07-21 17:48:37 +00:00
f0270973bb
[Rule Tuning] Update Google Workspace rules to use google_workspace event schema ( #1374 )
...
* use google_workspace event schema
* update to use google_workspace schema
(cherry picked from commit 23626b814c
2021-07-21 17:39:45 +00:00
cb3ceb93da
[New Rule] Windows Defender Exclusions Added via PowerShell ( #1370 )
...
* Added new rule
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Added pwsh.exe to original name
* Added PowerShell MITRE reference
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit fbd4cf2117
2021-07-21 16:55:08 +00:00
07a7784659
Update cardinality field in schema for threshold rules ( #1349 )
...
* Make cardinality array in schema for threshold rules
* update master, 7.12, 7.13, and 7.14 schemas with cardinality fix
* fix 7.12 downgrade to handle cardinality as an array
* Add two new rules to detect agent spoofing
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
(cherry picked from commit 163d9e3864
2021-07-21 16:33:59 +00:00
bc82e214c7
[Rule Tuning] Mimikatz powershell module activity detected ( #1297 )
...
* update query
* add indexes
(cherry picked from commit 95e6458c6e
2021-07-21 07:09:02 +00:00
ce66c684b0
[Rule Tuning] Add Filebeat and Auditbeat to Network Rules ( #1282 )
...
* standardized indices and added the from field
(cherry picked from commit 34df7c6b89
2021-07-21 07:00:25 +00:00
324d46ee74
[New Rule] O365 Excessive SSO Logon Errors ( #1215 )
...
(cherry picked from commit 64c3f7cdc5
2021-07-21 06:55:57 +00:00
55d2780a6e
[New Rule] Disable Windows Event and Security Logs ( #1181 )
...
(cherry picked from commit c82790f588
2021-07-21 06:45:33 +00:00
4d69ad4ae6
[Rule Tuning] Suspicious CertUtil Commands ( #1180 )
...
* update name to Suspicious CertUtil Commands
* update description, query, and filename
(cherry picked from commit 4a11ef9514
2021-07-21 06:27:37 +00:00
8916b7dd4b
[Rule Tuning] External IP Lookup from Non-Browser Process ( #1147 )
...
* Added a couple domains
ipapi.co
ip-lookup.net
ipstack.com
(cherry picked from commit 920d973064
2021-07-21 05:48:34 +00:00
9b9bebbd27
[New Rule] Parent Process PID Spoofing ( #1338 )
...
* [New Rule] Parent Process PID Spoofing
* excluding sihost FPs
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* relinted and added 2 non ecs fields
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 81ab43898c
2021-07-15 20:56:39 +00:00
7ec97e622f
[APM] Adds APM data stream 'traces-apm*' to apm rules ( #105334 ) ( #1335 )
2021-07-13 07:04:58 -06:00
89420ae976
[New Rule] Potential PrintNightmare Exploitation rules ( #1326 )
...
* [New Rule] Potential PrintNightmare Exploitation rules
* added Potential PrintNightmare File Modification
* added spoolsv as process name to narrow more the scope
* added Suspicious Print Spooler File Deletion
* removed Suspicious Print Driver Registry Modification cuz of potential noise
* Update privilege_escalation_printspooler_malicious_registry_modification.toml
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* adjusted description and added a comment for sysmon compatibility
* added FP note and relinted all files
* Update rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-07-07 18:56:39 +02:00
9fadc4c1dc
[New Rule] Complementary Rules for Recent REvil TTPs ( #1329 )
...
* [New Rule] Complementary Rules for Recent REvil TTPs
* added OFN
* relinted and added T1574.002
* removed new line
* Update defense_evasion_disabling_windows_defender_powershell.toml
* corrected rule name
* added a reference url
* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2021-07-07 17:02:40 +02:00
63a39665e3
Make "config" in note field consistent ( #1310 )
...
* Add test to ensure consistent config in note field
* Update inconsistent rule
2021-07-06 15:54:01 -08:00
c82e89ad34
Add min_stack_version to 7.14+ only rules ( #1321 )
2021-07-06 13:42:09 -06:00
8e451f2318
[New Rule] AWS RDS Security Group Created ( #1260 )
...
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
2021-06-22 16:14:56 -08:00
Austin Songer