security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,614 Commits 1 Branch 0 Tags
0c3b251208ed9b955e2a8eee38b7d48aec002367
Commit Graph

1185 Commits

Author SHA1 Message Date
Jonhnathan 0c3b251208 [Rule Tuning] PowerShell Keylogging Script (#3023) 2023-08-22 07:45:00 -03:00
Samirbous 5e801b2edf [Tuning] Improve Performance (#2953) 
* [Tuning] Improve Performance

Remote Computer Account DnsHostName Update : sequence not needed, removed auth event to improve rule execution time.

Potential Remote Credential Access via Registry : removed sequence, since user.id is reported as std user SID (svchost is impersonating a remote user), and reduced file.path to known bad (based on observed TPs)

* Update privilege_escalation_suspicious_dnshostname_update.toml

* ++

* ++

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-08-21 16:23:34 +01:00
Steve Ross 4f33a40f48 [Bug] Duplicate tag on Okta rule (#3020) 
* Fix double tag on rule

* fixed all rules; added unit test

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-08-21 10:42:47 -04:00
Jonhnathan 72f15dda6a [New Rule] PowerShell Kerberos Ticket Dump (#2967) 
* [New Rule] PowerShell Kerberos Ticket Dump

* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml

* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-20 17:29:16 -03:00
Joe Desimone b5e011a892 [Rule Tuning] Privileges Elevation via Parent Process PID Spoofing (#2873) 
* Update privilege_escalation_via_ppid_spoofing.toml

* Update privilege_escalation_via_ppid_spoofing.toml

* bump date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-08-17 13:52:26 -03:00
Jonhnathan 9144dc0448 [New Rule] Building Block Rules - Part 2 (#2923) 
* [New Rule] Building Block Rules - Part 2

* .

* Update rules_building_block/defense_evasion_dll_hijack.toml

* Update rules_building_block/defense_evasion_file_permission_modification.toml

* Update rules_building_block/discovery_posh_password_policy.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-17 13:00:50 -03:00
Jonhnathan 96e50be5a6 [Rule Tuning] Potential Masquerading as Communication Apps (#2997) 
* [Rule Tuning] Potential Masquerading as Communication Apps

* Update defense_evasion_masquerading_communication_apps.toml

* Update persistence_run_key_and_startup_broad.toml

* CI

* Revert "CI"

This reverts commit f43d9388dadb158d6cb63e84d2f1edcf2162bfb0.
 2023-08-16 09:34:21 -03:00
Ruben Groenewoud e938ed28a0 [Rule Tuning] added additional event action (#3008) 2023-08-10 16:59:07 +02:00
Ali Alwashali f500cec497 fixing typo in 127.0.0.1 address (#3004) 2023-08-08 17:06:26 +02:00
Ruben Groenewoud 4cbfd7c4ae [Rule Tuning] Restricted Shell Breakout (#2999) 2023-08-04 19:30:18 +02:00
Ruben Groenewoud e904ebb760 [New Rule] PE via Container Misconfiguration (#2983) 
* [New Rule] PE via Container Misconfiguration

* fixed boolean comparison unit test error

* Update privilege_escalation_container_util_misconfiguration.toml

* Update rules/linux/privilege_escalation_container_util_misconfiguration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-08-04 16:39:40 +02:00
Ruben Groenewoud ef49709c7d [New Rules] Linux Wildcard Injection (#2973) 
* [New Rules] Linux Wildcard Injection

* Update rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml

* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-04 16:32:34 +02:00
Ruben Groenewoud c6eba3e4e6 [New Rule] Suspicious Symbolic Link Created (#2969) 
* [New Rule] Suspicious Symbolic Link Created

* Update rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* fixed unit testing issues after suggestion commit

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-03 23:23:23 +02:00
Ruben Groenewoud 4bcec3397c [New Rule] Potential Suspicious DebugFS Root Device Access (#2982) 
* [New Rule] Potential DebugFS Privilege Escalation

* Changed rule name

* Update rules/linux/privilege_escalation_sda_disk_mount_non_root.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-03 16:13:34 +02:00
Ruben Groenewoud 207d94e51c [New Rule] Potential Sudo Token Manipulation via Process Injection (#2984) 
* [New Rule] Sudo Token Access via Process Injection

* [New Rule] Sudo Token Manipulation via Proc Inject

* Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml

* Update privilege_escalation_sudo_token_via_process_injection.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-03 15:58:25 +02:00
Ruben Groenewoud 7cc841cc87 [New Rule] PE via UID INT_MAX Bug (#2971) 
* [New Rule] PE via UID INT_MAX Bug

* changed file name

* Should be more decisive

* fix

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-03 15:51:06 +02:00
Ruben Groenewoud a7ff449fbc [Rule Tuning] Some Tunings of several 8.9 rules (#2985) 
* [Rule Tuning] Doing some quick tunings

* updated_date bump

* Update rules/linux/discovery_linux_modprobe_enumeration.toml

* Update rules/linux/discovery_linux_modprobe_enumeration.toml

* Update rules/linux/discovery_linux_sysctl_enumeration.toml

* Update rules/linux/persistence_init_d_file_creation.toml

* Update rules/linux/persistence_rc_script_creation.toml

* Update rules/linux/persistence_shared_object_creation.toml

* deprecate rule

* deprecate rule

* Update execution_abnormal_process_id_file_created.toml

* Update discovery_kernel_module_enumeration_via_proc.toml

* Update discovery_linux_modprobe_enumeration.toml

* Update execution_remote_code_execution_via_postgresql.toml

* Update discovery_potential_syn_port_scan_detected.toml

* Added 2 tunings, sorry I missed those..

* One more tune

* Update discovery_suspicious_proc_enumeration.toml
 2023-08-03 15:25:33 +02:00
Ruben Groenewoud 03110fb24c [New Rule] SUID/SGUID Enumeration Detected (#2956) 
* [New Rule] SUID/SGUID Enumeration Detected

* Remove endgame compatibility

* readded endgame support after troubleshooting

* Update discovery_suid_sguid_enumeration.toml

* Update rules/linux/discovery_suid_sguid_enumeration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-08-03 09:57:30 +02:00
Ruben Groenewoud 716b621af2 [New Rule] Potential Sudo Hijacking Detected (#2966) 
* [New Rule] Potential Sudo Hijacking Detected

* Update privilege_escalation_sudo_hijacking.toml
 2023-08-03 09:49:14 +02:00
Ruben Groenewoud 18c2214956 [New Rule] Sudo Command Enumeration Detected (#2946) 
* [New Rule] Sudo Command Enumeration Detected

* Update discovery_sudo_allowed_command_enumeration.toml

* revert endgame support due to unit testing fail

* Update discovery_sudo_allowed_command_enumeration.toml

* Update discovery_sudo_allowed_command_enumeration.toml

* Update rules/linux/discovery_sudo_allowed_command_enumeration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/discovery_sudo_allowed_command_enumeration.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-08-03 09:39:16 +02:00
Ruben Groenewoud b8bb2da932 [New Rule] Potential Privilege Escalation via OverlayFS (#2974) 
* [New Rule] Privilege Escalation via OverlayFS

* Layout change

* Revert "[New Rule] Privilege Escalation via OverlayFS"

This reverts commit f3262d179bc5f54ae5380ffa50d67041fb141c26.

* Made rule broader

* Update privilege_escalation_overlayfs_local_privesc.toml

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml

* Update user.id to strings

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-07-31 19:15:11 +02:00
Eric 1e769c51b6 Tune Unusual File Activity ADS for Teams weblogs (#2929) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-31 10:41:31 -03:00
Jonhnathan 9387a081bc [Security Content] Add Investigation Guides to Threat Intel rules (#2827) 
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules

* .

* Update threat_intel_indicator_match_hash.toml

* Update to include expiring rules, exclude expiring indexes

* .

* Apply suggestions from code review

* Push changes

* Update pyproject.toml

* Revert "Update pyproject.toml"

This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.

* Update pyproject.toml

* Update integration-schemas.json.gz

* Revert "Update integration-schemas.json.gz"

This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.

* Revert integrations-manifests to the one from main

* Fix maturity

* Update Name

* Update ignore_ids with the indicator rules guid

* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml

* Make changes to use labels

* Update non-ecs-schema.json

* Update rules/cross-platform/threat_intel_fleet_integrations.toml

* Apply suggestions from code review

* Backport to 8.5

* [Security Content] Add Investigation Guides to Threat Intel rules

* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators

* Update threat_intel_indicator_match_hash.toml

* Update threat_intel_indicator_match_url.toml

* Update threat_intel_indicator_match_url.toml

* Apply suggestions from review, adds Setup guide

* Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
 2023-07-27 11:30:14 -03:00
Ruben Groenewoud bbb24704b6 [New Rule] PE through Writable Docker Socket (#2958) 
* [New Rule] PE through Writable Docker Socket

* simplified query

* Update privilege_escalation_writable_docker_socket.toml

* Update privilege_escalation_writable_docker_socket.toml

* Update rules/linux/privilege_escalation_writable_docker_socket.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-27 10:01:29 +02:00
Ruben Groenewoud 0666b594c6 [New Rule] Linux Local Account Brute Force (#2965) 2023-07-27 09:43:53 +02:00
Jonhnathan 0ff50acfd2 [Rule Tuning] Tune Threat Indicator Match Rules (#2957) 
* [Rule Tuning] Tune Threat Indicator Match Rules

* Update threat_intel_indicator_match_url.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-26 15:12:28 -03:00
Ruben Groenewoud b330cf9438 [New Rule] Pspy Process Monitoring Detected (#2945) 
* [New Rule] Pspy Process Monitoring Detected

* Update rules/linux/discovery_pspy_process_monitoring_detected.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_pspy_process_monitoring_detected.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_pspy_process_monitoring_detected.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-26 15:58:33 +02:00
shashank-elastic 6527eb0500 Rule Tuning File Permission Modification in Writable Directory (#2961) 2023-07-26 17:47:00 +05:30
Eric d0d99829a2 Correct misspelling of AppDara to AppData (#2952) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-26 08:10:03 -03:00
Ruben Groenewoud 056db6003e [Security Content] Added Compatibility note to all IGs (#2943) 
* added investigation guide note

* added ig notes

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* implemented note feedback

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-26 12:54:50 +02:00
Ruben Groenewoud dbd7ed65a9 [Tuning] Reverse Shell Rules (#2959) 
* [Rule Tuning] Reverse Shell Rule destination.ip tuning

* Updated updated_date
 2023-07-25 14:55:56 +02:00
Ruben Groenewoud 8de2684498 [Security Content] Add Investigation Guides to Linux DRs 8.9 (#2868) 
* [Investigation Guide] 10 new Linux IG's 8.9

* Added 4 more IG tags

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_backdoor_user_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_user_account_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_execution.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_execution.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/linux/persistence_message_of_the_day_execution.toml

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_init_d_file_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_rc_script_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/persistence_systemd_scheduled_timer_created.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* implemented feedback

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-19 17:13:24 +02:00
Samirbous 97d429e314 [New] Suspicious Microsoft 365 Mail Access by ClientAppId (#2933) 
* [New] Suspicious Microsoft 365 Mail Access by ClientAppId

Using New Term rule type identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-o365.html

* Update initial_access_microsoft_365_abnormal_clientappid.toml

* Update initial_access_microsoft_365_abnormal_clientappid.toml
 2023-07-19 16:05:13 +01:00
Jonhnathan 5e714e01e6 [Security Content] Add Windows Investigation Guides (#2825) 
* [Security Content] Add Windows Investigation Guides

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Add IG Tag

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-19 08:07:01 -03:00
Jonhnathan d1491c3ce1 [Rule Tuning] Threat Intel URL Indicator Match (#2902) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-07-18 20:21:15 -03:00
Jonhnathan f1ba092864 [Deprecation] Threat Intel Indicator Match - General Rules (#2901) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-18 20:12:53 -03:00
Jonhnathan 23a133121d [Rule Tuning] Add HackTool Keywords to PowerShell Rules (#2932) 2023-07-18 08:55:59 -03:00
Isai 80e2b699b6 [New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container (#2837) 
* [New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container

new rule

* removed priv_esc tag

removed priv_esc tag

* adjusted tags

adjusted tags

* updated tags

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-17 15:03:24 -04:00
Isai db90345fd5 [Rule Tuning] Kubernetes Anonymous Request Authorized (#2865) 
* rule tuning for exclusions

* optimized query

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-17 13:03:05 -04:00
Isai 0b64638bf7 [New Rule] AWS Credentials Searched For Inside a Container (#2887) 
* new rule toml

* Updated query

updated query based on review and added additional search queries

* updated rule query based on review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-17 12:29:02 -04:00
Terrance DeJesus 0f5b5a3551 [Rule Tuning] Add Okta Investigation Guides Part 1 (#2899) 
* adding investigation guides for Okta rules

* Update rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* added MFA to investigation guide for brute forcing

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-17 11:47:02 -04:00
Jonhnathan fca8bcc071 [Rule Tuning] PowerShell Rule Tunings (#2907) 
* [Rule Tuning] PowerShell Rule Tunings

* bump
 2023-07-14 15:41:36 -03:00
shashank-elastic 3ed8c56942 DR Linux Rule Tuning 8.9 (#2859) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-07-10 20:02:42 +05:30
Remco Sprooten 1283a21fb7 [New Rules] Potential portscan detected (#2817) 
* [New Rules] Potential portscan detected

* Updated descriptions

* Update rules/network/discovery_potential_syn_port_scan_detected.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/network/discovery_potential_network_sweep_detected.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/network/discovery_potential_port_scan_detected.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* updating integration manifests and schemas

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-07-09 09:49:32 +02:00
Ruben Groenewoud e5d6d6e4a7 [New Rule] sus cmds executed by unknown executable (#2858) 
* [New Rule] sus cmds executed by unknown executable

* added an event.action filter

* Added endgame support, fixed stack version comment

* Update execution_suspicious_executable_running_system_commands.toml

* Update rules/linux/execution_suspicious_executable_running_system_commands.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update execution_suspicious_executable_running_system_commands.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-06 17:32:56 +02:00
Ruben Groenewoud 4e0b7427b7 [New Rules] ftp/rdp bruteforce (#2910) 
* [New Rules] ftp/rdp bruteforce

* Update credential_access_potential_successful_linux_ftp_bruteforce.toml

* Update credential_access_potential_successful_linux_rdp_bruteforce.toml

* Update non-ecs-schema.json

* Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-06 17:16:01 +02:00
Ruben Groenewoud d5dee5a6c8 [New Rules] sysctl and modprobe enumeration (#2844) 
* [New Rules] sysctl and modprobe enumeration

* Update discovery_linux_modprobe_enumeration.toml

* Update discovery_linux_sysctl_enumeration.toml

* reverted manifest/schema update

* updated tags

* Update discovery_linux_modprobe_enumeration.toml
 2023-07-06 16:46:54 +02:00
Terrance DeJesus cd7a52f1b1 [Rule Tuning] Lock Rules with Different Required Fields Related to 8.9.1 Release (#2895) 
* forking rules with version collisions

* Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

* Update rules/windows/credential_access_suspicious_lsass_access_generic.toml

* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
 2023-07-06 10:39:20 -04:00
Ruben Groenewoud 64b3fa8d1d [New Rule] Kernel Load/Unload via Kexec Detected (#2846) 
* [New Rule] Kernel Load/Unload via Kexec

* Added additional references

* changed rule name

* changed the query to be more precise

* Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* changed description based on feedback

* Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>

* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
 2023-07-06 16:03:27 +02:00
Ruben Groenewoud 646c316b66 [New Rules] Linux Reverse Shells (#2905) 
* [New Rules] Linux Reverse Shells

* [New Rules] Linux Reverse Shells

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_java_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Delete UDP rule to add in separate PR

* Update rules/linux/execution_shell_via_lolbin_interpreter_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Deleted one rule and tuned the others

* Improved the rules' performance

* Added the reverse_tcp rule back after tuning

* Update execution_shell_via_lolbin_interpreter_linux.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-07-06 15:27:57 +02:00