1784429aa7
[FR] Add Integration Schema Query Validation ( #2470 )
2023-02-02 16:22:44 -05:00
cd2307ba7d
[New Rule] FirstTimeSeen User Performing DCSync ( #2433 )
...
* Create credential_access_dcsync_newterm_subjectuser.toml
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-02-02 15:44:31 +00:00
4bfcbeab36
[Rule Tuning] Unusual Network Activity from a Windows System Binary ( #2509 )
...
* [Rule Tuning] Unusual Network Activity from a Windows System Binary
* Update defense_evasion_network_connection_from_windows_binary.toml
2023-02-01 13:19:28 -03:00
748bdbf8b1
[New Rule] Enumerating Domain Trusts via Dsquery.exe ( #2508 )
...
* [New Rule] Enumerating Domain Trusts via Dsquery.exe
T1482 Domain Trust Discovery
New rule to capture domain trust discovery with dsquery.
* Update discovery_enumerating_domain_trusts_via_dsquery.toml
I think it would be beneficial to add the process.pe.original_file_name : "dsquery.exe" to the rule, as it would be easy for an attacker to bypass this rule by changing the file name, as so: https://prnt.sc/ZqePZKuV1-Vq
Other than that, LGTM!
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-02-01 10:27:42 -05:00
c6125004c1
[New Rules] WSL Related Rules ( #2463 )
...
* Create defense_evasion_wsl_registry_modification.toml
* Create defense_evasion_wsl_kalilinux.toml
* Create defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_kalilinux.toml
* Create defense_evasion_wsl_filesystem.toml
* Update defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_filesystem.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_filesystem.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update defense_evasion_wsl_registry_modification.toml
* Update defense_evasion_wsl_child_process.toml
* Create defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_kalilinux.toml
* Create defense_evasion_wsl_enabled_via_dism.toml
* Update defense_evasion_wsl_enabled_via_dism.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Delete defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_enabled_via_dism.toml
* Create defense_evasion_wsl_bash_exec.toml
* Delete defense_evasion_wsl_bash_exec.toml
* Create defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_registry_modification.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update defense_evasion_wsl_kalilinux.toml
2023-02-01 15:10:28 +00:00
7fe08e7856
Update persistence_service_windows_service_winlog.toml ( #2516 )
2023-02-01 14:34:30 +00:00
be5cd23a64
[New Rules] Code Signing Policy Modification ( #2510 )
...
* [New Rules] Code Signing Policy Modification
* Fixed description & tags
* cleaned the query syntax
* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-02-01 15:30:15 +01:00
5a31cb250d
[Rule Tuning] Unusual File Modification by dns.exe ( #2505 )
2023-02-01 11:10:05 -03:00
8c2cbae5a8
[New Rule] Potential PowerShell HackTool Script by Function Names ( #2474 )
...
* [New Rule] Potential PowerShell HackTool Script by Function Names
* Update execution_posh_hacktool_functions.toml
* Update execution_posh_hacktool_functions.toml
* Update execution_posh_hacktool_functions.toml
2023-01-31 17:21:36 -03:00
8e02c60ef6
[Rule Tuning] Enclose Rule Conditions within Parenthesis ( #2486 )
2023-01-31 16:56:19 -03:00
99f177a5ae
[Rule Tuning] Potential Credential Access via DCSync ( #2501 )
2023-01-31 16:50:39 -03:00
8519fad243
[Rule Tuning] Potential Remote Credential Access via Registry ( #2511 )
...
* [Rule Tuning] Potential Remote Credential Access via Registry
* Remove WEF index
2023-01-31 15:09:32 -03:00
d636f2d465
[Rule Tuning] T1069 and T1087 - admin wildcard ( #2484 )
...
Tuned both rules:relax the conditions by adding a wildcard to admin
2023-01-30 22:01:52 -05:00
5575400ee9
[Security Content] Add Investigation Guides for ML rules ( #2405 )
...
* [Security Content] Add Investigation Guides for ML rules
* .
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Place the guide in the correct rule
* Update guides to address IG refactor, and address sugestions
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-01-30 13:12:45 -03:00
54f65abdb0
[Rule Tuning] Potential Shadow Credentials added to AD Object ( #2498 )
2023-01-30 09:14:23 -03:00
b8adffa469
[New Rule] System Service Discovery through built-in Windows Utilities ( #2491 )
...
* [New Rule] System Service Discovery through built-in Windows Utilities
* added pe.original_file_name to net.exe
* fixed query style mistake
* fixed detection logic mistake
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-01-29 19:15:17 +01:00
c5ce910d3a
Create defense_evasion_timestomp_sysmon.toml ( #2476 )
2023-01-27 21:32:03 +00:00
b8dcc6ab4b
[New Rules] C2 via BITS and CertReq ( #2466 )
...
* Create command_and_control_certreq_postdata.toml
* Update command_and_control_certreq_postdata.toml
* Update command_and_control_certreq_postdata.toml
* Create command_and_control_ingress_transfer_bits.toml
* Update non-ecs-schema.json
* Update command_and_control_certreq_postdata.toml
* Update command_and_control_ingress_transfer_bits.toml
* Update rules/windows/command_and_control_certreq_postdata.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-01-27 20:17:36 +00:00
e737b4eb7c
[Tuning] added T1021.006 and T1563.001 ( #2497 )
...
* Update lateral_movement_incoming_winrm_shell_execution.toml
* Update lateral_movement_powershell_remoting_target.toml
* Update persistence_ssh_authorized_keys_modification.toml
* Update persistence_credential_access_modify_ssh_binaries.toml
* Update credential_access_potential_linux_ssh_bruteforce_root.toml
* Update persistence_ssh_authorized_keys_modification.toml
* Update persistence_ssh_authorized_keys_modification.toml
* Update persistence_ssh_authorized_keys_modification.toml
2023-01-27 19:51:22 +00:00
a1df310e56
[New Rule] T1553.006 - Untrusted Driver Loaded ( #2499 )
...
* Create defense_evasion_untrusted_driver_loaded.toml
* Update defense_evasion_untrusted_driver_loaded.toml
2023-01-27 19:46:35 +00:00
2372602c4e
[New Rules] Amsi Bypass ( #2473 )
...
* Create defense_evasion_amsi_bypass_powershell.toml
* Create defense_evasion_amsi_bypass_dllhijack.toml
* Update defense_evasion_amsi_bypass_dllhijack.toml
2023-01-26 06:03:53 +00:00
1c6e5a3448
[New Rule] Suspicious Inter-Process Communication via Outlook ( #2458 )
...
* Create collection_email_outlook_mailbox_via_com.toml
* Update non-ecs-schema.json
* Update rules/windows/collection_email_outlook_mailbox_via_com.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/collection_email_outlook_mailbox_via_com.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/collection_email_outlook_mailbox_via_com.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-01-25 17:44:32 +00:00
1a5e64ce13
[New Rule] T1543.003 - Unsigned DLL Loaded by Svchost ( #2477 )
...
* Create persistence_service_dll_unsigned.toml
* Update non-ecs-schema.json
* Update persistence_service_dll_unsigned.toml
* Update rules/windows/persistence_service_dll_unsigned.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update detection_rules/etc/non-ecs-schema.json
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update persistence_service_dll_unsigned.toml
* Update persistence_service_dll_unsigned.toml
* Update non-ecs-schema.json
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-01-25 17:11:38 +00:00
bcd8ef15ba
[New Rule] Unsigned DLL Side-Loading from a Suspicious Folder ( #2409 )
...
* Create defense_evasion_unsigned_dll_loaded_from_suspdir.toml
* Update non-ecs-schema.json
* Update defense_evasion_unsigned_dll_loaded_from_suspdir.toml
* Update rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-01-25 13:23:20 +00:00
8427c8cd22
Create credential_access_suspicious_lsass_access_generic.toml ( #2487 )
2023-01-25 09:43:35 +00:00
3b2d1af051
new guided onboarding rule ( #2492 )
2023-01-24 11:26:28 -05:00
f804c29f6d
[New Rule] PowerShell Script with Encryption/Decryption Capabilities ( #2489 )
...
* [New Rule] PowerShell Script with Encryption/Decryption Capabilities
* Update defense_evasion_posh_encryption.toml
2023-01-24 12:26:11 -03:00
644a094503
Group Policy Object Discovery through gpresult.exe ( #2483 )
...
* [New Rule] Group Policy Discovery Through gpresult.exe
* Fixed typo
* Update rules/windows/discovery_group_policy_object_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_group_policy_object_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_group_policy_object_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_group_policy_object_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-01-24 12:10:57 +01:00
fc30b5881f
[New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities ( #2465 )
...
* [New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities
* Bump sev
* Update rules/windows/collection_posh_clipboard_capture.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-01-24 07:58:48 -03:00
92ae27600f
[New Rule] PowerShell Mailbox Collection Script ( #2461 )
2023-01-24 07:54:55 -03:00
0aa87d7f4a
[Rule Tuning] Unusual Process For a Linux Host ( #2445 )
...
* [Rule Tuning] Unusual Process For a Linux Host
* .
2023-01-23 21:03:29 -03:00
77c8665f11
[Rule Tuning] Add endgame support for Linux Rules ( #2436 )
...
* [Rule Tuning] Add endgame support for Linux Rules
* [Rule Tuning] Add endgame support for Linux Rules
* .
* Update persistence_insmod_kernel_module_load.toml
2023-01-23 20:53:15 -03:00
7cde7901e3
[Rule Tuning] PowerShell Suspicious Discovery Related Windows API Functions ( #2478 )
...
* [Rule Tuning] PowerShell Suspicious Discovery Related Windows API Functions
* Update discovery_posh_suspicious_api_functions.toml
2023-01-23 20:35:43 -03:00
729ecf8b58
[New Rule] PowerShell Invoke-NinjaCopy script ( #2488 )
...
* [New Rule] PowerShell Invoke-NinjaCopy script
* Update credential_access_posh_invoke_ninjacopy.toml
* Update credential_access_posh_invoke_ninjacopy.toml
2023-01-23 20:00:57 -03:00
e3ff45e20c
[New Rule] System Time Discovery ( #2475 )
...
* [New Rule] System Time Discovery
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-01-18 13:01:57 +01:00
e5d81e77f7
[New Rule] Add Google Workspace Alert Center Promotional Rule ( #2471 )
...
* Add Google Workspace Alert Center Promotional Rule
* added severity mapping overrides
2023-01-17 12:09:13 -05:00
d81bc25d09
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6 ( #2468 )
...
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6
* added newline in version lock file to trigger checks
* removed trailing newline from version lock file
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-01-13 15:20:23 -05:00
b61da98f97
[Rule Tuning] Bumping min-stack version for Google Workspace to 8.4 ( #2467 )
...
* Bumping min-stack version for Google Workspace to 8.4
* changed 'updated_date' values
2023-01-13 13:29:28 -05:00
0e535e5931
[Rule Tuning] Remove unreleased timeline from alert correlation rules ( #2462 )
...
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-01-12 12:10:59 -03:00
cb88ad715c
[New Rule] Exchange Mailbox via PowerShell ( #2459 )
...
* Create collection_mailbox_export_winlog.toml
* Update collection_mailbox_export_winlog.toml
* Update collection_mailbox_export_winlog.toml
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-01-11 16:45:20 +00:00
8afda66487
[Rule Tuning] Suspicious WerFault Child Process ( #2437 )
...
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
2023-01-11 16:41:57 +00:00
9121a25b02
Update collection_email_powershell_exchange_mailbox.toml ( #2457 )
2023-01-11 16:29:01 +00:00
6acc0f9b11
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6 ( #2455 )
...
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6
* added newline in version lock file to trigger checks
* removed trailing newline from version lock file
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-01-10 09:50:41 -05:00
4124a82496
[Rule Tuning] Exclude SYSTEM user.id from PowerShell Script Block rules ( #2449 )
...
* [Rule Tuning] Exclude SYSTEM user.id from PowerShell Script Block rules
* Update privilege_escalation_posh_token_impersonation.toml
* Update privilege_escalation_posh_token_impersonation.toml
* Adjust severity
2023-01-10 09:37:07 -03:00
7725e32126
[Security Content] Fix Osquery Markdown Plugin Escaped queries ( #2447 )
...
* [Security Content] Fix Osquery Markdown Plugin Escaped queries
* Re-add line
* Update credential_access_credential_dumping_msbuild.toml
* Update command_and_control_common_webservices.toml
2023-01-09 14:45:31 -03:00
9981cca275
[Security Content] Investigation Guides Line breaks refactor ( #2454 )
...
* [Security Content] Investigation Guides Line breaks refactor (#2412 )
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
* Remove changes to deprecated rules
* Update command_and_control_certutil_network_connection.toml
2023-01-09 13:28:10 -03:00
b1a689b6fd
Revert "[Security Content] Investigation Guides Line breaks refactor ( #2412 )" ( #2453 )
...
This reverts commit d1481e1a88
2023-01-09 10:44:54 -05:00
d1481e1a88
[Security Content] Investigation Guides Line breaks refactor ( #2412 )
...
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
2023-01-09 11:56:39 -03:00
896a25bc0f
Refactor file path name ( #2452 )
2023-01-05 22:10:55 +05:30
bdffab5722
adding initial solution ( #2448 )
2023-01-04 12:28:34 -05:00
Mika Ayenson