Terrance DeJesus
b0ca02605f
[New Hunt] Potential Spoofed microsoftonline.com via Fuzzy Match (#4770)
* new hunt for spoofed MSFT domains
* added lookback time to ESQL query
2025-06-26 12:38:48 -04:00
Terrance DeJesus
bfca0ea414
[New Hunt] Commvault Supply Chain Threat (#4748)
* hunts for CommVault threat
* added lookback time to ESQL query
* updated query logic
2025-05-28 14:11:46 -04:00
Terrance DeJesus
909ff9c07e
new hunt 'Microsoft Entra Infrequent Suspicious OData Client Requests' (#4708)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-05-09 22:14:42 -04:00
Terrance DeJesus
bbfc026c95
[New Hunt] New Hunting Queries for DPRK ByBit (#4644)
* new hunting queries for macOS DPRK
* added docker hunting queries
2025-04-23 16:41:23 -04:00
Terrance DeJesus
ba16e27edb
[Rule Tuning] Tuning Azure Service Principal Credentials Added (#4570)
* tuning 'Azure Service Principal Credentials Added'
* updated patch version
* added investigation guide
* updating patch version
* updating patch version
2025-04-16 13:58:17 -04:00
Terrance DeJesus
7c4f334a00
[New Hunt] Adding Hunting Queries for Azure Entra Sign-In Anomalies (#4527)
* adding new hunts for Azure entra sign-in anomalies
* fixing commented query logic; added hydra user agent
2025-03-11 10:27:08 -04:00
Terrance DeJesus
1851ab91fd
new hunting queries for Azure device code (#4468)
2025-02-21 11:00:34 -05:00
Terrance DeJesus
0b98462cfe
[New Hunt] Adding Hunting Queries for AWS SNS exfiltration and data collection (#4458)
* new hunting queries for SNS
* added KEEP to all queries; adjusted description in SNS rule
2025-02-20 10:53:36 -05:00
Ruben Groenewoud
b13d6bf314
[New Hunt] Persistence via NetworkManager Dispatcher Script (#4408)
2025-02-06 09:33:42 +01:00
Ruben Groenewoud
802419178c
[New Hunt] Persistence via Desktop Bus (D-Bus) (#4407)
2025-02-05 16:45:17 +01:00
Ruben Groenewoud
1aea556998
[New Hunt] Persistence via PolicyKit (#4406)
* [New Hunt] Persistence via PolicyKit
* ++
2025-02-05 16:29:47 +01:00
Ruben Groenewoud
6fa8a862a2
[New Hunt] General Kernel Manipulation (#4403)
* [New Hunt] General Kernel Manipulation
* Update index.yml
2025-02-05 16:18:51 +01:00
Terrance DeJesus
4e95bc7891
[New Hunt] Adding Hunting Query for IAM Unusual Default Aviatrix Role Activity (#4409)
* new hunt 'unusual aviatrix default role activity'
* added additional investigation notes
2025-01-28 12:09:29 -05:00
Ruben Groenewoud
bbcf0c7c34
[New Hunt] Persistence via Initramfs (#4402)
* [New Hunt] Persistence via Initramfs
* Update index.yml
2025-01-27 10:19:44 +01:00
Ruben Groenewoud
80fe96109b
[New & Tuning] Persistence via GRUB Bootloader (#4401)
* [New & Tuning] Persistence via GRUB Bootloader
* testing github version code workflow update
* testing github version code workflow re-order
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2025-01-27 09:58:43 +01:00
Ruben Groenewoud
a2b280a6fd
[New Hunts] Adding Several Hunting PRs into this Main PR (#4342)
* [New Hunt] Linux PAM Persistence
* Fixed notes
* [New Hunt] Persistence via Dynamic Linker Hijacking
* [New Hunt & Tuning] Persistence via LKMs
* [New Hunt] Persistence via Web Shells
* Update query
* [New Rule] Persistence via DPKG/RPM Package
* [New Hunt] Persistence via Container
* Update hunting/linux/queries/persistence_via_pluggable_authentication_module.toml
* [Hunt Addition] System User Interactive Session
* Merge branch 'main' into new-hunts-PAM
* Updates
* ++
* Match RTA bin executor
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2025-01-07 14:29:17 +01:00
Terrance DeJesus
28ffebbf5c
[New Hunt] Adding Hunting Query for AWS IAM Unusual AWS Access Key Usage for User (#4280)
* new hunt 'AWS IAM Unusual AWS Access Key Usage for User'
* updated version
* updating markdown
* bumping version
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-12-12 14:56:20 -05:00
Terrance DeJesus
a92fdc18a1
[New Rule] Adding Coverage for AWS IAM Customer-Managed Policy Attached to Role by Rare User (#4245)
* adding new rule 'AWS IAM Customer-Managed Policy Attached to Role by Rare User'
* adding investigation guide tag
* adds new hunting query
* updated notes
* changed name
* adjusting pyproject.toml version
2024-11-06 13:36:13 -05:00
Terrance DeJesus
50e23ba242
[Hunting] Re-factor Hunting Library Code (#4085)
* updating python code for hunting library
* fixed okta queries; added MITRE search capability
* fixed hunting unit test imports
* fixed duplicate UUID; fixed duplicate index entry bug
* fixed technique finding sub-technique in search
* added more unit tests
* linted
* flake errors addressed; fixed unit test import; fixed markdown generate bug
* added description for generate-markdown command
* updated README
* adjusted YAML index, adjusted code for index changes
* adjusted relative imports; updated CODEOWNERS
* adding updates; moving to different branch for main dependencies
* finished run-query command; made some code adjustments
* removed some comments
* revised makefile; fixed unit tests; adjusted detection rules pyproject
* updated README
* updated README
* adjusted unit tests; adjusted hunt guidelines; updated makefile; adjusted several commands
* adjusted package to be more object-oriented
* removed unused variable
* Add simple breakdown stats
* addressed feedback; added keyword option for search
* Update hunting/README.md
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/etc/test_hunting_cli.bash
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* addressing feedback
* addressed feedback
* added message for unknown index; fixed function call
* fixed search command
* fixed flake error
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2024-10-03 12:47:40 -04:00