security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

2412 Commits

Author SHA1 Message Date
Jonhnathan 4538bfcd9f [Rule Tuning] 3rd Party EDR Compatibility - 2 (#4019) 
* [Rule Tuning] 3rd Party EDR Compatibility - 2

* Update credential_access_iis_connectionstrings_dumping.toml

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date
 2024-10-11 12:55:31 -03:00
Jonhnathan 6be1f0bad6 [Rule Tuning] 3rd Party EDR Compatibility - 1 (#4017) 
* [Rule Tuning] 3rd Party EDR Compatibility - 1

* Update command_and_control_remote_file_copy_desktopimgdownldr.toml

* bump updated_date to 8.16 release date

* min_stack for merge, bump updated_date

* Update rules/windows/command_and_control_port_forwarding_added_registry.toml
 2024-10-11 12:09:11 -03:00
Terrance DeJesus 06319b7a13 [Rule Tuning] Add KEEP Command to all ES|QL Rules (#4146) 
* updating ES|QL rules to include KEEP command

* fixed some ES|QL rules with typos; added validation for KEEP command

* fixed ES|QL errors from missing fields

* fixed flake errors

* updated date

* added best practices to hunt docs
 2024-10-09 21:08:38 -04:00
Terrance DeJesus 281926052c [Rule Tuning] Add METADATA checks for non-aggregate ES|QL queries and fix existing (#4126) 
* fixed existing rules;added query checks

* fixed flake errors

* added re.DOTALL to regex pattern, adjusted pattern slightly; reverted some rules

* removed valueError and replaced ValidationError

* adjusted validation error output based on feedback

* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* added space for failure

* updated to use re.compile

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2024-10-09 15:25:36 -04:00
Terrance DeJesus 7674229f49 [New Rule] Successful Application SSO from Rare Unknown Client Device (#4141) 
* new rule 'Successful Application SSO from Rare Unknown Client Device'

* removing extra newlines

* adjusted tags; adjusted risk
 2024-10-07 12:11:57 -04:00
Terrance DeJesus 45a347580c [Rule Tuning] Fixing Incorrect ES|QL Operator Use - AWS Service Quotas Multi-Region GetServiceQuota Request (#4118) 
* fixing single equal operator

* Additional data source tag for consistency

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2024-10-02 15:50:22 -04:00
Samirbous a68a404bd8 Update defense_evasion_posh_assembly_load.toml (#4112) 2024-10-01 17:30:38 +05:30
Ruben Groenewoud 5b41bbd5e9 [Tuning] Updated references (#4114) 2024-10-01 08:43:14 -03:00
Terrance DeJesus ef4e433d97 [Rule Tuning] Ignore "Not Available" in o365.audit.UserId for Microsoft 365 Rules (#4105) 
* tuning M365 impossible travel activity rules

* added additional filters for user type logins

* adjusted updated date
 2024-09-28 18:13:03 -04:00
Samirbous 1d1b2eb90f Update command_and_control_tunnel_vscode.toml (#4104) 2024-09-28 11:46:46 +01:00
shashank-elastic ef95a541f4 Fix GenAI Request Model ID Field (#4111) 2024-09-27 21:59:02 +05:30
Ruben Groenewoud a3e89a7fab [New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE) (#4106) 
* [New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE)

* Description update

* Investigation Guide Update
 2024-09-27 14:48:03 +02:00
Mika Ayenson b80d8342d6 [Docs | Rule Tuning] Add blog references to rules (#4097) 
* [Docs | Rule Tuning] Add blog references to rules

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions from code review

* Update google_workspace blog references

* add okta blog references

* Update dates

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-09-25 15:19:20 -05:00
Isai 0ed6b3f0a2 [Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (#4094) 
Tuning this rule to exclude identity type `AssumedRole` as this is too common a behavior, often automated, and used to verify current identity and role assumptions. Therefore it is not as indicative of suspicious behavior when used by assumed roles. This rule will still trigger for `IAM User` and `Federated User` identity types. In telemetry this change reduces alerts from ~240,000 to 43 in the last 30 days.
 2024-09-24 09:32:12 -04:00
Samirbous 5e0fb4a63e [Tuning] Add logs-panw.panos index to Network rules (#4089) 
* [Tuning] Add logs-panw.panos index to Network rules

https://github.com/elastic/detection-rules/issues/3998

This PR adds to the PANOS traffic index `.ds-logs-panw.panos-default-*` to the network rules using fields that are compatible.

* add tag and integration

* Update command_and_control_fin7_c2_behavior.toml

* Build Manifest and Schema for panw integration

* Update definitions.py

* Update definitions.py

* Fix definitions declaration

---------

Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
 2024-09-19 08:01:44 +01:00
Samirbous def2a9ef09 [New] ROT encoded Python Script Execution (#4084) 
* [New] ROT encoded Python Script Execution

* Update defense_evasion_encoding_rot13_python_script.toml

* ++

* Update defense_evasion_encoding_rot13_python_script.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-09-17 16:52:46 +01:00
shashank-elastic 814130bf34 min_stack New Rules that use the S1 Integration (#4081) 2024-09-16 20:12:09 +05:30
Jonhnathan 7c78e4081f [Rule Tuning] min_stack New Rules that use the S1 Integration (#4079) 
* [Rule Tuning] min_stack New Rules that use the S1 Integration

* Update execution_windows_powershell_susp_args.toml

* Update execution_initial_access_foxmail_exploit.toml
 2024-09-16 11:02:46 -03:00
Samirbous 31ca246ea7 [New] Potential Foxmail Exploitation (#4044) 
* Create execution_initial_access_foxmail_exploit.toml

* Update execution_initial_access_foxmail_exploit.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-09-16 12:29:40 +01:00
Samirbous 41a7a5f049 [New] Execution via Windows Command Debugging Utility (#3918) 
* [New] Execution via Windows Command Debugging Utility

https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/

* Update defense_evasion_lolbas_win_cdb_utility.toml

* ++

* Update defense_evasion_lolbas_win_cdb_utility.toml
 2024-09-16 09:14:39 +01:00
Samirbous f26d7fc81b [New] Persistence via a Windows Installer (#4055) 
* Create persistence_msi_installer_task_startup.toml

* Update persistence_msi_installer_task_startup.toml

* Update persistence_msi_installer_task_startup.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-09-16 07:50:57 +01:00
Samirbous b60b6e2af3 [New] Attempt to establish VScode Remote Tunnel (#4061) 
* [New] Attempt to establish VScode Remote Tunnel

* Update command_and_control_tunnel_vscode.toml

* Update command_and_control_tunnel_vscode.toml

* Update command_and_control_tunnel_vscode.toml

* Update rules/windows/command_and_control_tunnel_vscode.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2024-09-16 07:39:39 +01:00
Samirbous 3a3400c8e5 [New] MsiExec Service Child Process With Network Connection (#4062) 
* [New] MsiExec Service Child Process With Network Connection

converted an ER diag rule to SIEM rule as it matches on a good number of MSI related FNs.

* Update defense_evasion_msiexec_child_proc_netcon.toml

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-09-15 20:22:44 +01:00
Samirbous 56fc2beb46 [New] Suspicious PowerShell Execution via Windows Scripts (#4060) 
* [New] Suspicious PowerShell Execution via Windows Scripts

this PR converts this ER https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml#L5 to a SIEM rule compatible with S1 and M365D and Winlog/sysmon.

* Update execution_powershell_susp_args_via_winscript.toml

* Create defense_evasion_script_via_html_app.toml

* ++

* Update defense_evasion_script_via_html_app.toml

* Update execution_powershell_susp_args_via_winscript.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-09-15 19:51:21 +01:00
Samirbous b6162abefa [New] WPS Office Exploitation via DLL Hijack (#4043) 
* Create execution_initial_access_wps_dll_exploit.toml

* Update execution_initial_access_wps_dll_exploit.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-09-15 11:23:35 +01:00
Samirbous 9255dafe53 [New] Detonate LNK TOP Rules (#4058) 
* [New] Detonate LNK TOP Rules

the following two rules are the top ones matching on TPs from detonate for LNK files, converting them to SIEM rules compatible with Sysmon/Winlogbeat, SentinelOne and M365 Defender :

https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution.toml#L8

https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_windows_command_shell_execution.toml#L8

* Update execution_windows_cmd_shell_susp_args.toml

* Update execution_windows_powershell_susp_args.toml

* Update execution_windows_cmd_shell_susp_args.toml

* Update execution_windows_powershell_susp_args.toml

* Update execution_windows_powershell_susp_args.toml

* Update execution_windows_cmd_shell_susp_args.toml

* Update execution_windows_powershell_susp_args.toml

* Update rules/windows/execution_windows_cmd_shell_susp_args.toml

* Update rules/windows/execution_windows_powershell_susp_args.toml

* Update execution_windows_cmd_shell_susp_args.toml

* Update execution_windows_cmd_shell_susp_args.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-09-15 10:49:17 +01:00
Terrance DeJesus bb9a772870 [New Rule] Okta Public Client App OAuth Token Request with Client Credentials (#4074) 
* adding new rule for Okta public client app OAuth token request with client credentials

* Update detection_rules/etc/non-ecs-schema.json

* changing new terms to okta.actor.display_name

* linted; added references
 2024-09-13 14:57:49 -04:00
Samirbous cad3865fcf [New] Potential Escalation via Vulnerable MSI Repair - CVE-2024-38014 (#4076) 
* [New] Potential Escalation via Vulnerable MSI Repair

https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detailed-journey/

* Update privilege_escalation_msi_repair_via_mshelp_link.toml

* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml

* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml

* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-09-13 17:57:44 +01:00
shashank-elastic 3e25ea8c2b [New Rule] AWS Bedrock Detections (#4072) 2024-09-13 19:46:47 +05:30
Thijs Xhaflaire df1f0bc98e [New Rule] Add Jamf Protect detection rules (#4047) 
* Create privilege_escalation_user_added_to_admin_group.toml

* Update privilege_escalation_user_added_to_admin_group.toml

* Update privilege_escalation_user_added_to_admin_group.toml

* Adding pbpaste detection rule and minor adjustments to user added to group

* Update credential_access_high_volume_of_pbpaste.toml

* Update credential_access_high_volume_of_pbpaste.toml

* Adding two rules to validate our approach.

* Updated index to "logs-jamf_protect*"

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml

* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml

* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Moved to rules/macos folder

* Removed rules from integration/jamf folder

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_high_volume_of_pbpaste.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* minstack rules and support jamf_protect non-dataset

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
 2024-09-12 15:03:56 -05:00
Terrance DeJesus 29051c2e33 [New Rule] Cross Platform: AWS SendCommand API Call with Run Shell Command Parameters (#4052) 
* add new rule 'AWS SSM  with Run Shell Command Parameters'

* linting

* Update rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* reverting suggestion; causes KQL parser errors for optimization

* fixing query command filter

* added linux event type filter

* fixing array

* fixed description

* Update rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-09-11 13:40:25 -04:00
Jonhnathan 127a56aede [Rule Tuning] Remote Execution via File Shares (#4067) 
* [Rule Tuning] Remote Execution via File Shares

* Update lateral_movement_execution_via_file_shares_sequence.toml
 2024-09-11 10:49:41 -03:00
Samirbous dc9c58527f [Tuning] Unusual Network Activity from a Windows System Binary (#4065) 
* Update defense_evasion_network_connection_from_windows_binary.toml

* Update defense_evasion_network_connection_from_windows_binary.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-09-10 13:30:56 -03:00
Terrance DeJesus 8d27b6069b [Rule Tuning] M365/Azure Brute-Forcing New Rule and Tuning; Deprecate Similar Rule (#4057) 
* deprecated rule; tuned for single source inclusion

* adjusted query comments

* added min-stack

* updated date

* added Azure-based rule for brute forcing

* added reference to o365spray

* fixed tag

* adjusted query comment

* added rule for repeat source

* adjusted query to use count distinct

* added intervals; adjusted lookback window according to time truncation
 2024-09-10 11:26:40 -04:00
Terrance DeJesus 0a08f5e677 [New Rule] New Microsoft 365 Impossible Travel Rules and Deprecation (#4054) 
* new impossible travel rules for o365; deprecated development rule

* deleted development rule as it has not lock version

* reverted rule deletion, added note about reliability and related rules
 2024-09-05 17:36:56 -04:00
Samirbous e30dc312e4 [Tuning] Potential Execution via XZBackdoor (#4053) 
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml

* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
 2024-09-05 20:13:32 +01:00
Terrance DeJesus be611be8b3 [New Rule] Instance Metadata Service (IMDS) API Requests - Linux (#4005) 
* new rule metadata API requests

* updated description and name

* added Ipv6

* adjusted query

* rule name fix

* changed to EQL; added discovery tactic

* removed timestamp override

* adding host.os.type

* adjusted description

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* adjusted query

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-09-05 10:08:32 -04:00
Ruben Groenewoud 9f964b68a4 [New Rule] Root Certificate Installation (#4025) 
* [New Rule] Root Certificate Installation

* Update defense_evasion_root_certificate_installation.toml

* Update rules/linux/defense_evasion_root_certificate_installation.toml
 2024-09-03 17:40:17 +02:00
Ruben Groenewoud b3a75899d5 [New Rule] SELinux Configuration Creation or Modification (#4024) 
* [New Rule] SELinux Configuration Creation or Modification

* Update rules/linux/defense_evasion_selinux_configuration_creation_modification.toml

* Rename defense_evasion_selinux_configuration_creation_modification.toml to defense_evasion_selinux_configuration_creation_or_renaming.toml

* Update rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml

* Update rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml
 2024-09-01 10:14:59 +02:00
Ruben Groenewoud fb07033159 [New Rule] Attempt to Disable Auditd Service (#4028) 
* [New Rule] Attempt to Disable Auditd Service

* Update defense_evasion_attempt_to_disable_auditd_service.toml

* Update rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-09-01 09:51:13 +02:00
Ruben Groenewoud 30cd1b6a00 [New Rule] Potential Defense Evasion via Doas (#4027) 
* [New Rule] Potential Defense Evasion via Doas

* Update rules/linux/defense_evasion_doas_configuration_creation_or_modification.toml

* Update rules/linux/defense_evasion_doas_configuration_creation_or_modification.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Rename defense_evasion_doas_configuration_creation_or_modification.toml to defense_evasion_doas_configuration_creation_or_rename.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-08-29 21:19:13 +02:00
Ruben Groenewoud 19b4a4d7dd [New Rule] SSL Certificate Deletion (#4026) 
* [New Rule] SSL Certificate Deletion

* Update defense_evasion_ssl_certificate_deletion.toml

* Update rules/linux/defense_evasion_ssl_certificate_deletion.toml
 2024-08-29 21:10:59 +02:00
Terrance DeJesus 1ff26cf53e [New Rule] New Rules AWS Multi-Region Discovery of EC2 Instances and Quotas (#4015) 
* new rules AWS EC2 discovery in multiple-regions

* adjusted query and from window

* added event providers, adjusted tags, changed file name
 2024-08-28 13:42:32 -04:00
Samirbous 3e831b82c3 Update credential_access_suspicious_web_browser_sensitive_file_access.toml (#4029) 
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-08-28 16:33:44 +01:00
Terrance DeJesus 6aaccc64a6 [New Rule] AWS CLI Command with Custom Endpoint URL (#4002) 
* new rule AWS CLI COmmand with Custom Endpoint URL

* fixed query

* added host os type

* added timestamp override
 2024-08-28 09:58:08 -04:00
Jonhnathan e60c21b37b [Rule Tuning] Enumeration of Privileged Local Groups Membership (#4016) 2024-08-27 09:54:19 -03:00
Jonhnathan 70c3a6f7b1 [Rule Tuning] Potential privilege escalation via CVE-2022-38028 (#4004) 2024-08-22 15:32:28 -03:00
Ruben Groenewoud 162a48c97f [New Rule] Openssl Client or Server Activity (#3930) 
* [New Rule] Openssl Client or Server Activity

* Endgame support

* Added one exclusion

* Update execution_shell_openssl_client_or_server.toml

* Update execution_shell_openssl_client_or_server.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-08-22 16:53:31 +02:00
Kirti Sodhi dfbf86e853 Update ProblemChild detection rules with High and Low probability (#4000) 
* Updated ProblemChild detection rules
 2024-08-22 09:17:41 -04:00
Terrance DeJesus b6b6f6b482 [New Rule] First Occurrence AWS STS Temporary Credential Request by User (#3991) 
* adding new rule 'First Occurrence of STS GetFederationToken Request by User'

* added integration tag

* Update rules/integrations/aws/defense_evasion_sts_get_federation_token.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* added reference

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-08-21 20:17:10 -04:00