* adjusted query to exclude OneDrive process name and MS Teams DLL reference in registry data strings
* adjusted formatting for altered query
* removed unecessary string used for reference
* removed unecessary parenthesis from new filters in query
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* added FileSyncConfig.exe for OneDrive, added regsvr32 to Teams DLL filter
* added investigation notes
* removed comment from original rule creation
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* add RDS instance deletion to aws rule
I've added to this rule to improve coverage. Currently we detect creation and stopping of RDS clusters and instances. But, we only detect for the deletion of clusters, not instances. This adds the deletion of RDS instances to the detection.
* Update rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update persistence_ec2_security_group_configuration_change_detection
Rule does not trigger as expected due to 'iam' provider. I changed the specified provider to 'ec2'.
* update to improve rule coverage
I edited this rule to include the deletion of an RDS Instance. This fills a current gap in coverage as we are able to detect the creation and stopping of RDS instances and clusters, but only detect deletion of RDS clusters.
* Revert "update to improve rule coverage"
This reverts commit b3b094274fe13c56908aa6781c8236de6e3b5380.
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
* added comprehensive file timeline to Hosts File Modified rule
* added Comprehensive Process Timeline to Interactive Terminal Spawned via Python rule
* updated rules to have generic instead of comprehensive
* updated several rules with timeline ID and timeline title values
* changed updated_date for threat intel fleet integrations
* added missing templates to timeline_templates dict in definitions.py
* added comprehensive timeline templates to alerts after definitions.py was updated
* updated rules with comprehensive timeline templates and added min stack comments and versions
* removing timeline template changes which is tracked in #1904
* Update rules/linux/execution_python_tty_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Delete Pipfile
Removing pipfile
* Delete Pipfile.lock
deleting pipfile.lock
* Update rules/windows/execution_command_shell_started_by_svchost.toml
updating title
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* fixed duplicated file name
* deprecated Symbolic Link to Shadow Copy Created as it may be prone to FP and the intrusion steps are covered with NTDS or SAM Database File Copied
* moved rule back to production, added investigation notes and sequencing to EQL query
* added related rule 3bc6deaa-fbd4-433a-ae21-3e892f95624f to investigation notes
* updating with minor changes
* adjusted related rules
* adjusted investigation notes
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* TOML linted and adjusted updated date
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* [New Rule] Potential Remote Credential Access via Registry
4624 logon followed by hive file creation by regsvc svchost.exe by same user.name and host.id. This matches on secretdsdump and other similar implementations. require to correlation Elastic endpoint file events with System integration logs (4624).
Example of data :
* Delete workspace.xml
* Update credential_access_remote_sam_secretsdump.toml
* Update credential_access_remote_sam_secretsdump.toml
* add non ecs field
* Update non-ecs-schema.json
* Update credential_access_remote_sam_secretsdump.toml
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Jonhnathan