017d9a51b7
[Rule Tuning] Rename extrac.exe to extrac32.exe ( #1601 )
2021-11-14 17:01:13 -09:00
aa219710a1
Fix Windows path causing emoji to be rendered in Kibana ( #1585 )
...
In impact_hosts_file_modified rule, the `note` field contains a Windows
path that causes a confused-face-emoji to be rendered in the
Investigation Guide tab.
Surrounding the path in backticks fixes it.
2021-11-03 11:01:25 -05:00
f47b0f61cc
Change interval and lookback time for IM rule ( #1596 )
2021-11-01 09:27:38 +01:00
ff16832003
[Rule Tuning] Hosts File Modified - add process check for linux ( #1593 )
...
* [Rule Tuning] Hosts File Modified - add process check for linux
* add echo and sed to process names in query
2021-10-28 22:56:34 -05:00
c8cf88cd62
Refresh ECS (1.12.1) and beats (7.15.1) schemas ( #1584 )
...
* Refresh ECS (1.12.1) and beats (7.15.1) schemas
* update ecs to 1.10 for 7.14 stack validation
* add note with reference url
2021-10-28 11:24:28 -05:00
ab17dfcc28
[Bug] Tighten definitions validation patterns ( #1396 )
...
* [Bug] Anchor validation patterns
* Deprecate rule with invalid rule_id and duplicate as new one
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-10-26 10:26:20 -05:00
ef7548f04c
[Rule Tuning] Added Powershell_ise.exe to some rules. ( #1566 )
...
* Update collection_email_powershell_exchange_mailbox.toml
* Update command_and_control_remote_file_copy_powershell.toml
* Update defense_evasion_disabling_windows_defender_powershell.toml
* Update execution_scheduled_task_powershell_source.toml
* Update execution_via_compiled_html_file.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update persistence_powershell_exch_mailbox_activesync_add_device.toml
* Update persistence_webshell_detection.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_suspicious_zoom_child_process.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update persistence_local_scheduled_task_scripting.toml
* Update persistence_local_scheduled_task_creation.toml
* Update persistence_system_shells_via_services.toml
* Update collection_email_powershell_exchange_mailbox.toml
* Update command_and_control_remote_file_copy_powershell.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update defense_evasion_disabling_windows_defender_powershell.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_suspicious_zoom_child_process.toml
* Update execution_scheduled_task_powershell_source.toml
* Update execution_via_compiled_html_file.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update persistence_local_scheduled_task_creation.toml
* Update persistence_local_scheduled_task_scripting.toml
* Update persistence_powershell_exch_mailbox_activesync_add_device.toml
* Update persistence_system_shells_via_services.toml
* Update persistence_webshell_detection.toml
* Update rules/windows/persistence_local_scheduled_task_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-26 12:16:31 -03:00
239384497f
[New Rule] PowerShell MiniDump Script ( #1528 )
...
* PowerShell MiniDump Script Initial Rule
* Update credential_access_posh_minidump.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update credential_access_posh_minidump.toml
* Update rules/windows/credential_access_posh_minidump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-26 12:09:16 -03:00
4524c175c8
Add missing Integration field ( #1537 )
...
* Add missing Integration field
* Bump updated_date
* Add test for integration<->path
* Fix rule folder
* bump updated date in rule
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2021-10-26 12:05:12 -03:00
89553d84a9
[New Rule] AWS Route Table Created ( #1257 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create persistence_route_table_created.toml
* Update persistence_route_table_created.toml
* Update rules/persistence_route_table_created.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Update persistence_route_table_created.toml
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update persistence_route_table_created.toml
* Update
* Update
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-26 10:25:53 -03:00
5a69ceb0c5
Add test for improper rule demotion (released production -> development) ( #1555 )
2021-10-19 21:47:36 -08:00
5bdf70e72c
Add min_stack_comments to metadata schema ( #1573 )
...
* Add min_stack_comments to metadata schema
2021-10-19 20:52:53 -08:00
f50fb1d61b
[New Rule] Suspicious Portable Executable Encoded in Powershell Script ( #1562 )
...
* Create execution_posh_portable_executable.toml
* Add wildcard
* Remove the wildcard
* Update rules/windows/execution_posh_portable_executable.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-18 17:50:16 -03:00
3ab67d1562
[New Rule] AWS EventBridge Rule Disabled or Deleted ( #1572 )
...
* Create aws_eventbridge_rule_disabled_or_deleted.toml
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Rename aws_eventbridge_rule_disabled_or_deleted.toml to impact_aws_eventbridge_rule_disabled_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-18 15:36:21 -03:00
cf2b3ee753
[New Rule] DNS-over-HTTPS Enabled by Registry ( #1379 )
...
* Create defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update rules/windows/defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-10-15 23:25:12 -03:00
2c39bb962f
[New Rule] AWS EFS File System or Mount Deleted ( #1462 )
...
* AWS EFS File System or Mount Deleted
* Update impact_efs_filesystem_or_mount_deleted.toml
* Update rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update impact_efs_filesystem_or_mount_deleted.toml
* Update impact_efs_filesystem_or_mount_deleted.toml
* Update impact_efs_filesystem_or_mount_deleted.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-15 23:23:07 -03:00
702524b1f7
[New Rule] AWS Suspicious SAML Activity ( #1498 )
...
* Create privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Add trailing /
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-15 23:11:15 -03:00
50501bb40f
[New Rule] Azure Full Network Packet Capture Detected ( #1420 )
...
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Delete defense_evasion_virtual_network_device_modified.toml
* Create exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Rename exfiltration_azure_full_network_packet_capture_detected.toml to credential_access_azure_full_network_packet_capture_detected.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-15 23:06:27 -03:00
790586fb57
[New Rule] Azure Virtual Network Device Modified or Deleted ( #1421 )
...
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Delete defense_evasion_virtual_network_device_modified.toml
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_virtual_network_device_modified.toml
* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Rename defense_evasion_virtual_network_device_modified.toml to impact_virtual_network_device_modified.toml
* fix description
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-15 16:11:05 -03:00
761df5fe84
[New Rule] Azure Kubernetes Pods Deleted ( #1309 )
...
* Create impact_kubernetes_pod_deleted.toml
* Update impact_kubernetes_pod_deleted.toml
* Update
* Update impact_kubernetes_pod_deleted.toml
* quote value in query
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-15 16:07:39 -03:00
dc980effb0
[New Rule] AWS RDS Snapshot Restored ( #1312 )
...
* Create exfiltration_rds_snapshot_restored.toml
* Update exfiltration_rds_snapshot_restored.toml
* Delete exfiltration_rds_snapshot_restored.toml
* Create exfiltration_rds_snapshot_restored.toml
* Update
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update exfiltration_rds_snapshot_restored.toml
* Update exfiltration_rds_snapshot_restored.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-15 16:05:00 -03:00
3303a4e255
[New Rule] Microsoft 365 - Mass download by a single user ( #1348 )
...
* Create impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-15 16:01:50 -03:00
90504915ad
[New Rule] AWS Route53 hosted zone associated with a VPC ( #1365 )
...
* Create persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-15 15:59:33 -03:00
d7eab5bbf3
[New Rule] AWS STS AssumeRole Usage ( #1214 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create lateral_movement_sts_assumerole_abuse.toml
* Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update and rename privilege_escalation_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_usage.toml
* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Add note field
* Update privilege_escalation_sts_assumerole_usage.toml
* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Adding Reference
* Expand STS
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-15 15:56:10 -03:00
27ba204f1c
[New Rule] GCP Kubernetes Rolebindings Created or Patched ( #1267 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/gcp/credential_access_gcp_kubernetes_rolebindings_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update and rename credential_access_gcp_kubernetes_rolebindings_creation.toml to credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml
* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml
* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml
* Rename credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml to privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
* remove space from query
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-15 15:42:25 -03:00
7123d46623
[New Rule] Azure Blob Permissions Modification ( #1499 )
...
* Create defense_evasion_azure_blob_permissions_modified.toml
* Update defense_evasion_azure_blob_permissions_modified.toml
* Update defense_evasion_azure_blob_permissions_modified.toml
* Update description and query (spacing)
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-14 06:59:24 -03:00
3d15c2072d
[New Rule] Azure Kubernetes Events Deleted ( #1307 )
...
* Create defense_evasion_kubernetes_events_deleted.toml
* Update defense_evasion_kubernetes_events_deleted.toml
* Update defense_evasion_kubernetes_events_deleted.toml
* Update
* Update defense_evasion_kubernetes_events_deleted.toml
* Update defense_evasion_kubernetes_events_deleted.toml
* Update defense_evasion_kubernetes_events_deleted.toml
* Update rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Add quotes to azure query field
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-14 06:57:33 -03:00
b7dcbbae72
[New Rule] PowerShell Suspicious Discovery Related Windows API Functions ( #1548 )
...
* PowerShell Suspicious Discovery Related Windows API Functions Initial Rule
* Update severity
* Lint
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-14 06:54:45 -03:00
cc241c0b5e
[Rule Tuning] Update network.direction ( #1547 )
...
* Update network.direction
* bump updated_date
2021-10-13 21:46:36 -03:00
11fa592c6f
[New Rule] Microsoft 365 - Impossible travel activity ( #1344 )
...
* Create initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Updated Directory
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update initial_access_microsoft_365_impossible_travel_activity.toml
* Update initial_access_microsoft_365_impossible_travel_activity.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-12 19:11:32 -03:00
c8ac37957d
[New Rule] Microsoft 365 - User Restricted from Sending Email ( #1345 )
...
* Create initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Update
* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Update rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml
* Fix technique
* update description and FP
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-12 18:32:54 -03:00
fa9da023dd
[New Rule] Microsoft 365 - Unusual Volume of File Deletion ( #1347 )
...
* Create impact_microsoft_365_unusual_volume_of_file_deletion.toml
* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml
* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml
* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml
* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml
* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml
* Update rules/microsoft-365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml
* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml
* Add missing `\`
* Bump to prod and update description
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-12 18:30:49 -03:00
98c217ece9
[New Rule] Microsoft 365 - Potential ransomware activity ( #1346 )
...
* Create impact_microsoft_365_potential_ransomware_activity.toml
* Update impact_microsoft_365_potential_ransomware_activity.toml
* Update impact_microsoft_365_potential_ransomware_activity.toml
* Update
* Update impact_microsoft_365_potential_ransomware_activity.toml
* Update rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update impact_microsoft_365_potential_ransomware_activity.toml
* Update impact_microsoft_365_potential_ransomware_activity.toml
* bump to prod
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-12 18:26:17 -03:00
82e72a956b
[New Rule] AWS Route Table Modified or Deleted ( #1258 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create persistence_route_table_modified_or_deleted.toml
* Update persistence_route_table_modified_or_deleted.toml
* Update persistence_route_table_modified_or_deleted.toml
* Update
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update persistence_route_table_modified_or_deleted.toml
* Update persistence_route_table_modified_or_deleted.toml
* Update persistence_route_table_modified_or_deleted.toml
* remove space from query
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-12 15:16:48 -03:00
cdbd5a6515
[New Rule] Rules to detect screensaver persistence on macOS ( #1531 )
...
* add macos screensaver persistence rules
* change uuid
* update name
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* add T1546
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-07 08:22:58 -06:00
43f0d77033
Update defense_evasion_execution_windefend_unusual_path.toml ( #1492 )
...
* Update defense_evasion_execution_windefend_unusual_path.toml
Add Microsoft Security Client to exclusions.
* Update defense_evasion_execution_windefend_unusual_path.toml
Update updated_date
* Updated author
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-05 16:38:01 -03:00
9508002bb3
[New Rule] AWS ElastiCache Security Group Created ( #1363 )
...
* Create persistence_elasticache_security_group_creation.toml
* Update
* Update rules/integrations/aws/persistence_elasticache_security_group_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Rename persistence_elasticache_security_group_creation.toml to defense_evasion_elasticache_security_group_creation.toml
* Update defense_evasion_elasticache_security_group_creation.toml
* Update defense_evasion_elasticache_security_group_creation.toml
* Re-add rule.threat
* Update rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* remove extra space from query
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-05 14:00:29 -03:00
3b0d2006b7
Made these pull requests before the directory restructure. ( #1517 )
...
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-05 09:29:40 -03:00
0a3c44e8db
[Rule Tuning] AWS RDS Snapshot Export and AWS RDS Instance Created ( #1514 )
2021-10-04 13:31:31 -08:00
d5a8f41864
[Rule Tuning] Volume Shadow Copy Deletion or Resized via VssAdmin ( #1524 )
...
* Updated rule to include resizing
* lint
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2021-10-04 16:00:35 -03:00
f2b58cc0ab
[New Rule] Backup Files Deletion ( #1516 )
...
* Add Backup Files Deletion Initial Rule
* Fix creation date
* Add updated_date
* Adjust description and query
* Update Description
* Update rules/windows/impact_backup_file_deletion.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Add false_positives
* Update impact_backup_file_deletion.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-04 15:55:52 -03:00
f41714642c
[New Rule] AWS ElastiCache Security Group Modified or Deleted ( #1364 )
...
* Create impact_aws_elasticache_security_group_modified_or_deleted.toml
* Rename impact_aws_elasticache_security_group_modified_or_deleted.toml to impact_elasticache_security_group_modified_or_deleted.toml
* Update impact_elasticache_security_group_modified_or_deleted.toml
* Update
* Update rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update impact_elasticache_security_group_modified_or_deleted.toml
* Update impact_elasticache_security_group_modified_or_deleted.toml
* Rename impact_elasticache_security_group_modified_or_deleted.toml to defense_evasion_elasticache_security_group_modified_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-04 15:38:37 -03:00
6298f7b00a
[New Rule] Volume Shadow Copy Deletion via PowerShell ( #1358 )
...
* Create defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml
* Rename defense_evasion_volume_shadow_copy_deletion_via_powershell.toml to impact_volume_shadow_copy_deletion_via_powershell.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Add trailing /
* Update rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-10-04 14:58:02 -03:00
ba9c01be50
Rename new_or_modified_federation_domain.toml to correspond with tactic ( #1511 )
2021-09-30 13:08:35 -08:00
5e4a7e67df
[Rule Tuning] Small update on rule descriptions ( #1508 )
2021-09-30 12:54:15 -08:00
76a0224f60
[New Rule] Virtual Machine Fingerprinting via Grep ( #1510 )
...
* [New Rule] Virtual Machine Fingerprinting via Grep
* format
* Update rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added reference url
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-09-30 20:40:05 +02:00
521e4dc8f1
[New Rule] Potential Lsass Memory Dump via MirrorDump ( #1504 )
...
* [New Rule] Potential Lsass Memory Dump via MirrorDump
* added tactic
* switched to kql
* added sysmon process access non ecs types
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* rule.name as suggested by Justin and converted to EQL to add comments
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-09-30 10:16:36 +02:00
d28c48f20f
[New Rule] Azure Frontdoor Web Application Firewall (WAF) Policy Deleted ( #1393 )
2021-09-29 09:08:09 -08:00
a51ed86851
[New Rule] New or Modified Federation Domain ( #1212 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create persistence_new-or-modified-federation-domain.toml
* Rename persistence_new-or-modified-federation-domain.toml to persistence_new_or_modified_federation_domain.toml
* Update persistence_new_or_modified_federation_domain.toml
* Update .gitignore
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update persistence_new_or_modified_federation_domain.toml
* Update persistence_new_or_modified_federation_domain.toml
* Update persistence_new_or_modified_federation_domain.toml
* Update
* Update persistence_new_or_modified_federation_domain.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-09-29 09:16:17 -03:00
5ac7fb639c
[New Rule] O365 Exchange Suspicious Mailbox Right Delegation ( #1211 )
2021-09-27 13:18:33 -08:00
Jonhnathan