Samirbous
83462a3087
[New] Potential File Download via a Headless Browser (#3660)
* [New] Potential File Download via a Headless Browser
* Update command_and_control_headless_browser.toml
* Update command_and_control_headless_browser.toml
* Update command_and_control_common_webservices.toml
* Update command_and_control_headless_browser.toml
* Update command_and_control_headless_browser.toml
2024-05-14 13:55:14 +01:00
Terrance DeJesus
d505b95f3c
[New Rule] AWS EC2 AMI Shared with Another Account (#3600)
* new rule 'AWS EC2 AMI Shared with Another Account'
* linted; updated UUID
* added investigation guide
* updated description
* fixed spelling errors
* Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* fixed spacing issue
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-05-14 01:56:26 -04:00
Terrance DeJesus
38e0f13e23
[New Rule] First Occurrence of User Identity Retrieving Credentials from EC2 Instance with an Assumed Role (#3586)
* new rule 'First Occurrence of User Identity Sending Requests to EC2 Instance'
* updated description and name
* added investigation guide; adjusted description
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* updated query logic
* fixed spacing issue
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-05-13 23:07:39 -04:00
Mika Ayenson
78837549e8
[FR] Bundle KQL & Kibana libs into base dependencies (#3662)
2024-05-13 14:29:03 -05:00
Eric Forte
094ef22604
[Bug] Update Rule Formatter (#3668)
* Update Rule Formatter
* Only apply fix to Note
2024-05-13 15:00:01 -04:00
Jonhnathan
6150f222b2
[New Rule] Alternate Data Stream Creation at Volume Root Directory (#3517)
* [New Rule] Alternate Data Stream Creation at Volume Root Directory
* Update defense_evasion_root_dir_ads_creation.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-05-13 08:35:12 -03:00
Colson Wilhoit
1fb58e1b61
[Tuning] MacOS Comprehensive Detection Rule Tuning (#3435)
* Update to use new data source
* Exclude FPs
* Update logic
* Exclude FPs
* Update to match ER logic
* Exclude FP
* Update to match endpoint rule and reduce FPs
* Update logic to reduce FPs
* Update logic to reduce FPs
* Exclude FPs
* Update logic to remove FPs
* Update logic to reduce FPs
* Update logic and min stack version to reduce FPs
* Exclude FP
* Remove FPs
* Update logic and min stack to reduce FPs
* Exclude FPs
* Update logic and min stack to exclude FPs
* Update logic and min stack to exclude FPs
* Update logic to be more efficient
* Update logic
* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml
* Update rules/macos/defense_evasion_modify_environment_launchctl.toml
* Update rules/macos/persistence_docker_shortcuts_plist_modification.toml
* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml
* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
* Update persistence_folder_action_scripts_runtime.toml
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update rules/macos/execution_installer_package_spawned_network_event.toml
* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
* Update rules/macos/credential_access_credentials_keychains.toml
* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
* Update rules/macos/persistence_loginwindow_plist_modification.toml
* Update rules/macos/persistence_folder_action_scripts_runtime.toml
* Fix
* Fix
* Fix
* Update min stack comments
* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml
* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
* Update rules/macos/credential_access_systemkey_dumping.toml
* Update rules/macos/discovery_users_domain_built_in_commands.toml
* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml
* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml
* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml
* Update rules/macos/persistence_folder_action_scripts_runtime.toml
* Remove field
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-05-11 12:52:18 -05:00
Jonhnathan
11dca27974
[New Rule] Potential Widespread Malware Infection (#3656)
* [New Rule] Potential Widespread Malware Infection
* Update potential_widespread_malware_infection.toml
* .
* Update execution_potential_widespread_malware_infection.toml
* Update rules/cross-platform/execution_potential_widespread_malware_infection.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rules/cross-platform/execution_potential_widespread_malware_infection.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2024-05-10 13:51:04 -03:00
Jonhnathan
6cc39a538f
[New Rule] Potential PowerShell HackTool Script by Author (#2472)
* [New Rule] Potential PowerShell HackTool Script by Author
* Update execution_posh_hacktool_authors.toml
* Update execution_posh_hacktool_authors.toml
* Update execution_posh_hacktool_authors.toml
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update execution_posh_hacktool_authors.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update execution_posh_hacktool_authors.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-05-09 18:41:56 -07:00
terrancedejesus
69595a5f69
updated query logic
2024-05-09 18:31:50 -07:00
Jonhnathan
f85d7482fd
[New Rule] Potential PowerShell HackTool Script by Author (#2472)
* [New Rule] Potential PowerShell HackTool Script by Author
* Update execution_posh_hacktool_authors.toml
* Update execution_posh_hacktool_authors.toml
* Update execution_posh_hacktool_authors.toml
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update execution_posh_hacktool_authors.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update execution_posh_hacktool_authors.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-05-09 13:00:41 -03:00
Samirbous
7a61070e08
[Tuning] Component Object Model Hijacking (#3655)
* [Tuning] Component Object Model Hijacking
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
* Update persistence_suspicious_com_hijack_registry.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-05-08 17:44:35 +01:00
Eric Forte
65441b8e67
[FR] Update readme with wsl instructions for py312 (#3649)
* Update README
* Removed DaC Specifics
* Add troubleshooting guide.
* Update Troubleshooting.md
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-05-07 13:50:40 -04:00
Samirbous
4a2e2764cd
[New] Ransomware over SMB (#3638)
* [New] Ransomware over SMB
* Update impact_ransomware_note_file_over_smb.toml
* Update impact_ransomware_file_rename_smb.toml
* ++
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_ransomware_file_rename_smb.toml
* Update impact_ransomware_note_file_over_smb.toml
* Update impact_high_freq_file_renames_by_kernel.toml
2024-05-07 06:38:14 +01:00
github-actions[bot]
84437bac03
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3650)
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13
* Bumping status checks
* undo bump
---------
Co-authored-by: eric-forte-elastic <eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
2024-05-06 12:44:32 -04:00
Mika Ayenson
4396a91b40
[New Rule] Unusual High Confidence Misconduct Blocks Detected (#3647)
2024-05-06 07:32:02 -05:00
Eric Forte
a4a0bc6a7e
[Bug] Query validation failing to capture InSet edge case with ip field types (#3572)
* Move test case to separate file
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-05-06 07:58:42 -04:00
Mika Ayenson
51268581a8
[Rule Tuning] AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User (#3646)
2024-05-04 08:20:20 -05:00
Justin Ibarra
613457b97f
[New Rules] AWS Bedrock Guardrails Violations (#3641)
* [New Rules] AWS Bedrock Guardrails Violations
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2024-05-03 20:55:27 -06:00
Mika Ayenson
2ffb0e7fe2
[New Rule] Potential Abuse of Resources by High Token Count and Large Response Sizes (#3644)
2024-05-03 18:01:53 -05:00
Mika Ayenson
c8c8c96956
[FR] Add ability to generate hunt index (#3643)
2024-05-03 13:43:22 -05:00
Mika Ayenson
00b8a77f50
[FR] Add Hunt Structure and Initial LLM Queries 🚀 (#3637)
2024-05-03 09:33:06 -05:00
Justin Ibarra
2668f5f762
[Bug] Fix missing indexes on navigator build (#3636)
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2024-05-01 15:50:54 -06:00
Justin Ibarra
54ff270c62
[New Rule] AWS S3 Bucket Enumeration or Brute Force (#3635)
* [New Rule] AWS S3 Bucket Enumeration or Brute Force
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-05-01 15:00:33 -06:00
github-actions[bot]
ca78f550fd
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3630)
2024-04-30 18:06:01 +05:30
Ruben Groenewoud
e29994c338
[New Rule] Shell Configuration Modification (#3629)
* [New Rule] Shell Configuration Modification
* description update
* uuid update
* query update
* query update
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-04-30 13:41:13 +02:00
Ruben Groenewoud
115c3a6dfd
[Rule Tuning] Linux DRs (#3628)
2024-04-30 13:26:09 +02:00
Samirbous
8f6de1c235
[New] Potential privilege escalation via CVE-2022-38028 (#3616)
* [New] Potential privilege escalation via CVE-2022-38028
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
* Update privilege_escalation_exploit_cve_202238028.toml
* Update privilege_escalation_exploit_cve_202238028.toml
* Update privilege_escalation_exploit_cve_202238028.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-04-29 15:10:27 +01:00
Justin Ibarra
c567d3731a
Refresh Kibana module with API updates (#3466)
* Refresh Kibana module with API updates
* add import/export commands
* rename repo commands
* add RawRuleCollection and DictRule objects
* save exported rules to files; rule.from_rule_resource
* strip unknown fields in schema
* add remote cli test
* update docs
* bump kibana lib version
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2024-04-26 11:12:50 -06:00
github-actions[bot]
374f21fbc4
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 (#3615)
2024-04-23 17:59:01 +05:30
shashank-elastic
7673ba484d
Fix minstack version for O365 in azure integration rules (#3612)
2024-04-22 19:17:49 +05:30
Terrance DeJesus
69d42ecc71
updating performance note (#3608)
2024-04-18 16:36:07 -04:00
Terrance DeJesus
25dafb68f1
[Rule Tuning] Reverting To Previous Version (#3607)
2024-04-18 15:19:27 -04:00
Terrance DeJesus
91e69ac322
[Rule Tuning] Tuning Account Password Reset Remotely (#3478)
* tuning 'Account Password Reset Remotely'
* adjusted note
* fixing description
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* updated note about performance; toml lint
* bumping min-stack to resolve version lock
* reverting query to main
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-04-18 12:49:32 -04:00
Jonhnathan
6ae0902a38
[New Rule] Potential Windows Session Hijacking via CcmExec (#3602)
* [New Rule] Potential Windows Session Hijacking via CcmExec
* Update rules/windows/defense_evasion_sccm_scnotification_dll.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-04-18 12:57:35 -03:00
Jonhnathan
5004ff115c
[Rule Tuning] Further Tighten up Elastic Defend Index Patterns (#3584)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-04-16 13:26:42 -03:00
Terrance DeJesus
74312797bf
adjust aws rule index patterns and tags (#3595)
2024-04-16 10:08:57 -04:00
Jonhnathan
c2d1586270
[Rule Tuning] Windows BBR Promotion (#3577)
* [Rule Tuning] Windows BBR Promotion
* Update non-ecs-schema.json
* Update persistence_netsh_helper_dll.toml
* Update persistence_werfault_reflectdebugger.toml
* Update privilege_escalation_unquoted_service_path.toml
* Update defense_evasion_msdt_suspicious_diagcab.toml
* Update defense_evasion_suspicious_msiexec_execution.toml
* Update discovery_security_software_wmic.toml
* Revert "Update defense_evasion_msdt_suspicious_diagcab.toml"
This reverts commit 0e1f3ea3e18a146c421a5bda784633cca4a2b0c0.
* Revert "Update defense_evasion_suspicious_msiexec_execution.toml"
This reverts commit 4e26a167774ad712d19334a4c2c712cc1d550e7f.
* Revert "Update discovery_security_software_wmic.toml"
This reverts commit d638cec354a46cacab1e62596f4ad939a1d9c32a.
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-04-16 09:28:17 -03:00
Eric Forte
114db81f07
Bump KQL Version in Init (#3597)
2024-04-15 11:06:16 -04:00
Samirbous
919a438257
Update defense_evasion_untrusted_driver_loaded.toml (#3596)
excluding `errorCode_endpoint:*` status (noisy)
2024-04-15 14:52:39 +01:00
Samirbous
9692e59abb
[Tuning] Connection to Commonly Abused Web Services (#3587)
excluding top noisy patterns:
- Microsoft signed binaries connecting to graph.microsoft.com and sharepoint.com
- Slack, Dropbox and other signed binaries.
- github.com (removed), most abused is rawgithub dns.question.name for ingress-script/payload download
2024-04-11 08:11:28 -03:00
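The allow-list tuning described in the commit message above, as an added Python illustration that is not the repository's rule query: a detection over constructed ECS-shaped network events that only suppresses a watched destination when the process carries a trusted code signature from a signer expected to reach that destination. The watched domain list, the signer-to-domain pairs, the field names and the sample events are all assumptions made for this example and do not reproduce the real rule.

```python
"""Allow-list tuning for a 'connection to commonly abused web service'
detection. Added illustration only; it is not the repository's rule query."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed subset of watched domains; the real rule's list is not
# reproduced here. github.com is deliberately absent, while the raw content
# host used for script/payload download is kept, as the commit describes.
WATCHED_DOMAINS = (
    "raw.githubusercontent.com",
    "pastebin.com",
    "discord.com",
    "graph.microsoft.com",
    "sharepoint.com",
    "slack.com",
    "dropbox.com",
)

# Assumed signer -> expected destination pairs modelled on the message:
# Microsoft-signed binaries talking to Graph/SharePoint, and signed
# collaboration clients talking to their own service.
EXPECTED_SIGNER_DOMAINS = {
    "Microsoft Corporation": ("graph.microsoft.com", "sharepoint.com"),
    "Microsoft Windows": ("graph.microsoft.com", "sharepoint.com"),
    "Slack Technologies, Inc.": ("slack.com",),
    "Dropbox, Inc": ("dropbox.com",),
}


@dataclass(frozen=True)
class NetworkEvent:
    """Minimal ECS-shaped event (assumed fields, not a real document)."""
    process_name: str            # process.name
    signer: Optional[str]        # process.code_signature.subject_name
    signature_trusted: bool      # process.code_signature.trusted
    dns_question_name: str       # dns.question.name


def domain_matches(name: str, suffix: str) -> bool:
    """Exact or subdomain match only, so 'evil-sharepoint.com' does not
    match 'sharepoint.com'. Case and a trailing dot are normalised."""
    name = name.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def is_watched(event: NetworkEvent) -> bool:
    return any(domain_matches(event.dns_question_name, d) for d in WATCHED_DOMAINS)


def is_expected(event: NetworkEvent) -> bool:
    """The exclusion applies only to a *trusted* signature: a binary that
    merely claims a Microsoft subject name with an invalid signature still
    alerts, and a trusted signer only covers its own expected destinations."""
    if not event.signature_trusted or event.signer is None:
        return False
    allowed = EXPECTED_SIGNER_DOMAINS.get(event.signer, ())
    return any(domain_matches(event.dns_question_name, d) for d in allowed)


def alerting_processes(events: List[NetworkEvent]) -> List[str]:
    """Names of processes that reach a watched domain without an exclusion."""
    return [e.process_name for e in events if is_watched(e) and not is_expected(e)]


# Constructed sample events, not captured telemetry.
SAMPLE_EVENTS = [
    NetworkEvent("outlook.exe", "Microsoft Corporation", True, "graph.microsoft.com"),
    NetworkEvent("slack.exe", "Slack Technologies, Inc.", True, "edgeapi.slack.com"),
    NetworkEvent("powershell.exe", "Microsoft Windows", True, "raw.githubusercontent.com"),
    NetworkEvent("dropper.exe", None, False, "contoso.sharepoint.com"),
    NetworkEvent("fake.exe", "Microsoft Corporation", False, "graph.microsoft.com"),
    NetworkEvent("git.exe", None, False, "github.com"),
]

if __name__ == "__main__":
    print(alerting_processes(SAMPLE_EVENTS))
```

The point of keying the exclusion on the trusted-signature flag rather than on the subject name alone is that the subject name is attacker-controlled text in an unsigned or badly signed binary; the trusted flag is the endpoint's verdict on the signature chain. Pairing each signer with its own expected destinations keeps a signed Microsoft binary such as PowerShell reaching a raw script host in scope.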
Jonhnathan
d0dfa479bb
[Rule Tuning] Windows BBR Rule Tuning - 1 (#3579)
* [Rule Tuning] Windows BBR Rule Tuning - 1
* Update non-ecs-schema.json
* Update rules_building_block/command_and_control_certutil_network_connection.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules_building_block/collection_common_compressed_archived_file.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
* Update defense_evasion_dll_hijack.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-04-08 10:38:41 -03:00
Jonhnathan
c5addae009
[Rule Tuning] Windows BBR Rule Tuning - 3 (#3581)
* [Rule Tuning] Windows BBR Rule Tuning - 3
* Update non-ecs-schema.json
* Update rules_building_block/execution_settingcontent_ms_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update persistence_startup_folder_lnk.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-04-08 09:47:48 -03:00
Jonhnathan
1bc59bdc04
[Rule Tuning] Windows BBR Rule Tuning - 2 (#3580)
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-04-08 09:34:26 -03:00
Jonhnathan
109e8a85a5
[Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition (#3576)
* [Rule Tuning] BBR Rule Tuning 1 - Tighten Indexes Edition
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update defense_evasion_msdt_suspicious_diagcab.toml
* Update defense_evasion_suspicious_msiexec_execution.toml
* Update discovery_security_software_wmic.toml
* Update rules_building_block/discovery_security_software_wmic.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Endgame tag
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-04-08 08:57:33 -03:00
Jonhnathan
e125a4e4cf
[Rule Tuning] WRITEDAC Access on Active Directory Object (#3583)
2024-04-08 08:43:25 -03:00
Jonhnathan
aa0cc42ff6
[Rule Tuning] Svchost spawning Cmd (#3578)
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-04-08 07:50:20 -03:00
Terrance DeJesus
0cb42983c1
updated to v14.0 MITRE ATT&CK (#3289)
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2024-04-05 14:30:23 -04:00
Eric Forte
e6f48ade01
Bump KQL lib Version (#3575)
2024-04-05 13:38:54 -04:00
Eric Forte
fbb6df506e
Update default (#3574)
2024-04-04 20:27:14 -04:00