25b527c149
Setup information for Linux Rules - Set4 ( #3179 )
2023-10-17 18:59:31 +05:30
d2c2987d72
Setup information for Linux Rules - Set3 ( #3178 )
2023-10-17 18:37:20 +05:30
1801a4ee7e
Setup information for Linux Rules - Set2 ( #3177 )
2023-10-17 18:25:55 +05:30
a33a124eab
[New Rule] [BBR] Memory Dump File Rules ( #3122 )
...
* [New Rule] Memory Dump File Rules
* .
* .
* .
2023-10-17 09:35:38 -03:00
8035516e8e
[Rule Tuning] Potential Masquerading as Browser Process ( #3180 )
...
* [Rule Tuning] Potential Masquerading as Browser Process
* Update defense_evasion_masquerading_browsers.toml
* Update defense_evasion_masquerading_browsers.toml
2023-10-17 08:53:37 -03:00
e4e68c2dd8
[Rule Tuning] Potential Masquerading as System32 DLL ( #3184 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-10-17 08:29:08 -03:00
82685e36ce
[Rule Tuning] Adjust Lucene queries to use Uppercase operators ( #3196 )
2023-10-16 17:07:53 -03:00
a5a606e804
[New Rule] Adding DGA Rules from Advanced Analytic DGA Package ( #3102 )
...
* Adding DGA rules
* Adding references
* updated rule tags and queries
* Updating min stack version
* added logic to handle ml jobs
* added code comments for clarity
* removing subbed security docs folder
* added event dataset to queries for endpoint; updated note
* removed event dataset
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-10-16 15:48:54 -04:00
24b0aa5c63
[Tuning] Adjusted Rules for Anti-Evasion ( #3163 )
...
* Update lateral_movement_executable_tool_transfer_smb.toml
* Update lateral_movement_incoming_wmi.toml
* Update lateral_movement_execution_via_file_shares_sequence.toml
* Update lateral_movement_executable_tool_transfer_smb.toml
* Update lateral_movement_execution_via_file_shares_sequence.toml
* Update lateral_movement_executable_tool_transfer_smb.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-10-16 17:56:09 +01:00
f584fb6e31
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules ( #3165 )
...
* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules
* Fix dates
* Fix unit test errors
* updated tags and fixed branch conflicts
updated tags and fixed branch conflicts
* description nit
* Reverting unintended changes
* Update initial_access_suspicious_ms_office_child_process.toml
---------
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com >
2023-10-15 18:12:20 -03:00
97ff7fb26e
[New Rule] Adding Data Exfiltration Rules from Advanced Analytic DED Package ( #3126 )
...
* Adding DED rules
* adding integration manifests and schemas for DED
* Updating min stack version
* updating manifests and schemas to match main
* added setup note; updated references
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-10-14 13:23:48 -04:00
2b0735024e
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 ( #3183 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-10-13 15:10:49 -04:00
b4f8fc3290
[FR] 8.11 Release Preparation and Update Main Branch to 8.12 ( #3182 )
...
* prepping for 8.12 branch
* added ananlytic manifests and schemas
* fix linting issues
* updated analytic package manifests and schemas
2023-10-13 13:37:21 -04:00
15718ea09e
Improve exsisting setup configurations for Linux ( #3141 )
2023-10-13 13:39:03 +05:30
374c9c6257
[New Rule] New GitHub App Installed ( #3055 )
...
* new rule
* Update rules/integrations/github/execution_new_github_app_installed.toml
* Update rules/integrations/github/execution_new_github_app_installed.toml
edits from review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* change query from event.module to event.dataset
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-10-12 20:10:20 -04:00
1e514afa57
[New Rule] Migrate Lateral Movement Detection Rules ( #3175 )
...
* adding LMD rules
* added setup note; updated references
* adds 2.0.0 lmd manifest and schema
* adjusted min-stack for non-ML rules
2023-10-12 15:02:19 -04:00
3e212e2b74
[FR] Add ML Jobs to Schemas and Unit Test for Validation ( #3161 )
...
* adding machine learning job id validation
* Update rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
* Update tests/test_all_rules.py
* adding integration manifests and schemas from main
* rebuilt manifests and schemas with lmd
* fixed unit test linting
* adding manifests and schemas for other analytic packages
* updated manifests and schemas; adjusted unit test for verbosity
* sorted imports
2023-10-12 10:51:12 -04:00
3f2a709370
[Rule Tuning] PowerShell Rules Tuning ( #3169 )
2023-10-11 17:57:32 -03:00
7f8a9849c4
[New Rule] File Compressed or Archived into Common Format ( #3173 )
...
* [New Rule] File Compressed or Archived into Common Format
* new build-threat-map-entry-command
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-10-11 11:34:34 -07:00
9f61ce4923
[FR] Only supporting known compatible rule file types ( #3167 )
...
* Only supporting known compatible file types
* Add --ignore-invalid-files flag
* Added support to ignore invalid rule files
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/main.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* reverting main
* add punctuation
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-10-11 11:43:42 -04:00
89cfdcd440
[New Rule] Potential curl CVE-2023-38545 Exploitation ( #3168 )
...
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Added setup guide
* Update execution_curl_CVE_2023_38545.toml
* File name change
* File name change
* Update dates
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-10-11 11:42:25 -03:00
c2822e175c
[Tuning] Windows Execution Rule Tuning for UEBA ( #3107 )
...
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Mostly updated Execution tags, also new_terms conv
* removed index
* Removed index
* WMIPrvSE tuning
* Additional tuning
* Tuning & changes
* Additional tuning
* Applied unit test optimization
* Addressed feedback
* Update rules/windows/execution_command_shell_started_by_svchost.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* caseless unit testing fix
* fixed caseless executable unit test
* unit testing fix
* Update rules/windows/execution_suspicious_powershell_imgload.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update execution_ms_office_written_file.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
* Added user ids to new terms
* Update rules/windows/execution_suspicious_powershell_imgload.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules_building_block/execution_unsigned_service_executable.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update execution_unsigned_service_executable.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-10-11 10:15:29 +02:00
4cdf52129a
[Tuning] Windows Discovery Rule Tuning for UEBA ( #3097 )
...
* [Tuning] Win DR Tuning for UEBA
* Need to get used to Windows formatting
* Added additional content
* Updated min stack
* Added additional tuning
* Fixed unit testing for KQL optimization
* Update rules_building_block/discovery_internet_capabilities.toml
* Additional tuning
* Kuery optimization
* Additional tuning
* Additional tuning
* Additional tuning
* Additional tuning
* Unit testing optimization fix
* optimization
* tuning
* Optimization
* Update rules/windows/discovery_privileged_localgroup_membership.toml
* Added feedback
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* added host.id as additional new_terms field
* Reworked a lot.
* kibana.alert.rule.rule_id to non-ecs-schema.json
* Fixed index by adding a dot
* fixed typo
* Added host.os.type:windows for signals
* Added additional tag
* Added Higher-Order Rule tag
* Stripped down signal rules down to two
* revert
* Update rules/windows/discovery_admin_recon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/discovery_generic_registry_query.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update discovery_generic_registry_query.toml
* Readded exclusions
* Added trailing wildcards for KQL
* Update discovery_privileged_localgroup_membership.toml
* Update rules_building_block/discovery_signal_unusual_user_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Formatting fix
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-10-11 09:43:26 +02:00
a46797b987
[New Rule] Pot. Rev. Shell via Background Process ( #3114 )
2023-10-06 23:14:39 +02:00
ef8f5620e1
[New Rule] New GitHub Owner Added ( #3090 )
...
* [New Rule] New GitHub Owner Added
new rule
* name change
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-10-06 15:57:26 -04:00
9593412847
[New Rule] GitHub Owner Role Granted to User ( #3087 )
...
* [New Rule] GitHub Owner Role Granted to User
new rule
* Update persistence_organization_owner_role_granted.toml
* updated integration schema
* changed timestamp_override
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-10-06 15:44:04 -04:00
c3cc01333a
[Tuning] CVE-2023-4911 ( #3160 )
2023-10-06 13:13:17 +02:00
57c05f0444
removing lmd rules and fixing version lock history ( #3159 )
2023-10-05 12:16:53 -04:00
f4ad1f28e3
[New Rule] PE via CVE-2023-4911 (Looney Tunables) ( #3158 )
...
* [New Rule] PE via CVE-2023-4911 (Looney Tunables)
* Update rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
* Update rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
2023-10-05 16:41:11 +02:00
b8ae2218f8
[Rule Tuning] Add filebeat Compatibility to Network Rules ( #2925 )
...
* add beats compatability to NPC rules
* added filebeat compatibility to 'Accepted Default Telnet Port Connection'
* added filebeat compatibility to 'Cobalt Strike Command and Control Beacon'
* added filebeat compatibility to 'Default Cobalt Strike Team Server Certificate'
* added filebeat compatibility to 'Roshal Archive (RAR) or PowerShell File Downloaded from the Internet'
* added filebeat compatibility to 'Possible FIN7 DGA Command and Control Behavior'
* added filebeat compatibility to 'Halfbaked Command and Control Beacon'
* added filebeat compatibility to 'IPSEC NAT Traversal Port Activity'
* added filebeat compatibility to 'SMTP on Port 26/TCP'
* added filebeat compatibility to 'RDP (Remote Desktop Protocol) from the Internet'
* added filebeat compatibility to 'VNC (Virtual Network Computing) from the Internet'
* added filebeat compatibility to 'VNC (Virtual Network Computing) to the Internet'
* added filebeat compatibility to 'RPC (Remote Procedure Call) from the Internet'
* added filebeat compatibility to 'RPC (Remote Procedure Call) to the Internet'
* added filebeat compatibility to 'SMB (Windows File Sharing) Activity to the Internet'
* removed extra space in query
* added filebeat compatibility to 'Inbound Connection to an Unsecure Elasticsearch Node'
* added filebeat compatibility to 'Abnormally Large DNS Response'
* fixed missing ending parenthesis
* added auditbeat to compatible rules
* addressed feedback
* removed filebeat and auditbeat due to incompatibility
* Update rules/network/command_and_control_cobalt_strike_beacon.toml
* Update rules/network/command_and_control_accepted_default_telnet_port_connection.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-10-03 15:05:41 -04:00
0e2ae5b9ef
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 ( #3155 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-10-03 14:34:22 -04:00
8d2b730bc5
adjusting minimum stack version for version control ( #3154 )
2023-10-03 13:36:06 -04:00
bba8cd3b57
Updated common.requires_os calls ( #3109 )
2023-10-03 10:47:58 -04:00
8f122197bb
[New BBR] Sus. Process Started via tmux or screen ( #3071 )
...
* [New BBR] Sus. Process Started via tmux or screen
* [New BBR] Unix Socket Connection
* Revert "[New BBR] Unix Socket Connection"
This reverts commit 92a0b09e8c505bceb1025124658bb4233d5d19d9.
* Update rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-09-30 12:57:18 +02:00
16550b7144
[Bug] Updated os.path calls to pathlib ( #3110 )
...
* Updated os.path calls to pathlib
* fixed typo
* os.join replacement typo
* additional join typo
* updated os directory functions
* exist_ok typo
* cleanup
* Updated for cleanliness
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-09-28 16:32:55 -04:00
e4b66c23dc
[Bug] Create Rule CLI Crashes on Required Arg ( #3127 )
2023-09-28 14:28:13 -05:00
4828ae07df
[FR] Added asset tag to expected tags ( #3115 )
...
* Added asset tag to expected tags
* removed *
* Add regex wildcard tag support
* Updated tag format test location
* Updated to use env variable
* fixed typo
2023-09-28 14:09:05 -04:00
8650b26002
[Rule Tuning] Update LMD Rules Min-Stack to 8.5 ( #3142 )
...
* updating min-stack to 8.5
* updated min stack comments
2023-09-27 16:17:52 -04:00
747ee7d593
[New Rule] Adding Lateral Movement Rules from Advanced Analytic LMD Package ( #3119 )
...
* Adding Lateral Movement Detection rules
* added tags; adjusted tests; updated manifests and schemas
* added default value to build_integrations_schema
* combined analytic and non-dataset packages for related integrations
* adjusted machine learning definitions
* adjusted machine learning definitions
* removed splat for machine learning list due to 3.8 constraints
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-09-27 14:53:38 -04:00
f77bec8552
[New Rule] [BBR] File with Suspicious Extension Downloaded ( #3139 )
...
* [New Rule] [BBR] File with Suspicious Extension Downloaded
* Update defense_evasion_download_susp_extension.toml
2023-09-27 12:37:11 -03:00
6f7e419f1e
[New RTA] Privesc via OverlayFS ( #3003 )
...
* [New RTA] Privesc via OverlayFS
* Update rta/overlayfs_privesc.py
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-09-27 10:45:19 +02:00
172aa04359
Merge branch 'main' of github.com:elastic/detection-rules
2023-09-22 13:00:03 -05:00
f6b6bee5c2
update transform test to fail on missing transform ( #3085 )
...
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-09-21 13:22:39 -06:00
de2b97a492
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 ( #3108 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-09-18 11:14:42 -04:00
b291317ea6
[New Rule] Network Activity Detected via cat ( #3069 )
...
* [New Rule] Network Activity via cat
* Update command_and_control_cat_network_activity.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-09-18 09:51:20 +02:00
9146e0965d
[New Rule] Github Repository Deleted ( #3056 )
...
* new rule
* Update rules/integrations/github/impact_github_repository_deleted.toml
* Update rules/integrations/github/impact_github_repository_deleted.toml
updates based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-09-14 18:00:25 -04:00
904e37b732
[New Rule] GitHub Protected Branch Settings Changed ( #3054 )
...
* new rule file
* testing query change
* query changed back
* Update rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
updates based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* updated integration manifests with github schema
* Update defense_evasion_github_protected_branch_settings_changed.toml
added event.dataset to query
* added timestamp_override
* changed timestamp_override to @timestamp
* changed timestamp_override
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-09-14 17:16:51 -04:00
ccfc931fbd
Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity ( #3091 )
...
* Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity
When dllhost.exe is called with the "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}" argument it is creating an "OOBE Elevated Object Server" as per https://strontic.github.io/xcyclopedia/library/clsid_ca8c87c1-929d-45ba-94db-ef8e6cb346ad.html
Out of the box experience is part of the Windows autopilot and therefore should be legitimate behaviour.
* simplified detection logic by utilising process.parent.args
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-09-13 13:51:07 -03:00
4034436f06
[Security Content] Add missing osquery transforms ( #3088 )
...
* [Security Content] Add missing osquery transforms
* Revertable unit test
* .
* Revert "Revertable unit test"
This reverts commit 8c909fc2712b16e062890a63f31a6c080b81244a.
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-09-13 08:07:01 -03:00
ddb1f75352
[New Rule] New BBR Rules - Part 2 ( #3029 )
...
* [New Rule] New BBR Rules - Part 2
* Update discovery_generic_account_groups.toml
* Update discovery_generic_account_groups.toml
* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/execution_downloaded_shortcut_files.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules_building_block/defense_evasion_unusual_process_extension.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update defense_evasion_unusual_process_extension.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-09-12 21:49:22 -03:00
shashank-elastic