d1491c3ce1
[Rule Tuning] Threat Intel URL Indicator Match ( #2902 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-07-18 20:21:15 -03:00
f1ba092864
[Deprecation] Threat Intel Indicator Match - General Rules ( #2901 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-18 20:12:53 -03:00
7949b8a03e
[New Rule] Building Block Rules - Part 1 ( #2912 )
...
* [New Rule] Building Block Rules - Part 1
* Update defense_evasion_powershell_clear_logs_script.toml
* Update discovery_posh_generic.toml
* .
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-07-18 20:01:43 -03:00
23a133121d
[Rule Tuning] Add HackTool Keywords to PowerShell Rules ( #2932 )
2023-07-18 08:55:59 -03:00
80e2b699b6
[New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container ( #2837 )
...
* [New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container
new rule
* removed priv_esc tag
removed priv_esc tag
* adjusted tags
adjusted tags
* updated tags
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-17 15:03:24 -04:00
db90345fd5
[Rule Tuning] Kubernetes Anonymous Request Authorized ( #2865 )
...
* rule tuning for exclusions
* optimized query
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-17 13:03:05 -04:00
0b64638bf7
[New Rule] AWS Credentials Searched For Inside a Container ( #2887 )
...
* new rule toml
* Updated query
updated query based on review and added additional search queries
* updated rule query based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-17 12:29:02 -04:00
0f5b5a3551
[Rule Tuning] Add Okta Investigation Guides Part 1 ( #2899 )
...
* adding investigation guides for Okta rules
* Update rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* added MFA to investigation guide for brute forcing
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-17 11:47:02 -04:00
fca8bcc071
[Rule Tuning] PowerShell Rule Tunings ( #2907 )
...
* [Rule Tuning] PowerShell Rule Tunings
* bump
2023-07-14 15:41:36 -03:00
9f29129585
[FR] Add EQL Rule Type Configuration Fields ( #2918 )
...
* adding initial EQL fields to EQLRuleData
* added validation
* adjusted validation
* fixed flake errors
* adjusted type linting; variable names
* added a min_compat to EQL Rule fields
* Update detection_rules/rule_validators.py
* Update detection_rules/rule_validators.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-07-13 11:20:14 -04:00
9414095d96
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 ( #2921 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9
* adding newline to start CI
* removing newline
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-07-11 19:57:02 -04:00
3ed8c56942
DR Linux Rule Tuning 8.9 ( #2859 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-07-10 20:02:42 +05:30
1283a21fb7
[New Rules] Potential portscan detected ( #2817 )
...
* [New Rules] Potential portscan detected
* Updated descriptions
* Update rules/network/discovery_potential_syn_port_scan_detected.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/network/discovery_potential_network_sweep_detected.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/network/discovery_potential_port_scan_detected.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* updating integration manifests and schemas
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-07-09 09:49:32 +02:00
90bc760c56
Update README.md to fix etc path ( #2913 )
2023-07-06 15:00:45 -04:00
e5d6d6e4a7
[New Rule] sus cmds executed by unknown executable ( #2858 )
...
* [New Rule] sus cmds executed by unknown executable
* added an event.action filter
* Added endgame support, fixed stack version comment
* Update execution_suspicious_executable_running_system_commands.toml
* Update rules/linux/execution_suspicious_executable_running_system_commands.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update execution_suspicious_executable_running_system_commands.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-06 17:32:56 +02:00
4e0b7427b7
[New Rules] ftp/rdp bruteforce ( #2910 )
...
* [New Rules] ftp/rdp bruteforce
* Update credential_access_potential_successful_linux_ftp_bruteforce.toml
* Update credential_access_potential_successful_linux_rdp_bruteforce.toml
* Update non-ecs-schema.json
* Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-06 17:16:01 +02:00
d5dee5a6c8
[New Rules] sysctl and modprobe enumeration ( #2844 )
...
* [New Rules] sysctl and modprobe enumeration
* Update discovery_linux_modprobe_enumeration.toml
* Update discovery_linux_sysctl_enumeration.toml
* reverted manifest/schema update
* updated tags
* Update discovery_linux_modprobe_enumeration.toml
2023-07-06 16:46:54 +02:00
cd7a52f1b1
[Rule Tuning] Lock Rules with Different Required Fields Related to 8.9.1 Release ( #2895 )
...
* forking rules with version collisions
* Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
* Update rules/windows/credential_access_suspicious_lsass_access_generic.toml
* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
2023-07-06 10:39:20 -04:00
64b3fa8d1d
[New Rule] Kernel Load/Unload via Kexec Detected ( #2846 )
...
* [New Rule] Kernel Load/Unload via Kexec
* Added additional references
* changed rule name
* changed the query to be more precise
* Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* changed description based on feedback
* Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
2023-07-06 16:03:27 +02:00
646c316b66
[New Rules] Linux Reverse Shells ( #2905 )
...
* [New Rules] Linux Reverse Shells
* [New Rules] Linux Reverse Shells
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_java_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_java_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_java_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Delete UDP rule to add in separate PR
* Update rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Deleted one rule and tuned the others
* Improved the rules' performance
* Added the reverse_tcp rule back after tuning
* Update execution_shell_via_lolbin_interpreter_linux.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-07-06 15:27:57 +02:00
9e5f69dc5b
[FR] Add additional verification to BBR unit tests ( #2909 )
...
* Fixes bug in unit tests
* fix linting
2023-07-06 09:06:36 -04:00
d8969f8df1
RTA For Linux DR and ER Rules ( #2904 )
2023-07-04 18:46:28 +05:30
78055bbeee
[New Rule] Suspicious Proc Enumeration ( #2845 )
...
* [New Rule] Suspicious Proc Enumeration
* Update rules/linux/discovery_suspicious_proc_enumeration.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/discovery_suspicious_proc_enumeration.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
* fix tags
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
2023-07-04 11:34:56 +02:00
df0a1facd1
[WMI Incoming Lateral Movement] Modify Existing Query Exception ( #2843 )
...
* Tune WMI Incoming Lateral Movement
* Tune WMI Incoming Lateral Movement
* Bump updated_date
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-07-03 17:12:05 -04:00
f78de8c9d4
Add MS Office exceptions to query ( #2836 )
...
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-07-03 16:09:17 -04:00
7a1f376a34
[New Rules] Conversion of deprecated ERs over to DRs ( #2877 )
...
* [Conversion] Data Encrypted via OpenSSL
* [Conversion] sus funzip extraction/decompression
* [Conversion] LD_PRELOAD env var process injection
* fix unit testing failure
* suspecting endgame incompatibility
* fixed typo
* added LD_LIBRARY_PATH
* Update defense_evasion_ld_preload_env_variable_process_injection.toml
* Update defense_evasion_ld_preload_env_variable_process_injection.toml
* Added exclusions for FPs
* Update rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/impact_data_encrypted_via_openssl.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-07-02 10:39:44 +02:00
35ea2727dc
[Suspicious Antimalware Scan Interface DLL] Additional Query Exception for Windows Upgrades ( #2850 )
2023-06-30 18:01:35 -04:00
7aa8a7b5fb
[Rules Tuning] diverse tuning ( #2506 )
...
* Update credential_access_saved_creds_vault_winlog.toml
* Update lateral_movement_powershell_remoting_target.toml
* Update credential_access_saved_creds_vault_winlog.toml
* Update lateral_movement_remote_services.toml
* Update lateral_movement_incoming_winrm_shell_execution.toml
* Update lateral_movement_rdp_enabled_registry.toml
* Update persistence_scheduled_task_updated.toml
* Update persistence_scheduled_task_updated.toml
* Update privilege_escalation_persistence_phantom_dll.toml
* Update privilege_escalation_persistence_phantom_dll.toml
* Update rules/windows/persistence_scheduled_task_updated.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-30 18:57:00 +01:00
ff2c951136
[New Rule] Potential Masquerading as Communication Apps ( #2780 )
...
* [New Rule] Potential Masquerading as Communication Apps
* ocd
* Update defense_evasion_masquerading_communication_apps.toml
* Update defense_evasion_masquerading_communication_apps.toml
* Update rules/windows/defense_evasion_masquerading_communication_apps.toml
* Update rules/windows/defense_evasion_masquerading_communication_apps.toml
* Apply suggestions from code review
* Merge branch 'main' into comms_masquerade
* Move to BBR folder
* Revert "Merge branch 'main' into comms_masquerade"
This reverts commit 726c63c0cab782a83d9f505e54e55d4edd1f5589.
2023-06-30 11:46:54 -03:00
d5dddae0ef
[Rule Tuning] Suspicious PowerShell Engine ImageLoad ( #2721 )
...
* [Rule Tuning] Suspicious PowerShell Engine ImageLoad
* Update rules/windows/execution_suspicious_powershell_imgload.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-06-30 10:56:13 -03:00
2a4749d3d0
[New Rule] New Term Rule for USB Devices ( #2644 )
...
* Create
* Update initial_access_first_time_seen_usb_name.toml
* Update rules/windows/initial_access_first_time_seen_usb_name.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/initial_access_first_time_seen_usb_name.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update initial_access_first_time_seen_usb_name.toml
* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-30 10:41:38 -03:00
cf4bbfbcef
[New ER RTA] Potential Linux Rev Shell via Java ( #2897 )
...
* [New ER RTA] Potential Linux Rev Shell via Java
* Added execute permissions to the RTA
* Added 10 millisecond sleep to fix sequencing issue
* Update exec_java_revshell_linux.py
* Added source code
2023-06-30 14:21:06 +02:00
9794f8f0af
[New Rule] Postgresql Code Execution ( #2863 )
...
* [New Rule] Postgresql Code Execution
* Update rules/linux/execution_remote_code_execution_via_postgresql.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update execution_remote_code_execution_via_postgresql.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-30 13:17:24 +02:00
2ff4584456
load unsupported rule type from schema ( #2893 )
2023-06-29 15:32:32 -04:00
c90ab9de82
load unsupported rule type from schema
2023-06-29 14:22:25 -04:00
d9bc209c76
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 ( #2892 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-29 12:25:51 -04:00
35d373b2bd
[FR] 8.9 Release Preparation and Update Main Branch to 8.10 ( #2891 )
...
* adding new branch and refreshed schema
* fixed flake errors
2023-06-29 11:39:11 -04:00
cec41b4072
[FR Build a limited compatible rule ndjson for older stacks ( #2885 )
2023-06-29 10:18:24 -04:00
73970eb2f2
[FR] Add Support for Multi-Fields and Validation in Rules ( #2882 )
2023-06-28 20:35:33 -04:00
a7e605a0e5
[Rule Tuning] [BUG] Revert PowerShell Query modifications from #2823 ( #2889 )
...
* Revert query mods done in https://github.com/elastic/detection-rules/pull/2823
* Add exception to unit test
* fixed linting
* proper linting fix
* updated to add to definitions.py
* fix linting
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
2023-06-28 15:55:43 -03:00
493c638252
[Bug] Add pywin32 to windows install ( #2886 )
2023-06-28 10:47:29 -04:00
8703c65f87
[Tuning] Azure Network Packet Capture Detected ( #2888 )
2023-06-28 16:32:56 +02:00
90c79a8283
[Proposal] Break Threat Intel Indicator Match rules into Indicator-type rules ( #2777 )
...
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules
* .
* Update threat_intel_indicator_match_hash.toml
* Update to include expiring rules, exclude expiring indexes
* .
* Apply suggestions from code review
* Push changes
* Update pyproject.toml
* Revert "Update pyproject.toml"
This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.
* Update pyproject.toml
* Update integration-schemas.json.gz
* Revert "Update integration-schemas.json.gz"
This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.
* Revert integrations-manifests to the one from main
* Fix maturity
* Update Name
* Update ignore_ids with the indicator rules guid
* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml
* Make changes to use labels
* Update non-ecs-schema.json
* Update rules/cross-platform/threat_intel_fleet_integrations.toml
* Apply suggestions from code review
* Backport to 8.5
* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators
* Update threat_intel_indicator_match_hash.toml
* Update threat_intel_indicator_match_url.toml
* Update threat_intel_indicator_match_url.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-28 10:22:24 -03:00
c94c79ba77
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8 ( #2883 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-27 12:00:19 -04:00
5da2771c12
[New Rule] [BBR] Expired or Revoked Driver Loaded ( #2880 )
...
* [New Rule] Expired or Revoked Driver Loaded
* Update privilege_escalation_expired_driver_loaded.toml
* Update rules_building_block/privilege_escalation_expired_driver_loaded.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
---------
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
2023-06-27 09:18:35 -03:00
48cf95c8eb
[Rule Tuning] Change Network Rules to Use Network Packet Capture Integration ( #2665 )
...
* updated indexes and updated dates
* added network_traffic integration tag to rules
* reverting changes to resolve conflicts
* metadata changes; indexes changed; schemas and manifest updated
* updated default telnet port connection rule
* updating integration manifests
* adjusted rules; updated integrations; deduplicate packages
2023-06-26 17:35:49 -04:00
0f6ded452b
[New RTA] Endpoint Rules ( #2788 )
...
* [New RTA] Endpoint Rules
Suspicious Access to LSA Secrets Registry
Security Account Manager (SAM) Registry Access
Privilege Escalation via EXTENDED STARTUPINFO
Potential Privilege Escalation via Token Impersonation
Suspicious Impersonation as Trusted Installer
NTDLL Loaded from an Unusual Path
Sensitive File Access - Unattended Panther
Potential Discovery of Windows Credential Manager Store
Potential Discovery of DPAPI Master Keys
Potential Process Creation via ShellCode
* Update evasion_ntdll_from_unusual_path.py
* Update credaccess_reg_query_privesc_token_manip.py
* Create shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* fix import
* Update credaccess_reg_query_privesc_token_manip.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_winexec_calc.py
* DLL Side Loading via a Copied Microsoft Executable
* Update sideload_msbin_faultrep.py
* DLL SideLoad via a Microsoft Signed Binary
* Update sideload_msbin_faultrep.py
* C2 via ISO file
* ++
* persistence from ISO
* Update exec_persistence_from_iso.py
* replaced win32con with actual static values
* Update sensitive_file_access.py
* Update credaccess_reg_query_privesc_token_manip.py
* Update ExecFromISOFile.ps1
* Suspicious ImageLoad from an ISO Mounted Device
* Update execution_iso_dll_rundll32.py
* Update c2_dns_from_iso.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* Update impersonate_trusted_installer.py
* Library Loaded via a Callback Function
* Update evasion_loadlib_via_callback.py
* ++
* added ntds.dit access
* Security Account Manager (SAM) File Access
* Update sensitive_file_access.py
* Update sensitive_file_access.py
* Update sensitive_file_access.py
* Suspicious Execution via DotNet Remoting
* Update evasion_addinproc_certoc.py
* Update evasion_addinproc_certoc_odbc.py
* Update evasion_addinproc_certoc_odbc_gfxdwn.py
* Update evasion_addinproc_certoc_odbc_gfxdwn.py
* ++
* Update evasion_unhook_ldrloaddll.py
* added ETW and AMSI patching
* Update evasion_oversized_dll_load.py
* Update sensitive_file_access.py
added technique ids
* Update c2_dns_from_iso.py
fixed endpoint rule.ids array
* moved getppid to common.py
* moved impersonate_system to common
* moved inject to common.py
* Update credaccess_sam_from_vss.py
* Update evasion_addinproc_certoc_odbc_gfxdwn.py
* Update evasion_loadlib_via_callback.py
* Update evasion_oversized_dll_load.py
* Update evasion_patch_etw_amsi.py
* Update execution_iso_dll_sideload.py
* Update evasion_unhook_ldrloaddll.py
* Update exec_persistence_from_iso.py
* Update execution_iso_dll_rundll32.py
* Update sensitive_file_access.py
* Update shellcode_load_ws2_32_unbacked.py
* ++
* Update rta/c2_dns_from_iso.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rta/common.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rta/common.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rta/credaccess_reg_query_privesc_token_manip.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rta/credaccess_sam_from_vss.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rta/common.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rta/credaccess_sam_from_vss.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update shellcode_winexec_calc.py
* Update shellcode_load_ws2_32_unbacked.py
* Update c2_dns_from_iso.py
* Update evasion_oversized_dll_load.py
* Update rta/credaccess_sam_from_vss.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update evasion_oversized_dll_load.py
* Update rta/credaccess_sam_from_vss.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update credaccess_sam_from_vss.py
* Update c2_dns_from_iso.py
* ++
* ++
* ++
* Update impersonate_trusted_installer.py
* Update evasion_patch_etw_amsi.py
* Update credaccess_reg_query_privesc_token_manip.py
* ++
* Update evasion_ntdll_from_unusual_path.py
* Update evasion_oversized_dll_load.py
* ++
* Update common.py
* Update ExecFromISOFile.ps1
* Update evasion_ntdll_from_unusual_path.py
* add cpp source files
* Update rta/common.py
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
* Update rta/src/LoadLib-Callback64.cpp
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
* Update rta/src/rta_unhook_ldrload.cpp
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
* Update rta/impersonate_trusted_installer.py
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-23 16:58:30 +01:00
aaa4ce2ea0
[BUG] test_all_rule_queries_optimized does not run on rules ( #2823 )
...
* Fixed kql -> kuery in test_all_rule_queries_opt...
* all queries optimized
* manually reconciled all rules that failed due to toml escaped chars
* merge rules from main
* Rules needing optimization
* Fix optimized note
* fix another note
* another note fix
* fixing whitespace
* Updated for readability
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-23 10:58:31 -04:00
d829b145ef
[Bug] Fix Tag Navigator Generation ( #2875 )
...
* bug fix for tag navigator generation
* addressing flake errors
* added unit test to ensure prefix exists
* updated unit test case sensitivity
* moved expected tags to definitions.py
* removed expected prefixes
* revert downloadable updates JSON file
2023-06-23 10:44:55 -04:00
b4c84e8a40
[Security Content] Tags Reform ( #2725 )
...
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-22 18:38:56 -03:00
Jonhnathan