* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
Deprecating this rule due to a high false positive rate. This behavior is too generic for an effective malicious behavior detection.
* move toml file to _deprecated
move toml file to _deprecated
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* added elastic security labs URL references
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog.
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog.
* Update rules/ml/execution_ml_windows_anomalous_script.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog.
* added credential access URL for mimikatz rules
* updated version ml windows anomalous script rule
* removed change to macOS rule since no blog correlation
* adjusted query to include event action and network direction filters
* adjusted rule name and file name
* toml linted and tags updated
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
rule tune: update by adding MITRE tactic/technique/subtechnique: Initial Access > Valid Accounts > Local Accounts. Added new tag for new tactic: Initial Access
* [Rule Tuning] Kubernetes Rules adds Mitre Execution-Deploy Container
This adds the following attacker threat and technique to each of these rules: Execute.Deploy Container
* updated_date
update the updated_date fields
* add "Windows Azure Linux Agent"'s pid file to list
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux
This tool is installed by default on Azure Linux hosts. I can resolve my problem with an exception, and have, but the tool is common enough in cloud environments that it deserves inclusion.
* Update execution_abnormal_process_id_file_created.toml
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* [New Rule] Kubernetes Container Created with Excessive Linux Capabilities
This rule detects a container deployed with one or more dangerously permissive Linux capabilities. Using the Linux capabilities feature you can grant certain privileges to a process without granting all the privileges of the root user. Added capabilities entitle containers in a pod with additional privileges that can be used to change core processes and networking settings of a cluster. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster or the host machine. This rule detects the following capabilities and leaves space for the exception of trusted permissive containers specific to your environment:
BPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieving JITed code of BPF programs, and more.
DAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks.
NET_ADMIN - Perform various network-related operations.
SYS_ADMIN - Perform a range of system administration operations.
SYS_BOOT - Use reboot(2) and kexec_load(2) to reboot and load a new kernel for later execution.
SYS_MODULE - Load and unload kernel modules.
SYS_PTRACE - Trace arbitrary processes using ptrace(2).
SYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)).
SYSLOG - Perform privileged syslog(2) operations.
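As an added example (not code from the detection-rules repository), the capability check the rule description above lays out, run in Python over constructed Kubernetes audit records. It reads the native Kubernetes audit `requestObject` layout rather than the Elastic integration's field names, and `TRUSTED_IMAGES` is an assumed exception list standing in for the rule's environment-specific exceptions.

```python
"""Flag pod-creation audit events that add dangerously permissive Linux capabilities."""
import json

# Capabilities the rule treats as excessive, spelled as Kubernetes does (no CAP_ prefix).
EXCESSIVE_CAPS = {"BPF", "DAC_READ_SEARCH", "NET_ADMIN", "SYS_ADMIN", "SYS_BOOT",
                  "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "SYSLOG"}
# Assumed exception list: images that legitimately need elevated capabilities.
TRUSTED_IMAGES = {"registry.example/cni-plugin"}

def excessive_caps(event, trusted=TRUSTED_IMAGES):
    """Return [(container, [caps])] for each untrusted container in a pod 'create'
    event whose securityContext adds an excessive capability."""
    if event.get("verb") != "create" or event.get("objectRef", {}).get("resource") != "pods":
        return []
    spec = event.get("requestObject", {}).get("spec", {})
    findings = []
    # initContainers use the same capability model as app containers, so scan both
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        if c.get("image", "").split(":")[0] in trusted:  # strip the tag (ignores registry ports)
            continue
        added = ((c.get("securityContext") or {}).get("capabilities") or {}).get("add") or []
        # normalise "cap_sys_admin" style spellings; "ALL" is a wildcard for every capability
        names = {a.upper().removeprefix("CAP_") for a in added}
        hit = EXCESSIVE_CAPS if "ALL" in names else EXCESSIVE_CAPS & names
        if hit:
            findings.append((c.get("name"), sorted(hit)))
    return findings

def scan_audit_log(lines, trusted=TRUSTED_IMAGES):
    """Run the check over JSON-lines audit output; one (pod, findings) per offending pod."""
    results = []
    for event in map(json.loads, lines):
        found = excessive_caps(event, trusted)
        if found:
            results.append((event["requestObject"]["metadata"]["name"], found))
    return results

def _pod_event(pod, image, add):
    """Build a constructed pod 'create' audit record in Kubernetes audit JSON format."""
    return json.dumps({"verb": "create", "objectRef": {"resource": "pods"},
                       "requestObject": {"metadata": {"name": pod}, "spec": {"containers": [
                           {"name": "main", "image": image,
                            "securityContext": {"capabilities": {"add": add}}}]}}})

SAMPLE_EVENTS = [  # constructed samples, not real cluster data
    _pod_event("debug-shell", "busybox:1.36", ["NET_BIND_SERVICE", "SYS_PTRACE", "cap_sys_admin"]),
    _pod_event("cni-node", "registry.example/cni-plugin:v1", ["NET_ADMIN"]),
    json.dumps({"verb": "get", "objectRef": {"resource": "pods"}}),  # reads are out of scope
]
```

Running `scan_audit_log(SAMPLE_EVENTS)` reports only `debug-shell`; the CNI pod is suppressed by the exception list and the read-only event never reaches the capability check.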
* Update privilege_escalation_container_created_with_excessive_linux_capabilities.toml
Edited description, false positives, and elaborated with a partial investigation guide.
* Update privilege_escalation_container_created_with_excessive_linux_capabilities.toml
added exception to rule query
* Update privilege_escalation_container_created_with_excessive_linux_capabilities.toml
add Execution.Deploy Container Tactic.Technique
* addresses version comparison bug for related_integrations field during build
* Update detection_rules/misc.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/misc.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* addressed package version loading bug
* addressed flake errors
* adjusted find_least_compatible_version function to address sorting and semantic version comparison
* adjusted major version comparison in compare_versions sub function
* removed compare_versions sub function and included logic in iteration
* Update detection_rules/integrations.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* added OrderedDict to version and manifest iteration to enforce sorted dict object
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* added unit test for duplicate rule names
* adjusted macos file name and updated date values
* removed unit test and added assertion error in rule loader
* addressed flake errors
* addressed flake errors
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce.toml