security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,877 Commits 1 Branch 0 Tags
21b559c97f2b53bf28345c337bfa187ed29f5535
Commit Graph

1358 Commits

Author SHA1 Message Date
Jonhnathan 21b559c97f [Rule Tuning] Suspicious Antimalware Scan Interface DLL (#3432) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-02-08 06:27:16 -03:00
Ruben Groenewoud d41855a2ac [New Rules] DDExec Analysis (#3408) 
* [New Rules] DDExec Analysis

* Increased rule scope

* [New Rule] Dynamic Linker Discovery via od

* Revert "[New Rule] Dynamic Linker Discovery via od"

This reverts commit c58595b77f517d3f236a64a52c38804253db64cc.

* [New Rule] Dynamic Linker Discovery via od

* [New Rule] Potential Memory Seeking Activity

* [New BBR] Suspicious Memory grep Activity

* Added endgame + auditd_manager support

* Removed auditd_manager support for now

* Removed auditd_manager support for now

* Update discovery_suspicious_memory_grep_activity.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-02-06 14:47:37 +01:00
Ruben Groenewoud 90d64f0714 [New Rule] Executable Masquerading as Kernel Process (#3421) 
* [New Rule] Executable Masquerading as Kernel Proc

* Bumped dates

* Added endgame support

* Added auditd_manager support

* Removed auditd_manager support for now
 2024-02-06 10:49:36 +01:00
Ruben Groenewoud 208b2e999c [New Rules] APT Package Manager Persistence (#3418) 
* [New Rule] apt Package Manager Persistence

* [New Rules] APT Package Manager Persistence

* [New Rules] APT Package Manager Persistence
 2024-02-06 10:29:27 +01:00
Ruben Groenewoud 4f303ab77e [New Rule] Suspicious Network Connection via systemd (#3420) 
* [New Rule] Network Connection via systemd

* Removed space from description

* Added updated query
 2024-02-06 10:19:42 +01:00
Samirbous 6906a27c3a Update lateral_movement_remote_task_creation_winlog.toml (#3419) 2024-02-05 18:36:24 +00:00
Jonhnathan 8274f9a816 [Rule Tuning] Windows BBR Tuning - 1 (#3380) 
* [Rule Tuning] Windows BBR Tuning - 1

* .

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2024-02-05 12:47:24 -03:00
Jonhnathan edd3556b63 [Rule Tuning] Startup or Run Key Registry Modification (#3367) 2024-02-05 12:28:06 -03:00
Samirbous 5a68ccfd0d [New] Potential Enumeration via Active Directory Web Service (#3416) 
* Create discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml
 2024-02-02 14:19:22 +00:00
Jonhnathan 50df6f3e9b [Rule Tuning] Potential Modification of Accessibility Binaries (#3401) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-02-01 11:26:39 -03:00
Samirbous 4c74588c00 [Tuning] Suspicious File Downloaded from Google Drive (#3411) 
* Update command_and_control_google_drive_malicious_file_download.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update command_and_control_google_drive_malicious_file_download.toml
 2024-01-31 16:55:01 +00:00
Samirbous d7f4d7972e [Tuning] DCSync Rules - 4662 event.action (#3410) 
* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_replication_rights.toml
 2024-01-30 11:43:28 +00:00
Ruben Groenewoud 381ccf43ed [New Rule] Suspicious Passwd File Event Action (#3396) 
* [New Rule] Suspicious Passwd File Event Action

* Description fix

* Pot. UT fix

* Pot. UT fix.

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-01-26 09:36:56 +01:00
Jonhnathan 92804343bc [Rule Tuning] Windows DR Tuning - 15 (#3377) 
* [Rule Tuning] Windows DR Tuning - 15

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update defense_evasion_msbuild_making_network_connections.toml
 2024-01-23 16:48:31 -03:00
Jonhnathan e33389b2ef [Rule Tuning] Direct Outbound SMB Connection (#3400) 
* [Rule Tuning] Direct Outbound SMB Connection

* Update lateral_movement_direct_outbound_smb_connection.toml
 2024-01-23 15:33:49 -03:00
Jonhnathan e0bdb59deb [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux (#3398) 
* [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux

* Update defense_evasion_wsl_filesystem.toml
 2024-01-22 18:47:53 -03:00
Isai 442435830f [New Rules] UEBA GItHub BBRs and Rules (#3174) 
* [New Rules] UEBA GItHub BBRs and Rules

A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.

* Update rules/integrations/github/impact_github_member_removed_from_organization.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* edited BBR rules

-removed newly added member rule

* updated integration manifests and schemas

* Updated min_stack for some rules based on newest GitHub integration schema manifest

* testing min_stack bump to 8.8 for new fields

* removing offending rule to troubleshoot seperately

* added UEBA tags and created UEBA threshold rule

* updated non-ecs-schema to add signal.rule.tags

* updated non-ecs-schema with kibana.alert.workflow_status

* updated rule.threat.tactic

* added user.name to non-ecs-schema

* added quotes to kibana.alert.workflow_status value

* removed trailing space from rule name

* update tags and optimize query for UEBA threshold rule

* removed integration field from Higher-Order rule

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* adjusted new_terms order and rule types based on review feedback

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* remove user.name from detection_rules/etc/non-ecs-schema.json

* fix json formatting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-01-22 12:48:31 -05:00
Ruben Groenewoud 48d8b650e5 [New Rule] Potential Buffer Overflow Attack Detected (#3312) 
* [New Rule] Potential Buffer Overflow Attack

* Added timestamp_override

* Update privilege_escalation_potential_bufferoverflow_attack.toml

* Update privilege_escalation_potential_bufferoverflow_attack.toml

* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml

* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2024-01-22 16:28:22 +01:00
Ruben Groenewoud ec5f4d596c [New Rule] Chroot Container Escape via Mount (#3387) 
* [New Rule] Chroot Container Escape via Mount

* description fix
 2024-01-22 09:17:53 +01:00
Ruben Groenewoud 26747aa8a4 [Security Content] Add Investigation Guides to Linux Persistence Rules - 2 (#3350) 
* [Security Content] Add IGs to Persistence - 2

* [Security Content] Add IGs to Persistence - 2

* fixes

* fix

* added ig note
 2024-01-20 19:36:32 +01:00
shashank-elastic 1a2ef4b867 Linux Process Capabilities Enrichment Detection Rules (#3366) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com
 2024-01-18 22:49:43 +05:30
Terrance DeJesus 1c10c37468 [Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368) 
* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2024-01-17 14:14:38 -05:00
Jonhnathan f6ba12a700 [Rule Tuning] Windows DR Tuning - 12 (#3364) 2024-01-17 13:19:12 -03:00
sbousseaden 27262a585b [Tuning] Add logs-system. index where applicable (#3390) 
* Update discovery_adfind_command_activity.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update initial_access_suspicious_ms_office_child_process.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update initial_access_suspicious_ms_exchange_process.toml

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update execution_from_unusual_path_cmdline.toml

* Update execution_enumeration_via_wmiprvse.toml

* Update execution_command_shell_started_by_svchost.toml

* Update discovery_enumerating_domain_trusts_via_nltest.toml

* Update discovery_enumerating_domain_trusts_via_dsquery.toml

* Update defense_evasion_workfolders_control_execution.toml

* Update defense_evasion_iis_httplogging_disabled.toml

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* Update defense_evasion_disabling_windows_logs.toml

* Update credential_access_wireless_creds_dumping.toml

* Update credential_access_iis_apppoolsa_pwd_appcmd.toml

* Update credential_access_iis_connectionstrings_dumping.toml

* Update command_and_control_remote_file_copy_desktopimgdownldr.toml

* Update command_and_control_remote_file_copy_mpcmdrun.toml

* Update command_and_control_dns_tunneling_nslookup.toml

* Update persistence_webshell_detection.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update privilege_escalation_named_pipe_impersonation.toml

* Update command_and_control_certreq_postdata.toml

* Update defense_evasion_suspicious_certutil_commands.toml

* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update persistence_system_shells_via_services.toml

* Update execution_suspicious_cmd_wmi.toml

* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update discovery_adfind_command_activity.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_unusual_dir_ads.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Update discovery_admin_recon.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update lateral_movement_alternate_creds_pth.toml

* Update persistence_via_windows_management_instrumentation_event_subscription.toml

* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml

* Update persistence_via_application_shimming.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update discovery_adfind_command_activity.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-01-17 13:49:59 +00:00
Jonhnathan 71cec2a0e1 [Rule Tuning] Windows DR Tuning - 13 (#3369) 2024-01-17 09:53:18 -03:00
Jonhnathan c6ab294627 [Rule Tuning] Windows DR Tuning - 10 (#3355) 
* [Rule Tuning] Windows DR Tuning - 10

* Update discovery_whoami_command_activity.toml
 2024-01-17 09:44:10 -03:00
Ruben Groenewoud 4301dacfb8 [New Rule] Network Connection via Sudo Binary (#3389) 
* [New Rule] Network Connection via Sudo Binary

* description grammar fix
 2024-01-17 09:47:58 +01:00
Ruben Groenewoud a9285445cf [New Rule] Kernel Driver Load by non-root User (#3378) 
* [New Rule] Kernel Driver Load by non-root User

* setup note change

* removed unnecessary index
 2024-01-17 09:34:25 +01:00
Jonhnathan 0469785793 [Rule Tuning] Windows DR Tuning - 14 (#3376) 
* [Rule Tuning] Windows DR Tuning - 14

* Update persistence_suspicious_com_hijack_registry.toml

* Update rules/windows/persistence_webshell_detection.toml
 2024-01-15 11:16:04 -03:00
Jonhnathan caf38fd1b1 [Rule Tuning] Windows DR Tuning - 11 (#3359) 
* [Rule Tuning] Windows DR Tuning - 10

* Update execution_posh_hacktool_functions.toml

* Update impact_backup_file_deletion.toml
 2024-01-15 10:55:50 -03:00
shashank-elastic 24d5528ab0 Linux Rule Tuning (#3379) 2024-01-11 18:07:03 +05:30
Ruben Groenewoud df86882036 [Rule Tuning] Dynamic Linker Copy (#3349) 2024-01-08 10:56:31 +01:00
Ruben Groenewoud 788e2b2823 [Rule Tuning] Linux cross-platform DRs (#3346) 2024-01-08 10:44:03 +01:00
Ruben Groenewoud 6c91c1597d [Rule Tuning] Linux DR Tuning - Part 3 (#3322) 
* [Rule Tuning] Linux DR Tuning - Part 3

* small fix

* typo

* coffee

* Update persistence_cron_job_creation.toml

* Update persistence_shared_object_creation.toml
 2024-01-08 10:16:44 +01:00
Ruben Groenewoud 36226e5428 [Rule Tuning] Linux DR Tuning - Part 2 (#3321) 
* [Rule Tuning] Linux DR Tuning - Part 2

* [Rule Tuning] Linux DR Tuning - Part 2

* fix

* Update execution_shell_suspicious_parent_child_revshell_linux.toml
 2024-01-08 10:07:38 +01:00
Ruben Groenewoud b533642272 [Rule Tuning] Linux DR Tuning - Part 1 (#3316) 
* [Rule Tuning] Linux DR Tuning - Part 1

* fix

* Update command_and_control_linux_kworker_netcon.toml

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Update defense_evasion_file_mod_writable_dir.toml
 2024-01-08 09:50:15 +01:00
Jonhnathan 724e34ba95 [Rule Tuning] Windows DR Tuning - 9 (#3354) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-01-07 09:49:33 -03:00
Isai a0f82c3f12 [Tuning] Update min_stack for container rules new ecs field (#3370) 
* Update privilege_escalation_mount_launched_inside_a_privileged_container.toml

update min_stack and comments

* Update privilege_escalation_debugfs_launched_inside_a_privileged_container.toml

update min_stack and comments
 2024-01-05 18:42:42 -05:00
Isai 10b241dcc5 [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container (#3241) 
* [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container

This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special
file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside
a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access
sensitive host level files which could be used for further privilege escalation and container escapes to the host
machine.

* added references

* Apply suggestions from code review

* Update rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Apply suggestions from code review

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-01-05 10:28:24 -05:00
Isai db5e1e5cf2 [New Rule] Mount Launched Inside a Privileged Container (#3245) 
* [New Rule] Mount Launched Inside a Privileged Container

This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a
device or file system accessible to the system, and then to connect its root directory to a specified mount point on the
local file system. When launched inside a privileged container--a container deployed with all the capabilities of the
host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation
and container escapes to the host machine. Any usage of mount inside a running privileged container should be further
investigated.

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2024-01-05 10:17:55 -05:00
Isai 8e1dad0aeb [New Rule] Potential Container Escape via Modified notify_on_release File (#3244) 
* [New Rule] Potential Container Escape via Modified notify_on_release File

This rule detects modification of the cgroup notify_on_release file from inside a container. When the notify_on_release
flag is enabled (1) in a cgroup, then whenever the last task in the cgroup exits or attaches to another cgroup, the
command specified in the release_agent file is run and invoked from the host. A privileged container with SYS_ADMIN
capabilities, enables a threat actor to mount a cgroup directory and modify the notify_on_release flag in order to take
advantage of this feature, which could be used for further privilege escalation and container escapes to the host
machine.

* Apply suggestions from code review

* suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-01-04 22:14:39 -05:00
Isai 0a37df713b [New Rule] Potential Container Escape via Modified release_agent File (#3242) 
* [New Rule] Potential Container Escape via Modified release_agent File

This rule detects modification of the CGroup release_agent file from inside a privileged container. The release_agent is a script that is executed at the termination of any process on that CGroup and is invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a CGroup directory and modify the release_agent which could be used for further privilege escalation and container escapes to the host machine.

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-01-04 21:24:54 -05:00
Jonhnathan 7b1215ccf1 [Rule Tuning] Windows DR Tuning - 8 (#3353) 
* [Rule Tuning] Windows DR Tuning - 8

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/defense_evasion_via_filter_manager.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/defense_evasion_via_filter_manager.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2024-01-03 12:00:29 -03:00
Samirbous b7e21d8c29 [New] Potential Evasion via Windows Filtering Platform (#3356) 
* Create defense_evasion_windows_filtering_platform.toml

* Update defense_evasion_windows_filtering_platform.toml

* Update defense_evasion_windows_filtering_platform.toml

* Update defense_evasion_windows_filtering_platform.toml

* Update defense_evasion_windows_filtering_platform.toml

* Update rules/windows/defense_evasion_windows_filtering_platform.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update defense_evasion_windows_filtering_platform.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2024-01-03 12:50:12 +00:00
Terrance DeJesus 7e85854e7b deprecating 'Malicious Remote File Creation' (#3342) 2023-12-20 08:49:45 -05:00
Samirbous 341499a2bc [Deprecate] Potential Process Herpaderping Attempt (#3336) 
* Update and rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml

* Rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml

* ++

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-12-19 15:59:48 -05:00
Jonhnathan 578936d37a [Security Content] Add Windows Investigation Guides (#3257) 
* [Security Content] Add Windows Investigation Guides

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
 2023-12-19 12:38:28 -03:00
Jonhnathan 2f468ddcba [Rule Tuning] Windows DR Tuning - 7 (#3344) 
* [Rule Tuning] Windows Rule Tuning -1

* Update command_and_control_ingress_transfer_bits.toml
 2023-12-18 14:27:55 -03:00
Ruben Groenewoud 91a757a018 [Security Content] Add Investigation Guides to Linux C2 Rules (#3247) 
* [Security Content] Add Investigation Guides to Linux C2 Rules

* Applied feedback
 2023-12-18 17:02:40 +01:00
Terrance DeJesus 203c228249 [Rule Tuning] Adjust Attempt to Deactivate MFA for an Okta User Account Okta Rule (#3345) 
* tuning 'MFA Deactivation with no Re-Activation for Okta User Account'

* adjusted query to include like function
 2023-12-18 09:14:10 -05:00