9ebffb44ff
[New Rules] Ransomware Encryption & Note Creation ( #2652 )
...
* [New Rules] Ransomware Encryption & Note Creation
* changed description
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-16 11:30:00 +02:00
d017156454
[Rule Tuning] Make Rules Compatible with Windows Forwarded Logs ( #2761 )
...
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update test_all_rules.py
* Update test_all_rules.py
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-05-15 20:31:59 -03:00
1293365a7f
Rule to detect Potential Linux Credential Dumping via Proc Filesystem ( #2751 )
2023-05-05 22:23:15 +05:30
26258f806a
[New Rules] Persistence through MOTD ( #2608 )
...
* [New Rules] Persistence through MOTD
* fixed unit error test by adding timestamp_override
* Update rules/linux/persistence_message_of_the_day_execution.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* added host.os.type == "linux"
* removed ability to bypass chmod by using e.g. 700
* Added endgame support, changed query
* Changed query
* updated risk_score
* added OSQuery to investigation guides
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* removed investigation guides to add in future PR
* removed investigation guide tag
* Changed rule to new terms rule for FP reduction
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-05 10:29:15 +02:00
1aea1ee9bb
[New rule] Sus File Creation in init.d for Persistence Detected ( #2653 )
...
* [New Rule] Init.d File and Service Creation
* Changed rule name
* [New Rule] Sus File Creation init.d Persistence
* Added Endgame compatibility
* added touch
* Added OSQuery to investigation guide
* added additional processes
* removed investigation guide to add in sep PR
* changed rule name
* removed investigation guide tag
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update persistence_init_d_file_creation.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-05 09:54:42 +02:00
09719dd0c5
[Rule Tuning] Potential Shell via Web Server ( #2585 )
...
* tuned web shell logic, and converted to EQL
* Removed old, created new rule to bypass "type" bug
* Revert "Removed old, created new rule to bypass "type" bug"
This reverts commit e994b62ecb838f73fa56d145e529169ebd2f5133.
* Revert "tuned web shell logic, and converted to EQL"
This reverts commit 28bda94b846cbb4ae1a084e707db2b6df458a7ca.
* Deprecated old rule, added new
* formatting fix
* removed endgame index
* Fixed changes captured as edited, not created
* Update rules/linux/persistence_shell_activity_through_web_server.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* fix conflict
* added host.os.type==linux for unit testing
* removed wildcards in process.args
* Update rules/linux/persistence_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* fixed conflict by changing file name and changes
* Trying to resolve the GH conflict
* attempt to fix GH conflict #2
* Update persistence_shell_activity_by_web_server.toml
* Added endgame support
* Added OSQuery to investigation guide
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* removed investigation guide to add in future PR
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-05-05 09:47:49 +02:00
6655932190
[Rule Tuning] Startup or Run Key Registry Modification ( #2766 )
...
* [Rule Tuning] Startup or Run Key Registry Modification
* Update persistence_run_key_and_startup_broad.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-04 09:42:12 -03:00
71d93e875e
[Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms ( #2760 )
...
* [Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms
* updated new terms
2023-05-03 09:28:59 -04:00
6524acf98a
[rule tuning] modified std auth module or config ( #2737 )
2023-05-03 09:32:33 +02:00
d5350ae6e0
[New Rule] Commonly Abused Remote Access Tool Downloaded (New Terms) ( #2685 )
...
* adding initial rule
* changed new terms to host.id
* removed windows integration tag
* removed windows integration tag
* changed rule to be process started related
* rule linted
* updating description
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
* added process.name.caseless to non-ecs.json
* removed host type related to #2761
* added host.os.type
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-05-02 23:09:17 -04:00
855ba16299
Linux Rule Tuning ( #2753 )
2023-05-02 19:12:13 +05:30
7435ac39d2
[Rule Tuning] added rule name override for cloud_defend integration rule ( #2767 )
2023-05-02 00:05:24 -04:00
cd5bc2c44b
Update file path regex for /run ( #2749 )
2023-04-26 14:02:16 +05:30
0107e0fcaa
Detect Threat indicators for VMware ESXi servers ( #2708 )
2023-04-25 20:17:16 +05:30
c60e1a61a9
Updating some rule names ( #2744 )
...
* Changing some rule names
* Updating the date
2023-04-25 09:01:06 -03:00
2eda02c10e
[Rule Tuning] Multiple Logon Failure from the same Source Address ( #2588 )
...
* Update credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-04-24 09:16:17 -03:00
2996c79ff4
Detect Mount Execution With Hidepid Parameter ( #2706 )
2023-04-22 08:00:30 +05:30
84acf004da
[Rule Tuning] Component Object Model Hijacking ( #2730 )
2023-04-21 18:43:02 -03:00
12d6b49a24
[Rule Tuning] Potential Credential Access via Windows Utilities ( #2727 )
...
* [Rule Tuning] Potential Credential Access via Windows Utilities
* Add system integration index
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-04-21 18:27:44 -03:00
255c53cff0
[Rule Tuning] Connection to Commonly Abused Web Services ( #2728 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-04-20 18:26:00 -03:00
b1e3215cd5
[Rule Tuning] Tune PowerShell rule FPs related to MS ATP ( #2729 )
2023-04-20 12:37:06 -03:00
2705df81e2
Tune Shell evasion Rule to incorporate GTFOArgs shell evasion ( #2687 )
2023-04-20 18:35:18 +05:30
f7aa477536
Correct Event Action to include endgame event schema ( #2610 )
2023-04-20 17:28:01 +05:30
94baa89ea8
New Rule to identify defense evasion via PRoot ( #2625 )
2023-04-20 17:14:01 +05:30
fb09208132
[Rule Tuning] Connection to Commonly Abused Web Services ( #2717 )
...
* [Rule Tuning] Connection to Commonly Abused Web Services
* Update command_and_control_common_webservices.toml
2023-04-18 09:15:47 -03:00
f21a9e4793
updating min stack comments ( #2712 )
2023-04-12 14:30:34 -04:00
d6f277e379
[New Rule] Google Workspace New OAuth Login from Third-Party Application ( #2677 )
...
* adding new rule 'Google Workspace New OAuth Login from Custom Application'
* changed name and 'custom' to 'third-party'
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml
* updated non-ecs
2023-04-12 09:40:31 -04:00
4511ab0666
[Rule Tuning] Add Sequence for OAuth Authorization to Custom App - Google Workspace ( #2674 )
...
* tuning rule to add token sequence
* updated date
* updated non-ecs, integration schemas and manifests
* added investigation guide
* Updating note
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* updating note
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* updated false positive description
* updating manifest and schemas with main to resolve conflicts
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-04-12 09:15:58 -04:00
16749e45ae
[Rule Tuning] Third-party Backup Files Deleted via Unexpected Process ( #2704 )
...
* [Rule Tuning] Third-party Backup Files Deleted via Unexpected Process
* Update impact_backup_file_deletion.toml
2023-04-11 13:47:52 -03:00
d1aadde671
[Rule Tuning] Suspicious Antimalware Scan Interface DLL ( #2671 ) ( #2672 )
...
* --amend
* --amend
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-04-06 15:15:57 -03:00
d0ea8c6f98
[New Rule] new CWP rule to surface alerts from the cloud_defend integration ( #2679 )
...
* new CWP rule to surface alerts from the cloud_defend integration
* created new rule uuid
* updated version info. removed risk level overrides and endpoint exception list
* added event.module
* removed rule name override
* updated_date and min_stack_comments updated
* updated external alerts updated_date. added kubernetes to cwp rule tags
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-04-05 21:31:03 -03:00
1a9b0e732c
[Rule Tuning] Potential PowerShell HackTool Script by Function Names ( #2692 )
2023-04-05 16:48:33 -03:00
eafe54c2cc
[Rule Tuning] Potential LSASS Clone Creation via PssCaptureSnapShot ( #2691 )
2023-04-05 13:28:57 -03:00
5aaac84f3a
[Rule Tuning] Suspicious service was installed in the system ( #2693 )
...
* [Rule Tuning] Suspicious service was installed in the system
* Update persistence_service_windows_service_winlog.toml
2023-04-05 13:23:47 -03:00
0c8d0bfd3d
[New Rule] Suspicious Execution via Microsoft Office Add-Ins ( #2651 )
...
* Create
* Update initial_access_execution_via_office_addins.toml
* Update initial_access_execution_via_office_addins.toml
* Update initial_access_execution_via_office_addins.toml
* Update rules/windows/initial_access_execution_via_office_addins.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-04-05 17:02:04 +01:00
71d12bdda4
[Bug] Unit Tests Passing for Rules with Integrations Not Reflected in Manifests ( #2682 )
...
* add promotion to rulemeta schema class and updated promotion rules
* add promotion to rulemeta schema class and updated promotion rules
* adjusted test_integration_tag and okta rule missing dataset
* fixed flake errors
* updated manifests and schemas to include cloud defend
2023-04-03 09:42:40 -04:00
51d50b7d8a
[New Rule] Lsass Process Access - Generic ( #2613 )
...
* Create credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* Update non-ecs-schema.json
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_lsass_openprocess_api.toml
* Update non-ecs-schema.json
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-04-03 14:34:30 +01:00
892757f4a4
[New Rule] Potential Pass The Hash ( #2670 )
...
* Create lateral_movement_alternate_creds_pth.toml
* Update rules/windows/lateral_movement_alternate_creds_pth.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/lateral_movement_alternate_creds_pth.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/lateral_movement_alternate_creds_pth.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-29 19:37:27 +01:00
5ed2120e3f
[Rule Tuning] Potential Credential Access via Windows Utilities ( #2659 )
...
* [Rule Tuning] Potential Credential Access via Windows Utilities
* Update credential_access_cmdline_dump_tool.toml
2023-03-29 09:32:36 -03:00
411ec36ff0
Validate markdown plugin fields ( #2602 )
2023-03-28 09:17:50 -04:00
192047f46d
[Rule Tuning] Potential Antimalware Scan Interface Bypass via PowerShell ( #2663 )
2023-03-27 11:50:53 -03:00
3bfe3060a2
[Rule Tuning] Uncommon Registry Persistence Change ( #2538 )
...
* [Rule Tuning] Uncommon Registry Persistence Change
* updated updated_date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-26 00:35:23 +01:00
76500f0d46
[New Rule] Google Workspace Drive - Encryption Key(s) Accessed from Anonymous User ( #2654 )
...
* new rule 'Google Workspace Drive Encryption Key(s) Accessed from Anonymous User'
* updated MITRE ATT&CK mappings
2023-03-24 12:21:56 -04:00
32ca0001ff
[Rule Tuning] Untrusted Driver Loaded ( #2656 )
2023-03-23 08:26:52 -03:00
0d1fca454a
New Rule: Suspicious Mining Process Creation Event ( #2531 )
...
* New Rule: Suspicious Mining Process Creation Event
* added host.os.type==linux
* trying to fix unit testing
* Revert "trying to fix unit testing"
This reverts commit ab3f371300fa400baa287b54e5f38b4855fc6512.
* unit testing fix attempt
* Revert "unit testing fix attempt"
This reverts commit 8b59343a5923a004423cf665b167611ef0129a9d.
* added endgame support
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-03-21 16:35:25 +01:00
7be5788945
[New Rule] Google Workspace Resource Copied from External Drive ( #2627 )
...
* added new rule 'Google Workspace Resource Copied from External Drive'
* adjusted mitre att&ck subtechnique ID
2023-03-20 14:37:58 -04:00
2c5470349c
[New Rule] External User Added to Private Organization Group ( #2577 )
...
* new rule 'External User Added to Google Workspace Group'
* Update rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added Investigation Guide tag
---------
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-03-20 14:32:42 -04:00
eab30d7456
[Rule Tuning] Namespace Manipulation Using Unshare ( #2599 )
...
* [Rule Tuning] Namespace Manipulation Using Unshare
* reverted updated_date change
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-20 07:36:47 -03:00
672211500c
[Rule Fix] Privileged SSH Brute Force Detected ( #2595 )
2023-03-14 15:42:58 -04:00
f52a744259
[New Rule] RC Script Creation ( #2607 )
...
* [New Rule] RC Script Creation
* fixed unit testing error
* Update rules/linux/persistence_rc_script_creation.toml
* Update rules/linux/persistence_rc_script_creation.toml
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* added host.os.type==linux
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-03-14 15:03:41 -04:00
Ruben Groenewoud