28c3d074b8
[New Rule] Process Started with Executable Stack ( #4340 )
...
* [New Rule] Process Started with Executable Stack
* [New Rule] Process Started with Executable Stack
* Update execution_executable_stack_execution.toml
* Update rules/linux/execution_executable_stack_execution.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2025-01-17 17:36:39 +01:00
ca3994af0d
[Deprecation] Deprecating Potential Password Spraying of Microsoft 365 User Accounts ( #4394 )
...
* Deprecating 'Potential Password Spraying of Microsoft 365 User Accounts'
* adding 'Deprecated - Suspicious JAVA Child Process'
* updated dates
* changed to deprecated maturity
2025-01-17 10:52:13 -05:00
ac541f0b18
[New Rules] Kernel Seeking/Unpacking Activity ( #4341 )
...
* [New Rules] Kernel Seeking/Unpacking Activity
* ++
2025-01-16 12:04:04 +01:00
bba5096efa
[New Rule] System Binary Path File Permission Modification ( #4339 )
2025-01-16 10:32:23 +01:00
75c7c09595
[New Rule] Suspicious Path Invocation from Command Line ( #4338 )
2025-01-16 10:20:37 +01:00
5162067a51
[New Rule] Adding Coverage for Unusual AWS S3 Object Encryption with SSE-C ( #4377 )
...
* new rule 'Unusual AWS S3 Object Encryption with SSE-C'
* updated pyproject patch version
* bump repo version
* Update rules/integrations/aws/impact_s3_unusual_object_encryption_with_sse_c.toml
* updating patch version
* updating patch version
* Adding additional threshold rule
2025-01-15 14:11:58 -05:00
c04ae6d444
[New Rule] Adding Coverage for SNS Topic Message Publish by Rare User ( #4350 )
...
* new rule 'SNS Topic Message Publish by Rare User'
* added new terms note
* added investigation guide tag
* fixed tag, added investigation fiedls
* toml lint
* fixed mitre ATT&CK mapping
2025-01-15 13:55:45 -05:00
97b3f43870
[New Rule] Adding Coverage for AWS EC2 Deprecated AMI Discovery ( #4328 )
...
* new rule 'AWS EC2 Deprecated AMI Discovery'
* updated type
* updated non-ecs; bumped package version
* updated query
* added missing index
* updated patch version
2025-01-15 11:53:18 -05:00
f8312cc5b0
[Rule Tuning] Adjusting Verbiage for AWS EC2 Instance Connect SSH Public Key Uploaded ( #4334 )
...
* tuning rule 'AWS EC2 Instance Connect SSH Public Key Uploaded'
* updating subtechnique ID
* added mitre tag lateral movement
* changing sequence of mitre ATT&CK
2025-01-15 11:12:53 -05:00
f97007f3a8
[New Rule] Adding Coverage for AWS SQS Queue Purge ( #4354 )
...
* new rule 'AWS SQS Queue Purge'
* Update rules/integrations/aws/defense_evastion_sqs_purge_queue.toml
* added investigation guide tag; fixed file name
2025-01-15 10:52:22 -05:00
447fce3b08
[Rule Tuning] Suspicious Communication App Child Process ( #4369 )
2025-01-15 12:13:10 -03:00
bcca0a2016
[New] Sensitive Audit Policy Sub-Category Disabled ( #4373 )
...
* [New] Sensitive Audit Policy Sub-Category Disabled
https://elasticstack.slack.com/archives/C016E72DWDS/p1736784727633579
* Update rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/defense_evasion_audit_policy_disabled_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-01-14 12:13:45 -03:00
79b26085f5
[New Rule] Potential Process Name Stomping with Prctl ( #4352 )
...
* [New Rule] Potential Process Name Stomping with Prctl
* Update defense_evasion_prctl_process_name_tampering.toml
2025-01-13 16:35:40 +01:00
f52cfb3729
[Rule: Tuning] - Azure blob permission modification tagging - Correct tags ( #4371 )
...
* Remove `Data Source: Elastic Defend` tag
* Update metadata
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-01-13 10:40:34 -03:00
65b95a1996
Update discovery_potential_syn_port_scan_detected.toml ( #4366 )
2025-01-10 15:29:29 +00:00
6b0b988d79
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 10 ( #4357 )
...
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 10
* Remaining ones
2025-01-09 11:54:46 -03:00
7eeca006bc
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 8 ( #4355 )
2025-01-09 11:38:26 -03:00
e66bca73e0
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 7 ( #4349 )
...
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 7
* Update rules/linux/discovery_process_capabilities.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2025-01-09 11:28:21 -03:00
cc889e3bf2
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 4 ( #4345 )
...
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 4
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2025-01-09 10:59:32 -03:00
0fc83fe815
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 3 ( #4343 )
...
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 3
* .
* Update rules/linux/command_and_control_ip_forwarding_activity.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2025-01-09 10:35:58 -03:00
d6ceb88558
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 6 ( #4348 )
2025-01-09 10:17:57 -03:00
f4a022c5d2
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 5 ( #4346 )
...
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - X
* Update rules/linux/defense_evasion_directory_creation_in_bin.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/linux/defense_evasion_mount_execution.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2025-01-09 09:44:40 -03:00
2af2e1f57b
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 9 ( #4356 )
2025-01-09 08:29:51 -03:00
4142868956
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 2 ( #4333 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2025-01-08 15:23:19 -03:00
282f613ddf
[Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 1 ( #4330 )
...
* [Rule Tuning] Linux 3rd Party EDR Support - Crowdstrike and S1 - 1
* min_stack
* Update defense_evasion_doas_configuration_creation_or_rename.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2025-01-08 14:40:43 -03:00
d16f56b4e2
[New Rule] SSH via Backdoored System User ( #4336 )
...
* [New Rule] SSH via Backdoored System User
* ++
* Update persistence_ssh_via_backdoored_system_user.toml
* Update persistence_ssh_via_backdoored_system_user.toml
* Update rules/linux/persistence_ssh_via_backdoored_system_user.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_ssh_via_backdoored_system_user.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2025-01-07 13:20:36 +01:00
2530c4d376
[New Rule] Pluggable Authentication Module Source Download ( #4301 )
...
* [New Rule] Pluggable Authentication Module Source Download
* Update persistence_pluggable_authentication_module_source_download.toml
* Update rules/linux/persistence_pluggable_authentication_module_source_download.toml
2025-01-07 13:04:05 +01:00
419e5c1ad3
[Tuning] Suspicious WMI Event Subscription Created ( #4327 )
...
* Update persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update persistence_sysmon_wmi_event_subscription.toml
* Update detection_rules/etc/non-ecs-schema.json
* Update pyproject.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-01-06 09:40:26 -03:00
feaeabf60c
[New Rule] Dynamic Linker (ld.so) Creation ( #4306 )
2025-01-03 17:06:38 +01:00
fea5c90ed9
[New Rule] Kernel Object File Creation ( #4325 )
...
* [New Rule] Kernel Object File Creation
* ++
* Update rules/linux/persistence_kernel_object_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-01-03 16:49:59 +01:00
466097c31e
[Rule Tuning] Potential Persistence via File Modification ( #4310 )
...
* [Rule Tuning] Potential Persistence via File Modification
* Update persistence_suspicious_file_modifications.toml
* Update persistence_suspicious_file_modifications.toml
2025-01-03 16:19:58 +01:00
53ca51b20c
[New Rule] Simple HTTP Web Server Connection ( #4309 )
2025-01-03 16:06:28 +01:00
e26e4e40b4
[New Rule] Simple HTTP Web Server Creation ( #4308 )
2025-01-03 15:54:25 +01:00
0273997581
[New Rule] Loadable Kernel Module Configuration File Creation ( #4307 )
2025-01-03 15:33:31 +01:00
7e775a6c95
[New Rule] Unusual Preload Environment Variable Process Execution ( #4305 )
2025-01-03 15:23:41 +01:00
9424a57207
[Rule Tuning] Creation or Modification of Pluggable Authentication Module or Configuration ( #4304 )
2025-01-03 15:05:05 +01:00
c9c8e3501e
[New Rule] Unusual SSHD Child Process ( #4303 )
...
* [New Rule] Unusual SSHD Child Process
* Update persistence_unusual_sshd_child_process.toml
2025-01-03 14:50:43 +01:00
c7fe940206
[New Rule] Pluggable Authentication Module Creation in Unusual Directory ( #4302 )
...
* [New Rule] Pluggable Authentication Module Creation in Unusual Directory
* Update persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
* Update rules/linux/persistence_pluggable_authentication_module_creation_in_unusual_dir.toml
2025-01-03 14:35:08 +01:00
5384191934
[New Rule] PAM Version Discovery ( #4300 )
...
* [New Rule] PAM Version Discovery
* Update discovery_pam_version_discovery.toml
* Update discovery_pam_version_discovery.toml
* Update discovery_pam_version_discovery.toml
* Update rules/linux/discovery_pam_version_discovery.toml
2025-01-03 14:25:38 +01:00
aca416a779
[Rule Tuning] Windows misc Rule Tuning ( #4298 )
2025-01-02 07:44:01 -03:00
c99cf9279d
[Tuning] Uncommon Registry Persistence Change ( #4286 )
...
* Update persistence_registry_uncommon.toml
Add registry rules for additional SMSS persistence vectors
* Update persistence_registry_uncommon.toml
* Update persistence_registry_uncommon.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-12-25 19:06:58 -03:00
9fb2dea7aa
[New Rule] Endpoint Security Promotion Rules for Specific Events ( #3533 )
...
* new endpoint security rules for specific alerts
* updated risk scores
* fixed rule names and UUIDs
* changed logic to use message field for detection vs prevention
* reverting changes
* reverting changes
* reverting to old commit
* reverting to old commit
* reverting to old commit
* reverting to old commit
* changed naming to Elastic Defend
* updated rule dates and min-stacks
* linted; adjusted queries
* updated ransomware, memory sig or shellcode risk
* Update rules/integrations/endpoint/elastic_endpoint_security.toml
* updated promotion rule
* fixed typos in naming
* updated setup guides
* added intervals
* added MITRE
* added investigation guide for Memory Threat
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_ransomware_prevented.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* ++
* ++
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_malicious_file_detected.toml
* Update rules/integrations/endpoint/elastic_endpoint_security_memory_signature_prevented.toml
* ++
* ++
* ++
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update defense_evasion_elastic_memory_threat_prevented.toml
* toml-lint
* Update rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* ++
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Samirbous <Samir.Bousseaden@elastic.co >
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-12-19 13:24:23 -05:00
dad008ea34
[Rule Tuning] Lookback Times for Okta Multiple Session and AWS KMS Retrieval Rules ( #4324 )
...
* rule tuning Okta and AWS lookback times
* adjusted Query Registry using Built-in Tools
* adjusted My First Rule
* Update rules/cross-platform/guided_onboarding_sample_rule.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-12-19 13:03:50 -05:00
0a740074c9
new rule 'Azure Entra MFA TOTP Brute Force Attempts' ( #4297 )
2024-12-12 11:00:02 -05:00
f0291b440a
Minstack endpoint rules with process.group.id fields ( #4294 )
2024-12-10 21:03:32 +05:30
e6012b1db6
Removing ESQL query format error ( #4292 )
2024-12-10 09:27:37 -05:00
052672b09f
[Rule Tuning] Update Okta and Github Min-Stack Versions for Release ( #4290 )
2024-12-09 20:58:33 +05:30
e7b88ae3fc
[New Rule] Adding Coverage for Self-Created Login Profile for Root Accounts in AWS ( #4277 )
...
* new rule 'AWS IAM Login Profile Added for Root'
* added min-stack
* linted; fixed rule schema errors
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-12-09 08:55:20 -05:00
2c848c5111
Prep for Release 8.18 ( #4288 )
2024-12-09 18:25:13 +05:30
511c108ba1
[Tuning] SDH - Possible Consent Grant Attack via Azure-Registered Application ( #4283 )
...
* [Tuning] Possible Consent Grant Attack via Azure-Registered Application
SDH related rule tuning for o365.audit dataset
* removing renamed field from query
2024-12-06 17:27:38 -05:00
Ruben Groenewoud