29bb52d2fb
[New Rule] Netcon through XDG Autostart Entry ( #3741 )
...
* [New Rule] Netcon through XDG Autostart Entry
* Update rules/linux/persistence_xdg_autostart_netcon.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update persistence_xdg_autostart_netcon.toml
* Update persistence_xdg_autostart_netcon.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-06-10 10:17:09 +02:00
70496f813f
[New Rule] Executable Bit Set for rc.local/rc.common ( #3736 )
...
* [New Rule] Executable Bit Set for rc.local/rc.common
* Endgame compatibility
* Update rules/linux/persistence_rc_local_common_executable_bit_set.toml
2024-06-10 09:57:14 +02:00
d3e2f70ce2
[New Rule] Process Capability Set via setcap Utility ( #3744 )
...
* [New Rule] Process Capability Set via setcap Utility
* ++
* Update rules/linux/persistence_process_capability_set_via_setcap.toml
2024-06-06 12:44:31 +02:00
8e6114f76c
[Rule Tuning] System Binary Moved or Copied ( #3742 )
...
* [Rule Tuning] System Binary Moved or Copied
* Added reference
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
2024-06-06 12:24:48 +02:00
61ab035f41
[Rule Tuning] Potential Sudo Hijacking ( #3745 )
...
* [Rule Tuning] Potential Sudo Hijacking
* Update rules/linux/privilege_escalation_sudo_hijacking.toml
* Update rules/linux/privilege_escalation_sudo_hijacking.toml
2024-06-06 11:59:26 +02:00
342fde097f
[New Rule] SSH Key Generated via ssh-keygen ( #3731 )
...
* [New Rule] SSH Key Generated via ssh-keygen
* ++
* Update rules/linux/persistence_ssh_key_generation.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-06-06 11:50:38 +02:00
5f36f3a03e
[Rule Tuning] Shell Configuration Creation or Modification ( #3732 )
...
* [Rule Tuning] Shell Configuration Creation or Modification
* Incompatible endgame field
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-05 10:28:13 +02:00
e41a57f2ad
[Rule Tuning] Message-of-the-Day (MOTD) ( #3730 )
...
* [Rule Tuning] Message-of-the-Day (MOTD)
* Update persistence_message_of_the_day_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-05 10:18:30 +02:00
bebf671881
[Rule Tuning] Systemd Service & Timer ( #3728 )
...
* [Rule Tuning] Systemd Service & Timer
* Update
* Update persistence_systemd_scheduled_timer_created.toml
* Update persistence_systemd_service_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_systemd_service_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-05 10:01:15 +02:00
81ee6380ec
[New Rule & Tuning] (Ana)Cron & At Job Creation ( #3726 )
...
* [New Rule & Tuning] (Ana)Cron & At Job Creation
* Update persistence_at_job_creation.toml
* Update persistence_cron_job_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_at_job_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_cron_job_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-05 09:53:42 +02:00
e357a2c050
Refresh MITRE Attack v15.1.0 ( #3725 )
2024-06-04 20:14:58 +05:30
390629da4e
[New Rule & Tunings] Linux Springtail Backdoor ( #3692 )
...
* [New Rules and Tuning] Springtail backdoor
* consistency formatting
* update
* unit testing formatting change
* Update persistence_systemd_service_started.toml
* Update persistence_systemd_service_started.toml
* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
2024-05-24 10:10:11 +02:00
63e91c2f12
Back-porting Version Trimming ( #3704 )
2024-05-23 00:45:10 +05:30
2c3dbfc039
Revert "Back-porting Version Trimming ( #3681 )"
...
This reverts commit 71d2c59b5c
2024-05-22 13:51:46 -05:00
71d2c59b5c
Back-porting Version Trimming ( #3681 )
2024-05-23 00:11:50 +05:30
ce21acef9c
[Bug] Fix test_os_and_platform_in_query test and rules ( #3695 )
...
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2024-05-20 08:43:30 -07:00
e29994c338
[New Rule] Shell Configuration Modification ( #3629 )
...
* [New Rule] Shell Configuration Modification
* description update
* uuid update
* query update
* query update
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-04-30 13:41:13 +02:00
115c3a6dfd
[Rule Tuning] Linux DRs ( #3628 )
2024-04-30 13:26:09 +02:00
153657029b
Add filebeat-* index pattern to rules based on system.auth dataset ( #3561 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-04-03 11:27:31 +02:00
f2490007e8
[New] Potential Execution via XZBackdoor ( #3555 )
...
* [New] Potential Execution via XZBackdoor
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-04-02 05:15:04 +01:00
a6028b43b3
[Rule Tuning] Potential Reverse Shell via UDP ( #3508 )
2024-03-21 13:48:41 +01:00
4179180fcb
[New Rules] mprotect() RWX Binary Execution ( #3507 )
...
* [New Rules] mprotect() RWX Binary Execution
* Added rule names
* Update execution_netcon_from_rwx_mem_region_binary.toml
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update execution_netcon_from_rwx_mem_region_binary.toml
* Update execution_netcon_from_rwx_mem_region_binary.toml
2024-03-13 22:11:44 +01:00
9f8638a004
[Tuning] event.action and event.type change ( #3495 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-03-13 10:11:21 +01:00
458e67918a
[Security Content] Small tweaks on the setup guides ( #3308 )
...
* [Security Content] Small tweaks on the setup guides
* Additional Fixes
* Avoid touching deprecated rules
2024-03-11 09:09:40 -03:00
9c4ba4559d
[Tuning] Linux DR Tuning - Part 12 ( #3464 )
...
* [Tuning] Linux DR Tuning - Part 12
* Update persistence_shared_object_creation.toml
* Update privilege_escalation_dac_permissions.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Min stack rule-bending test
* formatting fix
* Revert "Merge branch 'linux-dr-tuning-12' of https://github.com/elastic/detection-rules into linux-dr-tuning-12"
This reverts commit 0170cddd905b4b983f8413eebbc11c9c7b3719ce, reversing
changes made to 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Revert "Min stack rule-bending test"
This reverts commit 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_chown_chmod_unauthorized_file_read.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-03-07 18:09:38 +01:00
ed4a7fc15b
[Tuning] Linux DR Tuning - Part 14 ( #3467 )
...
* [Tuning] Linux DR Tuning - Part 14
* Update privilege_escalation_sudo_cve_2019_14287.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-03-07 16:45:47 +01:00
60fda8d756
[Tuning] Linux DR Tuning - Part 13 ( #3465 )
...
* [Tuning] Linux DR Tuning - Part 13
* updated date bump
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
* Update privilege_escalation_netcon_via_sudo_binary.toml
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
* Update rules/linux/privilege_escalation_shadow_file_read.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-03-07 16:28:06 +01:00
ef66c57030
[Tuning] Linux DR Tuning - Part 11 ( #3463 )
...
* [Tuning] Linux DR Tuning - Part 11
* Update persistence_message_of_the_day_creation.toml
* Update persistence_message_of_the_day_execution.toml
* Update rules/linux/persistence_message_of_the_day_execution.toml
* Update persistence_linux_user_added_to_privileged_group.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-03-07 12:20:31 +01:00
a76a3755d9
[Tuning] Linux DR Tuning - Part 10 ( #3462 )
...
* [Tuning] Linux DR Tuning - Part 10
* updated_date bump
* Update persistence_kworker_file_creation.toml
* Update persistence_linux_backdoor_user_creation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-03-07 11:45:17 +01:00
fd84573212
[Tuning] Linux DR Tuning - Part 9 ( #3461 )
...
* [Tuning] Linux DR Tuning - Part 9
* Update persistence_credential_access_modify_ssh_binaries.toml
* Update lateral_movement_ssh_it_worm_download.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-03-07 11:33:28 +01:00
08f946b394
[Tuning] Linux DR Tuning - Part 8 ( #3460 )
...
* [Tuning] Linux DR Tuning - Part 8
* Update impact_esxi_process_kill.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-03-07 11:01:08 +01:00
c537fb9c22
[Tuning] Linux DR Tuning - Part 7 ( #3458 )
...
* [Tuning] Linux DR Tuning - Part 7
* Update execution_potential_hack_tool_executed.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-03-07 10:46:48 +01:00
f37a3bfd48
[Tuning] Linux DR Tuning - Part 6 ( #3457 )
...
* [Tuning] Linux DR Tuning - Part 6
* Update discovery_ping_sweep_detected.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-03-07 10:09:14 +01:00
ae3f4737ab
[Tuning] Linux DR Tuning - Part 5 ( #3456 )
...
* [Tuning] Linux DR Tuning - Part 6
* Update discovery_dynamic_linker_via_od.toml
* Update discovery_esxi_software_via_find.toml
* Update discovery_esxi_software_via_grep.toml
* Update discovery_linux_hping_activity.toml
* Update discovery_linux_nping_activity.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-03-07 09:53:46 +01:00
83abf8d42c
[Tuning] Auditbeat event.action Compatibility ( #3471 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-03-06 15:28:28 +01:00
5a80423003
[BBR Promotion] Linux BBR --> DR Promotion ( #3472 )
...
* [BBR Promotion] Linux BBR --> DR Promotion
* [BBR Promotion] Linux BBR --> DR Promotion
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-03-06 10:49:42 -03:00
089e6671aa
[Tuning] Linux DR Tuning - Part 4 ( #3455 )
...
* [Tuning] Linux DR Tuning - Part 4
* Update defense_evasion_file_mod_writable_dir.toml
* Update defense_evasion_hidden_file_dir_tmp.toml
2024-02-20 15:38:54 +01:00
3484cac7eb
[Tuning] Event.dataset removal & Tag Addition ( #3451 )
...
* [Tuning] Removed event.dataset and added tag
* [Tuning] Removed event.dataset and added tag
* fixed typo
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-02-20 15:18:27 +01:00
5e6e4a359b
[Tuning] Linux DR Tuning - Part 3 ( #3454 )
2024-02-20 14:50:58 +01:00
1dc7fd6a42
[Tuning] Linux DR Tuning - Part 1 ( #3452 )
...
* [Tuning] Linux DR Tuning - Part 1
* Update command_and_control_linux_tunneling_and_port_forwarding.toml
* Update command_and_control_cat_network_activity.toml
2024-02-20 14:38:19 +01:00
0e48747aa6
[Tuning] Linux DR Tuning - Part 2 ( #3453 )
...
* [Tuning] Linux DR Tuning - Part 2
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
2024-02-20 14:17:17 +01:00
d41855a2ac
[New Rules] DDExec Analysis ( #3408 )
...
* [New Rules] DDExec Analysis
* Increased rule scope
* [New Rule] Dynamic Linker Discovery via od
* Revert "[New Rule] Dynamic Linker Discovery via od"
This reverts commit c58595b77f517d3f236a64a52c38804253db64cc.
* [New Rule] Dynamic Linker Discovery via od
* [New Rule] Potential Memory Seeking Activity
* [New BBR] Suspicious Memory grep Activity
* Added endgame + auditd_manager support
* Removed auditd_manager support for now
* Removed auditd_manager support for now
* Update discovery_suspicious_memory_grep_activity.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-02-06 14:47:37 +01:00
90d64f0714
[New Rule] Executable Masquerading as Kernel Process ( #3421 )
...
* [New Rule] Executable Masquerading as Kernel Proc
* Bumped dates
* Added endgame support
* Added auditd_manager support
* Removed auditd_manager support for now
2024-02-06 10:49:36 +01:00
208b2e999c
[New Rules] APT Package Manager Persistence ( #3418 )
...
* [New Rule] apt Package Manager Persistence
* [New Rules] APT Package Manager Persistence
* [New Rules] APT Package Manager Persistence
2024-02-06 10:29:27 +01:00
4f303ab77e
[New Rule] Suspicious Network Connection via systemd ( #3420 )
...
* [New Rule] Network Connection via systemd
* Removed space from description
* Added updated query
2024-02-06 10:19:42 +01:00
381ccf43ed
[New Rule] Suspicious Passwd File Event Action ( #3396 )
...
* [New Rule] Suspicious Passwd File Event Action
* Description fix
* Pot. UT fix
* Pot. UT fix.
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-01-26 09:36:56 +01:00
48d8b650e5
[New Rule] Potential Buffer Overflow Attack Detected ( #3312 )
...
* [New Rule] Potential Buffer Overflow Attack
* Added timestamp_override
* Update privilege_escalation_potential_bufferoverflow_attack.toml
* Update privilege_escalation_potential_bufferoverflow_attack.toml
* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-01-22 16:28:22 +01:00
ec5f4d596c
[New Rule] Chroot Container Escape via Mount ( #3387 )
...
* [New Rule] Chroot Container Escape via Mount
* description fix
2024-01-22 09:17:53 +01:00
26747aa8a4
[Security Content] Add Investigation Guides to Linux Persistence Rules - 2 ( #3350 )
...
* [Security Content] Add IGs to Persistence - 2
* [Security Content] Add IGs to Persistence - 2
* fixes
* fix
* added ig note
2024-01-20 19:36:32 +01:00
1a2ef4b867
Linux Process Capabilities Enrichment Detection Rules ( #3366 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com
2024-01-18 22:49:43 +05:30
Ruben Groenewoud