2bf7df1890
[New Rule] Privilege Escalation via SUID/SGID ( #3793 )
...
* [New Rule] Privilege Escalation via SUID/SGID
* unit test error fix?
* Update rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
(cherry picked from commit c3ba7b1262
2024-06-27 14:53:31 +00:00
de7e0c7e38
[New Rule] User or Group Creation/Modification ( #3804 )
...
(cherry picked from commit 0ca16a1516
2024-06-27 14:39:17 +00:00
2c798a1d18
[Rule Tuning] SUID/SGID Bit Set ( #3802 )
...
(cherry picked from commit 8d063e1a47
2024-06-27 14:31:05 +00:00
4daed66479
[New] Microsoft Management Console File from Unusual Path ( #3834 )
...
* [New] Windows Script Execution via MMC Console File
* Update execution_via_mmc_console_file_unusual_path.toml
* Update execution_via_mmc_console_file_unusual_path.toml
* Update rules/windows/execution_via_mmc_console_file_unusual_path.toml
* Update execution_via_mmc_console_file_unusual_path.toml
* Update execution_via_mmc_console_file_unusual_path.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 17a07020f3
2024-06-27 10:35:57 +00:00
0e6ec1f961
[New Rule] AD Group Modification by SYSTEM ( #3833 )
...
* [New Rule] AD Group Modification by SYSTEM
* .
* Update rules/windows/persistence_group_modification_by_system.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Tighten up indexes
* Update persistence_group_modification_by_system.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit deb08fd28d
2024-06-26 21:59:15 +00:00
8bab0df7bf
[Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs ( #3825 )
...
* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs
* .
* Update integration-schemas.json.gz
* Fix integration manifests
Removed changes from:
- rules/windows/collection_email_powershell_exchange_mailbox.toml
- rules/windows/command_and_control_rdp_tunnel_plink.toml
- rules/windows/command_and_control_screenconnect_childproc.toml
- rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
- rules/windows/credential_access_kirbi_file.toml
- rules/windows/defense_evasion_amsi_bypass_dllhijack.toml
- rules/windows/defense_evasion_persistence_account_tokenfilterpolicy.toml
- rules/windows/defense_evasion_suspicious_zoom_child_process.toml
- rules/windows/execution_command_shell_started_by_unusual_process.toml
- rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
- rules/windows/persistence_adobe_hijack_persistence.toml
- rules/windows/persistence_appcertdlls_registry.toml
- rules/windows/persistence_system_shells_via_services.toml
(selectively cherry picked from commit 54d5b442cf
2024-06-26 14:09:43 +00:00
a8a6562872
[New Rules] Yum Plugin Creation / Discovery ( #3820 )
...
* [New Rules] Yum Plugin Creation / Discovery
* Update discovery_yum_plugin_detection.toml
* Update and rename discovery_yum_plugin_detection.toml to discovery_yum_dnf_plugin_detection.toml
(cherry picked from commit 6746a421c4
2024-06-25 14:17:34 +00:00
a995f27c13
Tune rule to exclude forwarded events. ( #3790 )
...
Events containing "forwarded" as a tag may include host information
that is not related to the host running elastic agent. This triggers
false positive alerts. Examples include Entity Analytics integrations,
Palo Alto GlobalProtect activity, and M365 Defender device events.
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 0726ce41bf
2024-06-25 11:25:08 +00:00
24358ceb79
[Rule Tuning]: Fix threat_index and filters in Rapid7 CVE rule ( #3800 )
...
* Fix index and filters in Rapid7 CVE rule
* change updated date
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit e9d7ddfa35
2024-06-20 19:20:05 +00:00
0ab0ea4d10
[New Rule] Potential Privilege Escalation via Service ImagePath Modification ( #3757 )
...
* [New Rule] Potential Privilege Escalation via Service ImagePath Modification
* Update privilege_escalation_reg_service_imagepath_mod.toml
* [New Rule] NTDS Dump via Wbadmin
* Revert "[New Rule] NTDS Dump via Wbadmin"
This reverts commit 09fd513b1e8b35e22c7d1a371b0aa5aa4837cdc5.
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update privilege_escalation_reg_service_imagepath_mod.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit c20318d0d0
2024-06-20 13:45:08 +00:00
0e6ebd6e7a
[New Rule] NTDS Dump via Wbadmin ( #3758 )
...
* [New Rule] NTDS Dump via Wbadmin
* Update rules/windows/credential_access_wbadmin_ntds.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 236444200b
2024-06-20 12:58:34 +00:00
b8c63b0999
[New Rule] Potential WPAD Spoofing via DNS Record Creation ( #3748 )
...
(cherry picked from commit 3fd9bae611
2024-06-20 12:38:06 +00:00
b0c0fa4e35
Create defense_evasion_reg_disable_enableglobalqueryblocklist.toml ( #3734 )
...
(cherry picked from commit 6a0ac563a0
2024-06-20 12:26:17 +00:00
cbc7fb5224
Adding setup templates to the ML rules ( #3798 )
...
* Added setup instructions for ml rules
(cherry picked from commit 51b9717ac0
2024-06-19 14:08:24 +00:00
96c7509c20
Closes #2216 ( #2855 )
...
* Update privilege_escalation_sts_assumerole_usage.toml
* Update privilege_escalation_sts_assumerole_usage.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
(cherry picked from commit c1dcd21531
2024-06-13 20:56:04 +00:00
37ea64baf4
[New Rule] Rapid7 Threat Command CVEs Correlation ( #3718 )
...
* new rule 'Rapid7 Threat Command CVEs Correlation'
* Update rules/threat_intel/threat_intel_rapid7_threat_command.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* updated threat index and tags
* changed 'indicator match' to 'threat match' for tags
* removed timeline
* updating integrations to match main
* re-adding rapid7 threat command integration manifest and schema
* reverting changes; removing timeline
* changed max signals to 10000
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 020ca4be24
2024-06-12 22:04:56 +00:00
c4a427178b
[New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll ( #3717 )
...
* [New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll
* Update privilege_escalation_dns_serverlevelplugindll.toml
* Update privilege_escalation_dns_serverlevelplugindll.toml
* Update rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 4eff7c6c87
2024-06-12 18:21:54 +00:00
bc578b5464
Update FIM integration Setup sequence ( #3781 )
...
(cherry picked from commit 89d89f15d2
2024-06-12 11:14:29 +00:00
d8131f9c60
Add exceptions to C2 Beaconing Activity ( #3771 )
...
(cherry picked from commit 8baf5dc2d8
2024-06-11 13:17:09 +00:00
d26951d94e
[New Rule] Suspicious File Modification ( #3746 )
...
* [New Rule] Suspicious File Modification
* Update persistence_suspicious_file_modifications.toml
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Updates
* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit ec223a4a05
2024-06-11 11:06:39 +00:00
14de5313e8
[New Rules] PAM Module Creation & Unusual PAM Grantor ( #3743 )
...
* [New Rules] PAM Module Creation & Unusual PAM Grantor
* Update persistence_unusual_pam_grantor.toml
* Update persistence_pluggable_authentication_module_creation.toml
* Update rules/linux/persistence_pluggable_authentication_module_creation.toml
* Update persistence_pluggable_authentication_module_creation.toml
* Update persistence_unusual_pam_grantor.toml
* Update rules/linux/persistence_pluggable_authentication_module_creation.toml
(cherry picked from commit c87c4c9f5d
2024-06-11 09:54:34 +00:00
b6d29a6775
[Rule Tuning] Systemd-udevd Rule File Creation ( #3738 )
...
* [Rule Tuning] Systemd-udevd Rule File Creation
* Incompatible endgame field
* Update rules/linux/persistence_udev_rule_creation.toml
* Update rules/linux/persistence_udev_rule_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_udev_rule_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update persistence_udev_rule_creation.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 4cf0c2b9af
2024-06-11 09:43:57 +00:00
1e16e806c7
[New Rule] APT Package Manager Configuration File Creation ( #3739 )
...
* [New Rule] APT Package Manager Configuration File Creation
* Update rules/linux/persistence_apt_package_manager_file_creation.toml
* Update persistence_apt_package_manager_file_creation.toml
(cherry picked from commit 4003219aa1
2024-06-11 07:46:33 +00:00
6fadd533fe
[New Rule] Network Connection Initiated by SSH Parent Process ( #3759 )
...
* [New Rule] Network Connection Initiated by SSH Parent Process
* Update persistence_ssh_netcon.toml
* Update rules/linux/persistence_ssh_netcon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_ssh_netcon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update persistence_ssh_netcon.toml
* Update persistence_ssh_netcon.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 74f049cc7c
2024-06-10 08:33:52 +00:00
9f5c795ea5
[New Rule] Netcon through XDG Autostart Entry ( #3741 )
...
* [New Rule] Netcon through XDG Autostart Entry
* Update rules/linux/persistence_xdg_autostart_netcon.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update persistence_xdg_autostart_netcon.toml
* Update persistence_xdg_autostart_netcon.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 29bb52d2fb
2024-06-10 08:20:29 +00:00
7ba1a863b5
[New Rule] Executable Bit Set for rc.local/rc.common ( #3736 )
...
* [New Rule] Executable Bit Set for rc.local/rc.common
* Endgame compatibility
* Update rules/linux/persistence_rc_local_common_executable_bit_set.toml
(cherry picked from commit 70496f813f
2024-06-10 08:00:14 +00:00
fff49e7f09
[Rule Tuning] User Added to Privileged Group ( #3763 )
...
* [New Rule] User Added to Privileged Group
* add more groups
* Update rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update persistence_user_account_added_to_privileged_group_ad.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 087e8a6e85
2024-06-07 16:46:52 +00:00
886ce70678
[New Rule] Process Capability Set via setcap Utility ( #3744 )
...
* [New Rule] Process Capability Set via setcap Utility
* ++
* Update rules/linux/persistence_process_capability_set_via_setcap.toml
(cherry picked from commit d3e2f70ce2
2024-06-06 10:47:40 +00:00
71394edb86
[Rule Tuning] System Binary Moved or Copied ( #3742 )
...
* [Rule Tuning] System Binary Moved or Copied
* Added reference
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
(cherry picked from commit 8e6114f76c
2024-06-06 10:27:50 +00:00
fb82c0fe1b
[Rule Tuning] Potential Sudo Hijacking ( #3745 )
...
* [Rule Tuning] Potential Sudo Hijacking
* Update rules/linux/privilege_escalation_sudo_hijacking.toml
* Update rules/linux/privilege_escalation_sudo_hijacking.toml
(cherry picked from commit 61ab035f41
2024-06-06 10:02:23 +00:00
1d6361dece
[New Rule] SSH Key Generated via ssh-keygen ( #3731 )
...
* [New Rule] SSH Key Generated via ssh-keygen
* ++
* Update rules/linux/persistence_ssh_key_generation.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 342fde097f
2024-06-06 09:53:51 +00:00
522719cc9e
[New Rule] AWS EC2 Instance Connect SSH Public Key Uploaded ( #3634 )
...
* new rule 'AWS EC2 Instance Connect SSH Public Key Uploaded'
* changed tactic to privilege escalation
* added additional reference
* added investigation guide
* updated summary
* changed risk score to medium; adjusted tags
* fixed mitre mapping
* Update rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 9f67585332
2024-06-05 14:36:53 +00:00
124fdc93a7
[New Rule] AWS Systems Manager SecureString Parameter Request with Decryption Flag ( #3590 )
...
* new rule 'First Occurrence of Resource Accessing AWS Systems Manager SecureString Parameters with Decryption Flag'
* updated rule contents
* added investigation guide; changed new terms to uder.id
* adjusted time window
* adjusted rule name
* updated query, adjusted new terms value
(cherry picked from commit 05ac4e1bd3
2024-06-05 14:26:05 +00:00
9475cf942d
[New Rule] AWS IAM Roles Anywhere Profile Creation and Trusted Anchor with External CA Created ( #3609 )
...
* new rule 'AWS IAM Roles Anywhere Role Creation'
* adjusted rule to focus on Roles Anywhere profile creation
* added rule for roles anywhere trusted anchor; updated rule file naming
* added investigation guide
* added investigation guide
* adjusted rule and file name
* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit c77eb1d915
2024-06-05 14:14:27 +00:00
6ff8f3a75f
[Rule Tuning] Shell Configuration Creation or Modification ( #3732 )
...
* [Rule Tuning] Shell Configuration Creation or Modification
* Incompatible endgame field
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 5f36f3a03e
2024-06-05 08:31:16 +00:00
1b3ccdd1d5
[Rule Tuning] Message-of-the-Day (MOTD) ( #3730 )
...
* [Rule Tuning] Message-of-the-Day (MOTD)
* Update persistence_message_of_the_day_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit e41a57f2ad
2024-06-05 08:21:58 +00:00
2d55e67da7
[Rule Tuning] Systemd Service & Timer ( #3728 )
...
* [Rule Tuning] Systemd Service & Timer
* Update
* Update persistence_systemd_scheduled_timer_created.toml
* Update persistence_systemd_service_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_systemd_service_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit bebf671881
2024-06-05 08:04:19 +00:00
8eea11e6ab
[New Rule & Tuning] (Ana)Cron & At Job Creation ( #3726 )
...
* [New Rule & Tuning] (Ana)Cron & At Job Creation
* Update persistence_at_job_creation.toml
* Update persistence_cron_job_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_at_job_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_cron_job_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 81ee6380ec
2024-06-05 07:56:52 +00:00
06660cb2e1
Refresh MITRE Attack v15.1.0 ( #3725 )
...
(cherry picked from commit e357a2c050
2024-06-04 14:48:18 +00:00
d7db6be0aa
[New Rule] Rapid Secret Retrieval Attempts from AWS SecretsManager ( #3589 )
...
* new rule 'Rapid Secret Retrieval Attempts from AWS SecretsManager'
* updated user identity arn to user.id for cross-service password retrieval
* added investigation guides; bumped dates; adjusted threshold value
* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 59b7e3bde4
2024-06-04 13:23:16 +00:00
b719927d66
[Rule Tuning] Agent Spoofing ( #3729 )
...
(cherry picked from commit 90bb8b53d8
2024-06-03 17:31:40 +00:00
6924fddf65
[New Rule] AWS Lambda Function Policy Updated To Allow Public Invocation ( #3632 )
...
* new rule 'AWS Lambda Function Policy Updated To Allow Public Invocation'
* updated rule UUID
* added investigation guide
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 0885032b2c
2024-06-03 15:46:31 +00:00
1b586e7485
[New Rule] AWS Lambda Layer Added to Existing Function ( #3631 )
...
* new rule 'AWS Lambda Layer Added to Existing Function'
* updated query logic; added investigation note
(cherry picked from commit 70469b4cdb
2024-06-02 12:44:13 +00:00
9b487a7ea3
[New Rule] AWS S3 Bucket Policy Added to Share with External Account ( #3603 )
...
* new rule 'AWS S3 Bucket Policy Added to Share with External Account'
* added investigation guide
* Update rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
(cherry picked from commit 7c82e75cf4
2024-06-01 14:34:49 +00:00
032a8c9623
[New Rule] AWS GetCallerIdentity API Called for the First Time ( #3711 )
...
* [New Rule] AWS GetCallerIdentity API Called for the First Time
issue
* Apply suggestions from code review
name change, false positive additions, remove Setup, change new_terms window from 15d to 10d
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
fixed missing closing quotes
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 23ce41d8af
2024-05-31 21:58:11 +00:00
9a92326b0d
Remove unwanted backticks ( #3724 )
...
(cherry picked from commit 418a95205e
2024-05-31 16:19:24 +00:00
444ae196ac
Add exceptions to brute force threshold rule. ( #3712 )
...
High volume, machine generated failures or MFA interruptions have been added to the rule.
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 34294fbe6d
2024-05-30 08:16:09 +00:00
e1230b6b26
Update rule setup instructions for UEBA packages ( #3652 )
...
* update detection-rules instructions for UEBA packages
---------
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com >
(cherry picked from commit 8b28a515c1
2024-05-28 19:24:45 +00:00
a32759a51f
[New Rule] First Occurrence of AWS Resource Starting SSM Session to EC2 Instance ( #3598 )
...
* new rule 'First Occurrence of AWS Resource Starting SSM Session to EC2 Instance'
* added investigation guide
* changed file name to match tactic
* changed reference
* updated tags
* updated investigation notes
* changed new terms value; adjusted rule name
(cherry picked from commit d5c57463e1
2024-05-28 15:26:33 +00:00
2691273c93
[New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports ( #3599 )
...
* new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports'
* updated rule name
* changed file name; added false-positive note
* changed rule UUID
* adjusted file name
* updated tags
* added investigation guide; updated query logic
* Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* updated query and name
* updated query optimization
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 527f785a60
2024-05-28 14:52:40 +00:00
Ruben Groenewoud