2ed97d2e8c
[Rule Tuning] Adding event.provider to AWS WAF Rule or Rule Group Deletion ( #1833 )
...
* Adding event.provider
* Removing new line
* Updating updated_date field
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-03-22 20:36:53 -03:00
22367d3702
crash shell evasion threat ( #1861 )
2022-03-22 18:46:05 +05:30
2ab5a1f44a
[New Rule] cpulimit shell evasion threat ( #1851 )
...
* cpulimit shell evasion threat
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-21 12:16:53 -05:00
096723b2a1
[Rule Tuning] Symbolic Link to Shadow Copy Created ( #1830 )
...
* fixed duplicated file name
* deprecated Symbolic Link to Shadow Copy Created as it may be prone to FP and the intrusion steps are covered with NTDS or SAM Database File Copied
* moved rule back to production, added investigation notes and sequencing to EQL query
* added related rule 3bc6deaa-fbd4-433a-ae21-3e892f95624f to investigation notes
* updating with minor changes
* adjusted related rules
* adjusted investigation notes
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* TOML linted and adjusted updated date
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-03-18 11:08:29 -04:00
84b7ce6582
update beats master branch ref to main ( #1853 )
...
* update beats master branch ref to main
* update filename of master beat schema to main
* delete old main beats schema
* rebuilt main beats archive
2022-03-18 10:06:34 -04:00
7feebc2c10
Updation of Mitre Tactic and Threats ( #1850 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-18 15:06:24 +05:30
22dd7f0ada
Deprecate PrintNightmare Rules ( #1852 )
2022-03-17 19:39:36 -03:00
a6edb7cfcf
Update defense_evasion_posh_process_injection.toml ( #1838 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-17 19:37:42 -03:00
b492258fb0
[New Rule] busybox shell evasion threat ( #1842 )
...
* busybox shell evasion threat
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-17 09:54:46 +05:30
eb2f62940d
Bump EQL to 0.9.12 ( #1849 )
...
* Bump EQL to 0.9.12
* remove duplicate jsonschema
2022-03-16 16:29:33 -08:00
f7735df1d5
[New Rule] c89/c99 shell evasion threat ( #1840 )
...
* c88/c99 shell evasion threat
2022-03-16 23:06:34 +05:30
e0f8f61ca0
Update persistence_user_account_added_to_privileged_group_ad.toml ( #1845 )
2022-03-16 13:06:04 -03:00
b5f06f455c
Update defense_evasion_microsoft_defender_tampering.toml ( #1837 )
2022-03-14 20:07:39 -03:00
53fbc50ea1
[New Rule] AdminSDHolder SDProp Exclusion Added ( #1795 )
...
* AdminSDHolder SDProp Exclusion Added Initial Rule
* Update persistence_sdprop_exclusion_dsheuristics.toml
* Update rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-03-10 14:17:01 -03:00
c05f3c8aa3
gcc shell evasion threat ( #1824 )
2022-03-10 22:41:31 +05:30
b49cce9fcb
ssh shell evasion threat ( #1827 )
2022-03-10 22:39:05 +05:30
ddbc1de45c
mysql shell evasion threat ( #1823 )
2022-03-10 22:36:35 +05:30
334aa12aaf
expect shell evasion threat ( #1817 )
...
* expect shell evasion threat
* expect shell evasion threat
* Update rules/linux/defense_evasion_expect_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-07 14:22:56 -06:00
2b6a357a4b
nice shell evasion threat ( #1820 )
...
* nice shell evasion threat
* Update rules/linux/defense_evasion_nice_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-07 13:59:16 -06:00
f9503f2096
[Rule Tuning] Rule description updates ( #1811 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-07 19:33:11 +05:30
2a82f18e43
[New Rule] Linux Restricted Shell Breakout via the Vi command ( #1809 )
...
* new:rule:issue-1808 vi shell evasion threat
* Update rules/linux/defense_evasion_vi_binary.toml
* Update rules/linux/defense_evasion_vi_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* new:rule:issue-1808 vi shell evasion threat
* new:rule:issue-1808 vi shell evasion threat
* new:rule:issue-1808 vi shell evasion threat
* Update rules/linux/defense_evasion_vi_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-04 13:46:19 -06:00
b6737aa2c3
Updating beaconing docs ( #1815 )
...
* Updating beaconind docs
* Update beaconing.md
* Update beaconing.md
2022-03-04 11:34:40 -08:00
6653acb21c
[Github Workflows] Only generate navigator files on push to main ( #1814 )
...
* [Github Workflows] Only generate navigator files on push to main
* fix workflow logic syntax
2022-03-04 09:55:11 -09:00
bb105a3c43
Replace * in navigator filenames ( #1813 )
2022-03-04 08:45:55 -09:00
254b4eb23f
Generate ATT&CK navigator layer files and links ( #1787 )
...
* Generate attack layer files and build with package
* add update-navigator-gists command
* add workflow to update navigator gists on pushes to main
* Add coverage readme
* fix keys for links
* update navigator layer names
* purge gist files prior to update; add badge
* Update how the navigator links are displayed
* moved navigator code to dedicated and refactored to dataclasses
* convert gist links to permalink versions
* alphabetize; catch 404 for gist update
2022-03-04 08:20:44 -09:00
a6582351b5
[New Rule] Potential Remote Credential Access via Registry ( #1804 )
...
* [New Rule] Potential Remote Credential Access via Registry
4624 logon followed by hive file creation by regsvc svchost.exe by same user.name and host.id. This matches on secretdsdump and other similar implementations. require to correlation Elastic endpoint file events with System integration logs (4624).
Example of data :
* Delete workspace.xml
* Update credential_access_remote_sam_secretsdump.toml
* Update credential_access_remote_sam_secretsdump.toml
* add non ecs field
* Update non-ecs-schema.json
* Update credential_access_remote_sam_secretsdump.toml
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-03 16:28:03 +01:00
202b9c7479
[New Rule] Execution control.exe via WorkFolders.exe ( #1806 )
...
* added detection rule defense_evasion_workfolders_control_execution.toml related to issue #1586
* updated rule authors
* added references to the rule
* added timestamp override variable to the rule
* adjusted value of timestamp override from event_ingested to event.ingested
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* linted toml file as suggested
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-03 09:21:40 -05:00
5c477849fe
[Rule Tuning] Update PowerShell script_block queries to avoid partial matches ( #1807 )
...
* Update script_block queries
* Update execution_posh_psreflect.toml
2022-03-03 07:37:25 -03:00
283cbca702
find shell evasion threat( #1801 )
...
* new:rule:issue-1800 Adding new rule for find shell evasion
* new:rule:issue-1800 Adding new rule for find shell evasion
* new:rule:issue-1800 Adding new rule for find shell evasion
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* new:rule:issue-1800 Adding Mittre Attack Techniques
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* new:rule:issue-1800 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-02 22:00:29 +05:30
c9dd047966
apt binary shell evasion threat ( #1792 )
...
* new:rule:issue-1782 Adding a new Rule for apt binary shell evasion threat
* new:rule:issue-1782 Review Comments
* Update rules/linux/apt_binary_shell_evasion.toml
* new:rule:issue-1782 Adding Mittre Attack Techniques
* new:rule:issue-1782 Adding Mittre Attack Techniques
* new:rule:issue-1782 Adding Mittre Attack Techniques
* new:rule:issue-1782 Adding Mittre Attack Techniques
* new:rule:issue-1782 Adding Mittre Attack Techniques
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* new:rule:issue-1782 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-03-02 21:57:40 +05:30
e004a2f4a5
awk binary shell evasion threat ( #1794 )
...
* new:rule:issue-1785 Adding a new Rule for awk binary shell evasion threat
* Update rules/linux/awk_binary_shell_evasion.toml
* Update rules/linux/awk_binary_shell_evasion.toml
* new:rule:issue-1785 Adding Mittre Attack Techniques
* new:rule:issue-1785 Adding Mittre Attack Techniques
* new:rule:issue-1785 Adding Mittre Attack Techniques
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* new:rule:issue-1785 Review Comments
* new:rule:issue-1785 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-03-02 21:53:49 +05:30
758784d4d5
env binary shell evasion threat ( #1793 )
...
* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat
* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat
* Update rules/linux/env_binary_shell_evasion.toml
* Update rules/linux/env_binary_shell_evasion.toml
* new:rule:issue-1786 Adding Mittre Attack Techniques
* new:rule:issue-1786 Adding Mittre Attack Techniques
* new:rule:issue-1786 Adding Mittre Attack Techniques
* new:rule:issue-1786 Adding Mittre Attack Techniques
* new:rule:issue-1786 Adding Mittre Attack Techniques
* Update rules/linux/privilege_escalation_env_binary.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/privilege_escalation_env_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_env_binary.toml
* Update rules/linux/privilege_escalation_env_binary.toml
* new:rule:issue-1786 Review Comments
* Update rules/linux/defense_evasion_env_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-02 21:47:01 +05:30
f48144c6b3
[New Rule] Registry Hive File Creation via SMB ( #1779 )
...
* [New Rule] Registry Hive File Creation via SMB
Identifies the creation or modification of a medium size registry hive file via the SMB protocol :
* Update credential_access_moving_registry_hive_via_smb.toml
* Update etc/non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-02 10:12:17 +01:00
8a9b52f7e1
Update impact_azure_service_principal_credentials_added.toml ( #1802 )
2022-03-02 05:36:21 -03:00
1c50f35aed
[Security Content] Update rules based on docs review ( #1803 )
...
* Adds suggestions from security-docs
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-03-01 21:39:30 -03:00
0122e1e65f
Updating Host Risk Score docs ( #1716 )
...
* Updating host risk score docs
* Small update
* Add host risk documentation for Kibana 8.1 features
* Update host-risk-score.md
* Rearranging some stuff
* Improve host risk SS
* Adding stack version info where applicable
* Update host-risk-score.md
* Update host-risk-score.md
* Update host-risk-score.md
* Update host-risk-score.md
* Update host-risk-score.md
Add host by risk table note
* Update host-risk-score.md
Co-authored-by: Pablo Neves Machado <pablo.nevesmachado@elastic.co >
2022-02-28 15:19:31 -08:00
a5eb02ac28
Refresh ATT&CK to v10.1 ( #1791 )
2022-02-24 16:37:23 -09:00
d373db7659
Ensure github module is installed before running PR commands ( #1777 )
...
* Ensure github module is installed before running PR commands
* move go and elastic-package assertions to top of command
* update error msg for missing pkg
* remove redundant github assertion
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-02-24 14:49:01 -09:00
aa7d79cc53
[New Rule] LSASS Memory Dump ( #1784 )
...
* Add new event_data fields (ObjectName, ProcessName)
* Add detection for LSASS Memory Dump Handle Access
* Reference an example of 120089 AccessMask presence
* modify query to increase performance and update the description to remove ("This rule").
* expand path to Elastic Agent ensure syntax consistency
* Optimize rule based on AccessMaskDescription and additional False Positives.
* add AccessMaskDescription keyword and rule tune to make sure AccessMask is used
* filter dllhost.exe and or the condition between AccessMask and AccessMaskDescription
* cleanup
2022-02-24 08:14:01 -05:00
0aeb7399d4
[Bug] Fix toml-lint ordering of Mitre metadata #1249 ( #1774 )
...
* Order the MITRE metadata by recursively sorting the rule object before writing.
* Refactor order_rule into the rule_formatter module.
* sort test_toml.json according to rule_formatter spec
* rename var to obj since this will traverse all data in the rule
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-22 13:57:49 -05:00
8664ef59f4
Update persistence_azure_conditional_access_policy_modified.toml ( #1788 )
2022-02-22 15:26:28 -03:00
5e073af69d
Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 ( #1781 )
...
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1
2022-02-16 08:25:31 -09:00
dec4243db0
[Rule Tuning] Update rules based on docs review ( #1778 )
...
* Update rules based on docs review
* trivial change to trigger CLA
* undo changes from triggering build
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-16 07:42:06 -09:00
3227d65cd8
[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id ( #1773 )
...
* Remove Windows Integration & Winlogbeat Support
* Update lateral_movement_service_control_spawned_script_int.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-15 23:04:55 -03:00
03f60cc11c
[Rule Tuning] Potential Command and Control via Internet Explorer ( #1771 )
...
* Use user.name on the sequence instead of user.id
* Update command_and_control_iexplore_via_com.toml
* Remove min_stack and comment "with runs"
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-15 22:58:01 -03:00
42436d3364
[New Rule] Potential Credential Access via DCSync ( #1763 )
...
* "Potential Credential Access via DCSync" Initial Rule
* replace unintentional bracket removal
* json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-15 21:40:26 -03:00
fd678dc5cb
Modified to use Integrity fields instead of user.id ( #1772 )
2022-02-15 15:22:49 -09:00
9bbe26fec0
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes ( #1775 )
...
* Initial Review of Sysmon Registry Rules
* Update defense_evasion_sip_provider_mod.toml
2022-02-15 09:56:37 -03:00
c646a18efb
Update discovery_net_command_system_account.toml ( #1769 )
2022-02-14 12:11:12 -03:00
326aa64ff6
[New Rule] Windows Service Installed via an Unusual Client ( #1759 )
...
* [New Rule] Windows Service Installed via an Unusual Client
https://www.x86matthew.com/view_post?id=create_svc_rpc
* Update non-ecs-schema.json
* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Add ```s
* Update privilege_escalation_windows_service_via_unusual_client.toml
* add missing comma to schema
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-11 21:56:59 +01:00
Stijn Holzhauer