2ed97d2e8c
[Rule Tuning] Adding event.provider to AWS WAF Rule or Rule Group Deletion ( #1833 )
...
* Adding event.provider
* Removing new line
* Updating updated_date field
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-03-22 20:36:53 -03:00
22367d3702
crash shell evasion threat ( #1861 )
2022-03-22 18:46:05 +05:30
2ab5a1f44a
[New Rule] cpulimit shell evasion threat ( #1851 )
...
* cpulimit shell evasion threat
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-21 12:16:53 -05:00
096723b2a1
[Rule Tuning] Symbolic Link to Shadow Copy Created ( #1830 )
...
* fixed duplicated file name
* deprecated Symbolic Link to Shadow Copy Created as it may be prone to FP and the intrusion steps are covered with NTDS or SAM Database File Copied
* moved rule back to production, added investigation notes and sequencing to EQL query
* added related rule 3bc6deaa-fbd4-433a-ae21-3e892f95624f to investigation notes
* updating with minor changes
* adjusted related rules
* adjusted investigation notes
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* TOML linted and adjusted updated date
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-03-18 11:08:29 -04:00
7feebc2c10
Updation of Mitre Tactic and Threats ( #1850 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-18 15:06:24 +05:30
22dd7f0ada
Deprecate PrintNightmare Rules ( #1852 )
2022-03-17 19:39:36 -03:00
a6edb7cfcf
Update defense_evasion_posh_process_injection.toml ( #1838 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-17 19:37:42 -03:00
b492258fb0
[New Rule] busybox shell evasion threat ( #1842 )
...
* busybox shell evasion threat
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-17 09:54:46 +05:30
f7735df1d5
[New Rule] c89/c99 shell evasion threat ( #1840 )
...
* c88/c99 shell evasion threat
2022-03-16 23:06:34 +05:30
e0f8f61ca0
Update persistence_user_account_added_to_privileged_group_ad.toml ( #1845 )
2022-03-16 13:06:04 -03:00
b5f06f455c
Update defense_evasion_microsoft_defender_tampering.toml ( #1837 )
2022-03-14 20:07:39 -03:00
53fbc50ea1
[New Rule] AdminSDHolder SDProp Exclusion Added ( #1795 )
...
* AdminSDHolder SDProp Exclusion Added Initial Rule
* Update persistence_sdprop_exclusion_dsheuristics.toml
* Update rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-03-10 14:17:01 -03:00
c05f3c8aa3
gcc shell evasion threat ( #1824 )
2022-03-10 22:41:31 +05:30
b49cce9fcb
ssh shell evasion threat ( #1827 )
2022-03-10 22:39:05 +05:30
ddbc1de45c
mysql shell evasion threat ( #1823 )
2022-03-10 22:36:35 +05:30
334aa12aaf
expect shell evasion threat ( #1817 )
...
* expect shell evasion threat
* expect shell evasion threat
* Update rules/linux/defense_evasion_expect_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-07 14:22:56 -06:00
2b6a357a4b
nice shell evasion threat ( #1820 )
...
* nice shell evasion threat
* Update rules/linux/defense_evasion_nice_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-07 13:59:16 -06:00
f9503f2096
[Rule Tuning] Rule description updates ( #1811 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-07 19:33:11 +05:30
2a82f18e43
[New Rule] Linux Restricted Shell Breakout via the Vi command ( #1809 )
...
* new:rule:issue-1808 vi shell evasion threat
* Update rules/linux/defense_evasion_vi_binary.toml
* Update rules/linux/defense_evasion_vi_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* new:rule:issue-1808 vi shell evasion threat
* new:rule:issue-1808 vi shell evasion threat
* new:rule:issue-1808 vi shell evasion threat
* Update rules/linux/defense_evasion_vi_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-04 13:46:19 -06:00
a6582351b5
[New Rule] Potential Remote Credential Access via Registry ( #1804 )
...
* [New Rule] Potential Remote Credential Access via Registry
4624 logon followed by hive file creation by regsvc svchost.exe by same user.name and host.id. This matches on secretdsdump and other similar implementations. require to correlation Elastic endpoint file events with System integration logs (4624).
Example of data :
* Delete workspace.xml
* Update credential_access_remote_sam_secretsdump.toml
* Update credential_access_remote_sam_secretsdump.toml
* add non ecs field
* Update non-ecs-schema.json
* Update credential_access_remote_sam_secretsdump.toml
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-03 16:28:03 +01:00
202b9c7479
[New Rule] Execution control.exe via WorkFolders.exe ( #1806 )
...
* added detection rule defense_evasion_workfolders_control_execution.toml related to issue #1586
* updated rule authors
* added references to the rule
* added timestamp override variable to the rule
* adjusted value of timestamp override from event_ingested to event.ingested
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* linted toml file as suggested
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-03 09:21:40 -05:00
5c477849fe
[Rule Tuning] Update PowerShell script_block queries to avoid partial matches ( #1807 )
...
* Update script_block queries
* Update execution_posh_psreflect.toml
2022-03-03 07:37:25 -03:00
283cbca702
find shell evasion threat( #1801 )
...
* new:rule:issue-1800 Adding new rule for find shell evasion
* new:rule:issue-1800 Adding new rule for find shell evasion
* new:rule:issue-1800 Adding new rule for find shell evasion
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* new:rule:issue-1800 Adding Mittre Attack Techniques
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* new:rule:issue-1800 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-02 22:00:29 +05:30
c9dd047966
apt binary shell evasion threat ( #1792 )
...
* new:rule:issue-1782 Adding a new Rule for apt binary shell evasion threat
* new:rule:issue-1782 Review Comments
* Update rules/linux/apt_binary_shell_evasion.toml
* new:rule:issue-1782 Adding Mittre Attack Techniques
* new:rule:issue-1782 Adding Mittre Attack Techniques
* new:rule:issue-1782 Adding Mittre Attack Techniques
* new:rule:issue-1782 Adding Mittre Attack Techniques
* new:rule:issue-1782 Adding Mittre Attack Techniques
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* new:rule:issue-1782 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-03-02 21:57:40 +05:30
e004a2f4a5
awk binary shell evasion threat ( #1794 )
...
* new:rule:issue-1785 Adding a new Rule for awk binary shell evasion threat
* Update rules/linux/awk_binary_shell_evasion.toml
* Update rules/linux/awk_binary_shell_evasion.toml
* new:rule:issue-1785 Adding Mittre Attack Techniques
* new:rule:issue-1785 Adding Mittre Attack Techniques
* new:rule:issue-1785 Adding Mittre Attack Techniques
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* new:rule:issue-1785 Review Comments
* new:rule:issue-1785 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-03-02 21:53:49 +05:30
758784d4d5
env binary shell evasion threat ( #1793 )
...
* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat
* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat
* Update rules/linux/env_binary_shell_evasion.toml
* Update rules/linux/env_binary_shell_evasion.toml
* new:rule:issue-1786 Adding Mittre Attack Techniques
* new:rule:issue-1786 Adding Mittre Attack Techniques
* new:rule:issue-1786 Adding Mittre Attack Techniques
* new:rule:issue-1786 Adding Mittre Attack Techniques
* new:rule:issue-1786 Adding Mittre Attack Techniques
* Update rules/linux/privilege_escalation_env_binary.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/privilege_escalation_env_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_env_binary.toml
* Update rules/linux/privilege_escalation_env_binary.toml
* new:rule:issue-1786 Review Comments
* Update rules/linux/defense_evasion_env_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-02 21:47:01 +05:30
f48144c6b3
[New Rule] Registry Hive File Creation via SMB ( #1779 )
...
* [New Rule] Registry Hive File Creation via SMB
Identifies the creation or modification of a medium size registry hive file via the SMB protocol :
* Update credential_access_moving_registry_hive_via_smb.toml
* Update etc/non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-02 10:12:17 +01:00
8a9b52f7e1
Update impact_azure_service_principal_credentials_added.toml ( #1802 )
2022-03-02 05:36:21 -03:00
1c50f35aed
[Security Content] Update rules based on docs review ( #1803 )
...
* Adds suggestions from security-docs
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-03-01 21:39:30 -03:00
aa7d79cc53
[New Rule] LSASS Memory Dump ( #1784 )
...
* Add new event_data fields (ObjectName, ProcessName)
* Add detection for LSASS Memory Dump Handle Access
* Reference an example of 120089 AccessMask presence
* modify query to increase performance and update the description to remove ("This rule").
* expand path to Elastic Agent ensure syntax consistency
* Optimize rule based on AccessMaskDescription and additional False Positives.
* add AccessMaskDescription keyword and rule tune to make sure AccessMask is used
* filter dllhost.exe and or the condition between AccessMask and AccessMaskDescription
* cleanup
2022-02-24 08:14:01 -05:00
8664ef59f4
Update persistence_azure_conditional_access_policy_modified.toml ( #1788 )
2022-02-22 15:26:28 -03:00
dec4243db0
[Rule Tuning] Update rules based on docs review ( #1778 )
...
* Update rules based on docs review
* trivial change to trigger CLA
* undo changes from triggering build
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-16 07:42:06 -09:00
3227d65cd8
[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id ( #1773 )
...
* Remove Windows Integration & Winlogbeat Support
* Update lateral_movement_service_control_spawned_script_int.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-15 23:04:55 -03:00
03f60cc11c
[Rule Tuning] Potential Command and Control via Internet Explorer ( #1771 )
...
* Use user.name on the sequence instead of user.id
* Update command_and_control_iexplore_via_com.toml
* Remove min_stack and comment "with runs"
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-15 22:58:01 -03:00
42436d3364
[New Rule] Potential Credential Access via DCSync ( #1763 )
...
* "Potential Credential Access via DCSync" Initial Rule
* replace unintentional bracket removal
* json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-15 21:40:26 -03:00
fd678dc5cb
Modified to use Integrity fields instead of user.id ( #1772 )
2022-02-15 15:22:49 -09:00
9bbe26fec0
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes ( #1775 )
...
* Initial Review of Sysmon Registry Rules
* Update defense_evasion_sip_provider_mod.toml
2022-02-15 09:56:37 -03:00
c646a18efb
Update discovery_net_command_system_account.toml ( #1769 )
2022-02-14 12:11:12 -03:00
326aa64ff6
[New Rule] Windows Service Installed via an Unusual Client ( #1759 )
...
* [New Rule] Windows Service Installed via an Unusual Client
https://www.x86matthew.com/view_post?id=create_svc_rpc
* Update non-ecs-schema.json
* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Add ```s
* Update privilege_escalation_windows_service_via_unusual_client.toml
* add missing comma to schema
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-11 21:56:59 +01:00
9c56b00429
Modification of AmsiEnable Registry Key - Sysmon support ( #1760 )
2022-02-11 17:49:38 -03:00
aa9fedd18d
Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml ( #1757 )
2022-02-11 08:15:49 -09:00
b1121da237
[Rule Tuning] Fix IM query ( #1767 )
...
* Fix IM quer
* Add update date
2022-02-10 09:30:13 -09:00
5a16a222ad
[Documentation] Fix O365 Integration name on Rules and Unit Test ( #1684 )
...
* Adjust Integration Name
* Update defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
* Update integration name
* .
* Case
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-09 19:03:30 -03:00
97835bc5c5
Move misplaced rule to proper folder ( #1756 )
...
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-02-04 11:35:29 -09:00
85b72256c2
[New Rule] Potential Shadow Credentials added to AD Object ( #1729 )
...
* Potential Shadow Credentials added to AD Object Initial Rule
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update credential_access_shadow_credentials.toml
* Add AD tag
* Update credential_access_shadow_credentials.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-04 15:49:04 -03:00
7dac52f1cf
[New Rule] PowerShell Script Block Logging Disabled ( #1749 )
...
* PowerShell Script Block Logging Disabled
* Update rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update defense_evasion_disable_posh_scriptblocklogging.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-04 15:44:27 -03:00
40095d95bf
Update credential_access_mod_wdigest_security_provider.toml ( #1751 )
2022-02-04 15:38:12 -03:00
9ce5d0b92a
[New Rule] AdminSDHolder Backdoor ( #1745 )
...
* AdminSDHolder Backdoor
* Update rules/windows/persistence_ad_adminsdholder.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-01 10:14:39 -03:00
d949fefe0c
[New Rule] KRBTGT Delegation Backdoor ( #1743 )
...
* KRBTGT Delegation Backdoor
* Update persistence_msds_alloweddelegateto_krbtgt.toml
* Update non-ecs-schema.json
* Update rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* refresh rule_id with new uuid
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-01 10:08:54 -03:00
26d5bad914
[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation ( #1741 )
...
* Update persistence_exchange_suspicious_mailbox_right_delegation.toml
* fix year
2022-01-31 21:02:02 -03:00
Stijn Holzhauer