22367d3702
crash shell evasion threat ( #1861 )
2022-03-22 18:46:05 +05:30
2ab5a1f44a
[New Rule] cpulimit shell evasion threat ( #1851 )
...
* cpulimit shell evasion threat
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-21 12:16:53 -05:00
7feebc2c10
Updation of Mitre Tactic and Threats ( #1850 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-18 15:06:24 +05:30
b492258fb0
[New Rule] busybox shell evasion threat ( #1842 )
...
* busybox shell evasion threat
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-17 09:54:46 +05:30
f7735df1d5
[New Rule] c89/c99 shell evasion threat ( #1840 )
...
* c88/c99 shell evasion threat
2022-03-16 23:06:34 +05:30
c05f3c8aa3
gcc shell evasion threat ( #1824 )
2022-03-10 22:41:31 +05:30
b49cce9fcb
ssh shell evasion threat ( #1827 )
2022-03-10 22:39:05 +05:30
ddbc1de45c
mysql shell evasion threat ( #1823 )
2022-03-10 22:36:35 +05:30
334aa12aaf
expect shell evasion threat ( #1817 )
...
* expect shell evasion threat
* expect shell evasion threat
* Update rules/linux/defense_evasion_expect_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-07 14:22:56 -06:00
2b6a357a4b
nice shell evasion threat ( #1820 )
...
* nice shell evasion threat
* Update rules/linux/defense_evasion_nice_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-07 13:59:16 -06:00
f9503f2096
[Rule Tuning] Rule description updates ( #1811 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-07 19:33:11 +05:30
2a82f18e43
[New Rule] Linux Restricted Shell Breakout via the Vi command ( #1809 )
...
* new:rule:issue-1808 vi shell evasion threat
* Update rules/linux/defense_evasion_vi_binary.toml
* Update rules/linux/defense_evasion_vi_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* new:rule:issue-1808 vi shell evasion threat
* new:rule:issue-1808 vi shell evasion threat
* new:rule:issue-1808 vi shell evasion threat
* Update rules/linux/defense_evasion_vi_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-04 13:46:19 -06:00
283cbca702
find shell evasion threat( #1801 )
...
* new:rule:issue-1800 Adding new rule for find shell evasion
* new:rule:issue-1800 Adding new rule for find shell evasion
* new:rule:issue-1800 Adding new rule for find shell evasion
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* new:rule:issue-1800 Adding Mittre Attack Techniques
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* new:rule:issue-1800 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-02 22:00:29 +05:30
c9dd047966
apt binary shell evasion threat ( #1792 )
...
* new:rule:issue-1782 Adding a new Rule for apt binary shell evasion threat
* new:rule:issue-1782 Review Comments
* Update rules/linux/apt_binary_shell_evasion.toml
* new:rule:issue-1782 Adding Mittre Attack Techniques
* new:rule:issue-1782 Adding Mittre Attack Techniques
* new:rule:issue-1782 Adding Mittre Attack Techniques
* new:rule:issue-1782 Adding Mittre Attack Techniques
* new:rule:issue-1782 Adding Mittre Attack Techniques
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* new:rule:issue-1782 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-03-02 21:57:40 +05:30
e004a2f4a5
awk binary shell evasion threat ( #1794 )
...
* new:rule:issue-1785 Adding a new Rule for awk binary shell evasion threat
* Update rules/linux/awk_binary_shell_evasion.toml
* Update rules/linux/awk_binary_shell_evasion.toml
* new:rule:issue-1785 Adding Mittre Attack Techniques
* new:rule:issue-1785 Adding Mittre Attack Techniques
* new:rule:issue-1785 Adding Mittre Attack Techniques
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* new:rule:issue-1785 Review Comments
* new:rule:issue-1785 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-03-02 21:53:49 +05:30
758784d4d5
env binary shell evasion threat ( #1793 )
...
* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat
* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat
* Update rules/linux/env_binary_shell_evasion.toml
* Update rules/linux/env_binary_shell_evasion.toml
* new:rule:issue-1786 Adding Mittre Attack Techniques
* new:rule:issue-1786 Adding Mittre Attack Techniques
* new:rule:issue-1786 Adding Mittre Attack Techniques
* new:rule:issue-1786 Adding Mittre Attack Techniques
* new:rule:issue-1786 Adding Mittre Attack Techniques
* Update rules/linux/privilege_escalation_env_binary.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/privilege_escalation_env_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_env_binary.toml
* Update rules/linux/privilege_escalation_env_binary.toml
* new:rule:issue-1786 Review Comments
* Update rules/linux/defense_evasion_env_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-02 21:47:01 +05:30
1c50f35aed
[Security Content] Update rules based on docs review ( #1803 )
...
* Adds suggestions from security-docs
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-03-01 21:39:30 -03:00
b9edc5464e
[New Rule] Potential Privilege Escalation via PKEXEC ( #1727 )
...
* [New Rule] Potential Privilege Escalation via PKEXEC
Identifies attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user :
* Update privilege_escalation_pkexec_envar_hijack.toml
* removed = sign
2022-01-27 10:41:40 +01:00
84d55c829d
Revert "[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix ( #1649 )" ( #1731 )
...
This reverts commit 625d1df2bf
2022-01-26 11:41:12 -09:00
625d1df2bf
[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix ( #1649 )
...
* Update execution_python_tty_shell.toml
* Update EQL query to sequence
* Remove auditbeat index
* Update rules/linux/execution_python_tty_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-01-20 08:50:30 -03:00
5bdf70e72c
Add min_stack_comments to metadata schema ( #1573 )
...
* Add min_stack_comments to metadata schema
2021-10-19 20:52:53 -08:00
d31ea6253e
Refresh ATT&CK mappings to v9.0 ( #1401 )
...
* Refresh ATT&CK mappings to v9.0
* Update rules to reflect ATT&CK changes
2021-08-04 14:16:10 -08:00
9b559d0cd9
[Rule Tuning] Creation of Hidden Files and Directories ( #1357 )
...
* [Rule Tuning] Creation of Hidden Files and Directories
* Remove redundant `A` from the regex
2021-07-21 11:47:40 -06:00
12577f7380
[Rule Tuning] Update network rule address blocks ( #1227 )
...
* Update network rule address blocks
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-06-15 09:22:59 -04:00
ff45539369
[Deprecation] Deprecate inherently noisy rules based on testing ( #1122 )
...
* Demote maturity
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-04-21 15:10:06 -04:00
170b87097d
[New Rule] Potential Protocol Tunneling via EarthWorm ( #1094 )
...
* [New Rule] Potential Protocol Tunneling via EarthWorm
* fixed tactic ID
* fixed rule_id
* tactic case sensitive
* tags
* Update rules/linux/command_and_control_tunneling_via_earthworm.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-15 10:17:56 +02:00
3e1169317f
[Rule Tuning] Timestomping using Touch Command ( #1006 )
...
* [Rule Tuning] Timestomping using Touch Command
* removed process_started from event.type
* update date
* Update defense_evasion_timestomp_touch.toml
* lint and resolve conflict
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
2021-03-19 10:26:40 +01:00
0b65678d8c
[Rule tuning] Correct tags with associated threat mappings ( #1003 )
2021-03-08 14:12:29 -09:00
3fc34b86f2
Update License to Elastic v2 ( #944 )
2021-03-03 22:12:11 -09:00
645a0cd67b
[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules ( #945 )
...
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
2021-02-17 19:49:58 -09:00
2e0bb6c617
remove deprecated rule again
2021-02-17 14:15:21 -09:00
a77bd6178f
Merge remote-tracking branch 'upstream/7.11' into merge-7.11-to-7.12
...
# Conflicts:
# rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
2021-02-17 14:11:50 -09:00
90a9320f93
[Rule Tuning] Remove timestamp_override for endgame-* promotion rules ( #951 )
...
* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
2021-02-17 13:48:57 -09:00
32e3c02c4e
remove deprecated rule
2021-02-17 12:19:36 -09:00
6ce418877f
Merge remote-tracking branch 'upstream/7.12' into merge-7.11-to-7.12
...
# Conflicts:
# etc/version.lock.json
# rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
# rules/cross-platform/impact_hosts_file_modified.toml
# rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
# rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
# rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
# rules/linux/defense_evasion_timestomp_touch.toml
# rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
# rules/macos/credential_access_credentials_keychains.toml
# rules/macos/credential_access_promt_for_pwd_via_osascript.toml
# rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
# rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
# rules/promotions/external_alerts.toml
# rules/windows/collection_email_powershell_exchange_mailbox.toml
# rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
# rules/windows/collection_winrar_encryption.toml
# rules/windows/command_and_control_common_webservices.toml
# rules/windows/command_and_control_encrypted_channel_freesslcert.toml
# rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
# rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
# rules/windows/command_and_control_teamviewer_remote_file_copy.toml
# rules/windows/credential_access_cmdline_dump_tool.toml
# rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
# rules/windows/credential_access_credential_dumping_msbuild.toml
# rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
# rules/windows/credential_access_dump_registry_hives.toml
# rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
# rules/windows/credential_access_iis_connectionstrings_dumping.toml
# rules/windows/credential_access_kerberoasting_unusual_process.toml
# rules/windows/credential_access_lsass_memdump_file_created.toml
# rules/windows/credential_access_mimikatz_memssp_default_logs.toml
# rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
# rules/windows/defense_evasion_clearing_windows_event_logs.toml
# rules/windows/defense_evasion_code_injection_conhost.toml
# rules/windows/defense_evasion_cve_2020_0601.toml
# rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
# rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
# rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
# rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
# rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
# rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
# rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
# rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
# rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
# rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
# rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
# rules/windows/defense_evasion_hide_encoded_executable_registry.toml
# rules/windows/defense_evasion_iis_httplogging_disabled.toml
# rules/windows/defense_evasion_injection_msbuild.toml
# rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
# rules/windows/defense_evasion_masquerading_renamed_autoit.toml
# rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
# rules/windows/defense_evasion_masquerading_trusted_directory.toml
# rules/windows/defense_evasion_modification_of_boot_config.toml
# rules/windows/defense_evasion_port_forwarding_added_registry.toml
# rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
# rules/windows/defense_evasion_sdelete_like_filename_rename.toml
# rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
# rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
# rules/windows/defense_evasion_suspicious_zoom_child_process.toml
# rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
# rules/windows/defense_evasion_unusual_dir_ads.toml
# rules/windows/defense_evasion_unusual_system_vp_child_program.toml
# rules/windows/defense_evasion_via_filter_manager.toml
# rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
# rules/windows/discovery_adfind_command_activity.toml
# rules/windows/discovery_admin_recon.toml
# rules/windows/discovery_file_dir_discovery.toml
# rules/windows/discovery_net_command_system_account.toml
# rules/windows/discovery_net_view.toml
# rules/windows/discovery_peripheral_device.toml
# rules/windows/discovery_process_discovery_via_tasklist_command.toml
# rules/windows/discovery_query_registry_via_reg.toml
# rules/windows/discovery_remote_system_discovery_commands_windows.toml
# rules/windows/discovery_security_software_wmic.toml
# rules/windows/discovery_whoami_command_activity.toml
# rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
# rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
# rules/windows/execution_command_shell_started_by_powershell.toml
# rules/windows/execution_command_shell_started_by_svchost.toml
# rules/windows/execution_command_shell_started_by_unusual_process.toml
# rules/windows/execution_command_shell_via_rundll32.toml
# rules/windows/execution_from_unusual_directory.toml
# rules/windows/execution_from_unusual_path_cmdline.toml
# rules/windows/execution_shared_modules_local_sxs_dll.toml
# rules/windows/execution_suspicious_cmd_wmi.toml
# rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
# rules/windows/execution_suspicious_pdf_reader.toml
# rules/windows/execution_suspicious_powershell_imgload.toml
# rules/windows/execution_suspicious_psexesvc.toml
# rules/windows/execution_suspicious_short_program_name.toml
# rules/windows/execution_via_compiled_html_file.toml
# rules/windows/execution_via_hidden_shell_conhost.toml
# rules/windows/execution_via_net_com_assemblies.toml
# rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
# rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
# rules/windows/initial_access_script_executing_powershell.toml
# rules/windows/initial_access_suspicious_ms_office_child_process.toml
# rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
# rules/windows/initial_access_unusual_dns_service_children.toml
# rules/windows/initial_access_unusual_dns_service_file_writes.toml
# rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
# rules/windows/lateral_movement_execution_from_tsclient_mup.toml
# rules/windows/lateral_movement_local_service_commands.toml
# rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
# rules/windows/lateral_movement_rdp_enabled_registry.toml
# rules/windows/lateral_movement_rdp_tunnel_plink.toml
# rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
# rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
# rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
# rules/windows/persistence_adobe_hijack_persistence.toml
# rules/windows/persistence_appcertdlls_registry.toml
# rules/windows/persistence_appinitdlls_registry.toml
# rules/windows/persistence_evasion_registry_ifeo_injection.toml
# rules/windows/persistence_gpo_schtask_service_creation.toml
# rules/windows/persistence_local_scheduled_task_commands.toml
# rules/windows/persistence_ms_office_addins_file.toml
# rules/windows/persistence_ms_outlook_vba_template.toml
# rules/windows/persistence_priv_escalation_via_accessibility_features.toml
# rules/windows/persistence_registry_uncommon.toml
# rules/windows/persistence_run_key_and_startup_broad.toml
# rules/windows/persistence_services_registry.toml
# rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
# rules/windows/persistence_startup_folder_scripts.toml
# rules/windows/persistence_suspicious_com_hijack_registry.toml
# rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
# rules/windows/persistence_suspicious_scheduled_task_runtime.toml
# rules/windows/persistence_suspicious_service_created_registry.toml
# rules/windows/persistence_system_shells_via_services.toml
# rules/windows/persistence_user_account_creation.toml
# rules/windows/persistence_via_application_shimming.toml
# rules/windows/persistence_via_hidden_run_key_valuename.toml
# rules/windows/persistence_via_lsa_security_support_provider_registry.toml
# rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
# rules/windows/persistence_via_update_orchestrator_service_hijack.toml
# rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
# rules/windows/privilege_escalation_named_pipe_impersonation.toml
# rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
# rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
# rules/windows/privilege_escalation_rogue_windir_environment_var.toml
# rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
# rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
# rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
# rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
# rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
# rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
# rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
# rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
# rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
# rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
2021-02-17 12:18:06 -09:00
61deed3fd2
[Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules ( #948 )
...
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
2021-02-16 10:52:48 -09:00
4e6ff388fc
[Rule Tuning] Feedback from 7.12 Kibana PR ( #942 )
2021-02-11 13:32:58 -09:00
6e77f5176d
[New Rule] auditd login anomalies ( #33 )
...
* Add auditd login anomaly rules
* Flip logic to start with less-specific filters
* remove event.category from queries and update metadata
* surround event.action with quotes to account for dash
* update tags
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-02-10 14:24:55 -05:00
ffaf689778
[New Rule] Persistence via KDE AutoStart Script or Desktop File Modif… ( #809 )
...
* [New Rule] Persistence via KDE AutoStart Script or Desktop File Modification
* Update persistence_kde_autostart_modification.toml
* Update rules/linux/persistence_kde_autostart_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/linux/persistence_kde_autostart_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
* Update rules/linux/persistence_kde_autostart_modification.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* format
* date
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-02-09 10:47:05 +01:00
82fe227030
[New Rule] Sensitive Files Compression ( #756 )
...
* [New Rule] Sensitive Files Compression
* conv to kql
* Update rules/linux/credential_access_collection_sensitive_files.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/linux/credential_access_collection_sensitive_files.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/linux/credential_access_collection_sensitive_files.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/linux/credential_access_collection_sensitive_files.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-02-08 16:31:00 +01:00
99a4aaff58
[New Rule] Modification of the Dynamic Linker Preload Shared Object ( #921 )
...
* [New Rule] Modification of the Dynamic Linker Preload Shared Object
* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-02-08 16:11:37 +01:00
732770e855
[New Rule] Potential OpenSSH Backdoor Logging Activity ( #749 )
...
* [New Rule] Known SSH Backdoor Logging File
* updated query to common patterns
* updated rule name
* relinted
* added extra path
* renamed
* adjusted some filepaths
* Update rules/linux/credential_access_ssh_backdoor_log.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/linux/credential_access_ssh_backdoor_log.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/linux/credential_access_ssh_backdoor_log.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/linux/credential_access_ssh_backdoor_log.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/linux/credential_access_ssh_backdoor_log.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/linux/credential_access_ssh_backdoor_log.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/linux/credential_access_ssh_backdoor_log.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/linux/credential_access_ssh_backdoor_log.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* added kobalos OpenSSH credential stealer
added kobalos SSH credential stealer default logs file as reported by ESET this week https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf
* relinted
* adjusted MITRE technique
* Update rules/linux/credential_access_ssh_backdoor_log.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/credential_access_ssh_backdoor_log.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-02-05 21:27:15 +01:00
bec5211814
[Rule Tuning] Setuid Bit Set via chmod and Setgid Bit Set via chmod ( #875 )
...
* [Rule Tuning] Setuid Bit Set via chmod and Setgid Bit Set via chmod
* Update privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
* relinted
2021-02-04 16:29:53 +01:00
236c630c90
[Rule Tuning] Update rules using case sensitive wildcard function ( #904 )
...
* update rules using case sensitive wildcard function
* add appropriate spacing
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* update ==
* Apply suggestions from code review
* remove info update index
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update persistence_evasion_hidden_local_account_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-02-04 10:23:32 -05:00
4a5085ee54
[Rule Tuning] Sudoers File Modification ( #873 )
...
* [Rule Tuning] Sudoers File Modification
* 2021!
* Update rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-02-03 17:57:40 +01:00
bf32dec5a4
Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main
...
# Conflicts:
# rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
2021-01-28 10:41:39 -09:00
3fc4aaec0f
[New Rule] Modification of OpenSSH Binaries ( #747 )
...
* [New Rule] Modification of SSH Binaries
* Update persistence_credential_access_modify_ssh_binaries.toml
* exclude unrelated auditbeat FP events
* updated TIDs and Tactics
* fix order of TIDs and Tactics
* relinted
* added libkeyutils.so used by Ebury Backdoor
loaded by all OpenSSH processes
* renamed
* conv to kql and added one FP
* Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-01-28 19:46:30 +01:00
ebf365693e
[Rule Tuning] Deletion of Bash Command Line History ( #752 )
...
* [Rule Tuning] Deletion of Bash Command Line History
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2021-01-26 08:48:06 +01:00
c1a0438f45
[Rule Tuning] Update ATT&CK threat mappings to reflect changes ( #706 )
...
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00
e272800a5d
Add ATT&CK sub-technique support to CLI ( #614 )
...
* Add Mitre sub-technique support to CLI
* Add subtechnique enum to schema
* Add test to prevent duplicative tactics in mapping
2020-12-08 21:56:55 -09:00
shashank-elastic