2f7471e749
[New Rule] Adding Data Exfiltration Rules from Advanced Analytic DED Package ( #3126 )
...
* Adding DED rules
* adding integration manifests and schemas for DED
* Updating min stack version
* updating manifests and schemas to match main
* added setup note; updated references
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
(cherry picked from commit 97ff7fb26e
2023-10-14 17:29:24 +00:00
045de05e46
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 ( #3183 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 2b0735024e
2023-10-13 19:16:31 +00:00
685cc8f628
[FR] 8.11 Release Preparation and Update Main Branch to 8.12 ( #3182 )
...
* prepping for 8.12 branch
* added ananlytic manifests and schemas
* fix linting issues
* updated analytic package manifests and schemas
Removed changes from:
- detection_rules/etc/packages.yml
(selectively cherry picked from commit b4f8fc3290
2023-10-13 17:43:21 +00:00
3351e87789
Improve exsisting setup configurations for Linux ( #3141 )
...
(cherry picked from commit 15718ea09e
2023-10-13 08:15:12 +00:00
094ad60ff6
[New Rule] New GitHub App Installed ( #3055 )
...
* new rule
* Update rules/integrations/github/execution_new_github_app_installed.toml
* Update rules/integrations/github/execution_new_github_app_installed.toml
edits from review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* change query from event.module to event.dataset
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 374c9c6257
2023-10-13 00:16:30 +00:00
d72996c401
[New Rule] Migrate Lateral Movement Detection Rules ( #3175 )
...
* adding LMD rules
* added setup note; updated references
* adds 2.0.0 lmd manifest and schema
* adjusted min-stack for non-ML rules
(cherry picked from commit 1e514afa57
2023-10-12 19:07:54 +00:00
0308e32ea0
[FR] Add ML Jobs to Schemas and Unit Test for Validation ( #3161 )
...
* adding machine learning job id validation
* Update rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
* Update tests/test_all_rules.py
* adding integration manifests and schemas from main
* rebuilt manifests and schemas with lmd
* fixed unit test linting
* adding manifests and schemas for other analytic packages
* updated manifests and schemas; adjusted unit test for verbosity
* sorted imports
(cherry picked from commit 3e212e2b74
2023-10-12 14:57:00 +00:00
788f2ce884
[Rule Tuning] PowerShell Rules Tuning ( #3169 )
...
(cherry picked from commit 3f2a709370
2023-10-11 21:03:44 +00:00
7c563fb834
[New Rule] File Compressed or Archived into Common Format ( #3173 )
...
* [New Rule] File Compressed or Archived into Common Format
* new build-threat-map-entry-command
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 7f8a9849c4
2023-10-11 18:40:16 +00:00
f67291561e
[FR] Only supporting known compatible rule file types ( #3167 )
...
* Only supporting known compatible file types
* Add --ignore-invalid-files flag
* Added support to ignore invalid rule files
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/utils.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/main.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* reverting main
* add punctuation
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 9f61ce4923
2023-10-11 15:49:41 +00:00
c9a1edd9fc
[New Rule] Potential curl CVE-2023-38545 Exploitation ( #3168 )
...
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Added setup guide
* Update execution_curl_CVE_2023_38545.toml
* File name change
* File name change
* Update dates
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
(cherry picked from commit 89cfdcd440
2023-10-11 14:48:20 +00:00
f66b82c0ec
[Tuning] Windows Execution Rule Tuning for UEBA ( #3107 )
...
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Mostly updated Execution tags, also new_terms conv
* removed index
* Removed index
* WMIPrvSE tuning
* Additional tuning
* Tuning & changes
* Additional tuning
* Applied unit test optimization
* Addressed feedback
* Update rules/windows/execution_command_shell_started_by_svchost.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* caseless unit testing fix
* fixed caseless executable unit test
* unit testing fix
* Update rules/windows/execution_suspicious_powershell_imgload.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update execution_ms_office_written_file.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
* Added user ids to new terms
* Update rules/windows/execution_suspicious_powershell_imgload.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules_building_block/execution_unsigned_service_executable.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update execution_unsigned_service_executable.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit c2822e175c
2023-10-11 08:21:37 +00:00
d4d794b586
[Tuning] Windows Discovery Rule Tuning for UEBA ( #3097 )
...
* [Tuning] Win DR Tuning for UEBA
* Need to get used to Windows formatting
* Added additional content
* Updated min stack
* Added additional tuning
* Fixed unit testing for KQL optimization
* Update rules_building_block/discovery_internet_capabilities.toml
* Additional tuning
* Kuery optimization
* Additional tuning
* Additional tuning
* Additional tuning
* Additional tuning
* Unit testing optimization fix
* optimization
* tuning
* Optimization
* Update rules/windows/discovery_privileged_localgroup_membership.toml
* Added feedback
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* added host.id as additional new_terms field
* Reworked a lot.
* kibana.alert.rule.rule_id to non-ecs-schema.json
* Fixed index by adding a dot
* fixed typo
* Added host.os.type:windows for signals
* Added additional tag
* Added Higher-Order Rule tag
* Stripped down signal rules down to two
* revert
* Update rules/windows/discovery_admin_recon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/discovery_generic_registry_query.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update discovery_generic_registry_query.toml
* Readded exclusions
* Added trailing wildcards for KQL
* Update discovery_privileged_localgroup_membership.toml
* Update rules_building_block/discovery_signal_unusual_user_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Formatting fix
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 4cdf52129a
2023-10-11 07:49:08 +00:00
bd7d94c1f3
[New Rule] Pot. Rev. Shell via Background Process ( #3114 )
...
(cherry picked from commit a46797b987
2023-10-06 21:20:37 +00:00
281d02e5d2
[New Rule] New GitHub Owner Added ( #3090 )
...
* [New Rule] New GitHub Owner Added
new rule
* name change
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit ef8f5620e1
2023-10-06 20:03:14 +00:00
e9ecac7c75
[New Rule] GitHub Owner Role Granted to User ( #3087 )
...
* [New Rule] GitHub Owner Role Granted to User
new rule
* Update persistence_organization_owner_role_granted.toml
* updated integration schema
* changed timestamp_override
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 9593412847
2023-10-06 19:50:02 +00:00
5152ea9c6f
[Tuning] CVE-2023-4911 ( #3160 )
...
(cherry picked from commit c3cc01333a
2023-10-06 11:18:47 +00:00
138b46a423
removing lmd rules and fixing version lock history ( #3159 )
...
(cherry picked from commit 57c05f0444
2023-10-05 16:22:34 +00:00
b6da24629e
[New Rule] PE via CVE-2023-4911 (Looney Tunables) ( #3158 )
...
* [New Rule] PE via CVE-2023-4911 (Looney Tunables)
* Update rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
* Update rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
(cherry picked from commit f4ad1f28e3
2023-10-05 14:47:09 +00:00
2b22d066fd
[Rule Tuning] Add filebeat Compatibility to Network Rules ( #2925 )
...
* add beats compatability to NPC rules
* added filebeat compatibility to 'Accepted Default Telnet Port Connection'
* added filebeat compatibility to 'Cobalt Strike Command and Control Beacon'
* added filebeat compatibility to 'Default Cobalt Strike Team Server Certificate'
* added filebeat compatibility to 'Roshal Archive (RAR) or PowerShell File Downloaded from the Internet'
* added filebeat compatibility to 'Possible FIN7 DGA Command and Control Behavior'
* added filebeat compatibility to 'Halfbaked Command and Control Beacon'
* added filebeat compatibility to 'IPSEC NAT Traversal Port Activity'
* added filebeat compatibility to 'SMTP on Port 26/TCP'
* added filebeat compatibility to 'RDP (Remote Desktop Protocol) from the Internet'
* added filebeat compatibility to 'VNC (Virtual Network Computing) from the Internet'
* added filebeat compatibility to 'VNC (Virtual Network Computing) to the Internet'
* added filebeat compatibility to 'RPC (Remote Procedure Call) from the Internet'
* added filebeat compatibility to 'RPC (Remote Procedure Call) to the Internet'
* added filebeat compatibility to 'SMB (Windows File Sharing) Activity to the Internet'
* removed extra space in query
* added filebeat compatibility to 'Inbound Connection to an Unsecure Elasticsearch Node'
* added filebeat compatibility to 'Abnormally Large DNS Response'
* fixed missing ending parenthesis
* added auditbeat to compatible rules
* addressed feedback
* removed filebeat and auditbeat due to incompatibility
* Update rules/network/command_and_control_cobalt_strike_beacon.toml
* Update rules/network/command_and_control_accepted_default_telnet_port_connection.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit b8ae2218f8
2023-10-03 19:11:07 +00:00
e38cb6ee58
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 ( #3155 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 0e2ae5b9ef
2023-10-03 18:40:36 +00:00
54303f84fc
adjusting minimum stack version for version control ( #3154 )
...
(cherry picked from commit 8d2b730bc5
2023-10-03 17:41:45 +00:00
5e5ac212ae
Updated common.requires_os calls ( #3109 )
...
(cherry picked from commit bba8cd3b57
2023-10-03 14:53:42 +00:00
dd080b7850
[New BBR] Sus. Process Started via tmux or screen ( #3071 )
...
* [New BBR] Sus. Process Started via tmux or screen
* [New BBR] Unix Socket Connection
* Revert "[New BBR] Unix Socket Connection"
This reverts commit 92a0b09e8c505bceb1025124658bb4233d5d19d9.
* Update rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 8f122197bb
2023-09-30 11:02:39 +00:00
add7ce9508
[Bug] Updated os.path calls to pathlib ( #3110 )
...
* Updated os.path calls to pathlib
* fixed typo
* os.join replacement typo
* additional join typo
* updated os directory functions
* exist_ok typo
* cleanup
* Updated for cleanliness
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 16550b7144
2023-09-28 20:38:34 +00:00
3b2a09d55c
[Bug] Create Rule CLI Crashes on Required Arg ( #3127 )
...
(cherry picked from commit e4b66c23dc
2023-09-28 19:33:57 +00:00
89a8bdfd0c
[FR] Added asset tag to expected tags ( #3115 )
...
* Added asset tag to expected tags
* removed *
* Add regex wildcard tag support
* Updated tag format test location
* Updated to use env variable
* fixed typo
(cherry picked from commit 4828ae07df
2023-09-28 18:15:12 +00:00
fadd7fe320
[Rule Tuning] Update LMD Rules Min-Stack to 8.5 ( #3142 )
...
* updating min-stack to 8.5
* updated min stack comments
(cherry picked from commit 8650b26002
2023-09-27 20:23:45 +00:00
116a7de890
[New Rule] Adding Lateral Movement Rules from Advanced Analytic LMD Package ( #3119 )
...
* Adding Lateral Movement Detection rules
* added tags; adjusted tests; updated manifests and schemas
* added default value to build_integrations_schema
* combined analytic and non-dataset packages for related integrations
* adjusted machine learning definitions
* adjusted machine learning definitions
* removed splat for machine learning list due to 3.8 constraints
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 747ee7d593
2023-09-27 18:59:55 +00:00
7cb4c5216d
[New Rule] [BBR] File with Suspicious Extension Downloaded ( #3139 )
...
* [New Rule] [BBR] File with Suspicious Extension Downloaded
* Update defense_evasion_download_susp_extension.toml
(cherry picked from commit f77bec8552
2023-09-27 15:43:02 +00:00
07d80c2b70
[New RTA] Privesc via OverlayFS ( #3003 )
...
* [New RTA] Privesc via OverlayFS
* Update rta/overlayfs_privesc.py
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 6f7e419f1e
2023-09-27 08:51:15 +00:00
c27b0e26bd
update transform test to fail on missing transform ( #3085 )
...
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit f6b6bee5c2
2023-09-21 19:28:31 +00:00
80f16bb7ac
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 ( #3108 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit de2b97a492
2023-09-18 15:20:10 +00:00
18fb966776
[New Rule] Network Activity Detected via cat ( #3069 )
...
* [New Rule] Network Activity via cat
* Update command_and_control_cat_network_activity.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit b291317ea6
2023-09-18 07:56:50 +00:00
f4ce48063c
[New Rule] Github Repository Deleted ( #3056 )
...
* new rule
* Update rules/integrations/github/impact_github_repository_deleted.toml
* Update rules/integrations/github/impact_github_repository_deleted.toml
updates based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 9146e0965d
2023-09-14 22:05:59 +00:00
09feb8b94f
[New Rule] GitHub Protected Branch Settings Changed ( #3054 )
...
* new rule file
* testing query change
* query changed back
* Update rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
updates based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* updated integration manifests with github schema
* Update defense_evasion_github_protected_branch_settings_changed.toml
added event.dataset to query
* added timestamp_override
* changed timestamp_override to @timestamp
* changed timestamp_override
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 904e37b732
2023-09-14 21:25:40 +00:00
0bc9b126f6
Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity ( #3091 )
...
* Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity
When dllhost.exe is called with the "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}" argument it is creating an "OOBE Elevated Object Server" as per https://strontic.github.io/xcyclopedia/library/clsid_ca8c87c1-929d-45ba-94db-ef8e6cb346ad.html
Out of the box experience is part of the Windows autopilot and therefore should be legitimate behaviour.
* simplified detection logic by utilising process.parent.args
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit ccfc931fbd
2023-09-13 16:56:38 +00:00
ab3a15861c
[Security Content] Add missing osquery transforms ( #3088 )
...
* [Security Content] Add missing osquery transforms
* Revertable unit test
* .
* Revert "Revertable unit test"
This reverts commit 8c909fc2712b16e062890a63f31a6c080b81244a.
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 4034436f06
2023-09-13 11:12:36 +00:00
711e0f3ab7
[New Rule] New BBR Rules - Part 2 ( #3029 )
...
* [New Rule] New BBR Rules - Part 2
* Update discovery_generic_account_groups.toml
* Update discovery_generic_account_groups.toml
* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/execution_downloaded_shortcut_files.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules_building_block/defense_evasion_unusual_process_extension.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update defense_evasion_unusual_process_extension.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit ddb1f75352
2023-09-13 00:54:52 +00:00
4b2112f4a0
[New Rule] New BBR Rules - Part 3 ( #3034 )
...
* [New Rule] New BBR Rules - Part 3
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit af99186992
2023-09-13 00:34:12 +00:00
fa494e4c46
[New Rule] Potential UDP Reverse Shell ( #2906 )
...
* [New Rule] Potential UDP Reverse Shell Detected
* Title change
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* updated non-ecs-schema to update unmapped fields
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Removed netcat, added destination ip list
* Update execution_shell_via_udp_cli_utility_linux.toml
* Added precautionary exclusions
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
* replaced schema files
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit f8f3576971
2023-09-07 15:18:55 +00:00
63b817353a
[New Rule] Potential Meterpreter Reverse Shell ( #3007 )
...
* [New Rule] Potential Meterpreter Reverse Shell
* Update execution_shell_via_meterpreter_linux.toml
* Update execution_shell_via_meterpreter_linux.toml
* Update rules/linux/execution_shell_via_meterpreter_linux.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 15e71ec2e8
2023-09-07 15:10:01 +00:00
49c7a9317e
[FR] Add support for samples in eql 0.9.18 ( #3000 )
...
(cherry picked from commit 20de1d8d1d
2023-09-07 14:07:20 +00:00
2e74d50950
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 ( #3079 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 87af5b43ba
2023-09-06 17:26:57 +00:00
e9b1ebae3f
[New Rule] New BBR Rules - Part 5 ( #3052 )
...
* [New Rule] New BBR Rules - Part 5
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Tag work
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 3614f42b00
2023-09-05 21:42:38 +00:00
521ecdc6c4
[New Rule] New BBR Rules - Part 1 ( #3026 )
...
* [New Rule] New BBR Rules - Part 1
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/lateral_movement_at.toml
* Update rules_building_block/collection_outlook_email_archive.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 8049c96281
2023-09-05 21:14:06 +00:00
56e54e714c
[New Rule] Potential Masquerading as Business App Installer ( #3068 )
...
(cherry picked from commit 26c97dc241
2023-09-05 21:04:26 +00:00
7780167504
Added unit test ( #3038 )
...
* Added unit test
* removed print from unit test
* fixed linting
* Updated to put validation in init
* Updated for cleanliness
* removed Literal import
(cherry picked from commit 34ebcec679
2023-09-05 19:32:50 +00:00
063386829c
[Security Content] Include "Data Source: Elastic Defend" tag ( #3002 )
...
* win folder
* Other folders
* Update test_all_rules.py
* .
* updated missing elastic defend tags
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
(cherry picked from commit 4233fef238
2023-09-05 18:28:40 +00:00
4bb0cdc3f3
[Rule Tuning] Small Linux DR Tuning ( #3074 )
...
* [Rule tuning] Adressing community issue
* Changed title
* Changed IG title
(cherry picked from commit 6115a68aba
2023-09-05 12:26:47 +00:00
Apoorva Joshi