2ffb0e7fe2
[New Rule] Potential Abuse of Resources by High Token Count and Large Response Sizes ( #3644 )
2024-05-03 18:01:53 -05:00
54ff270c62
[New Rule] AWS S3 Bucket Enumeration or Brute Force ( #3635 )
...
* [New Rule] AWS S3 Bucket Enumeration or Brute Force
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-05-01 15:00:33 -06:00
e29994c338
[New Rule] Shell Configuration Modification ( #3629 )
...
* [New Rule] Shell Configuration Modification
* description update
* uuid update
* query update
* query update
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-04-30 13:41:13 +02:00
115c3a6dfd
[Rule Tuning] Linux DRs ( #3628 )
2024-04-30 13:26:09 +02:00
8f6de1c235
[New] Potential privilege escalation via CVE-2022-38028 ( #3616 )
...
* [New] Potential privilege escalation via CVE-2022-38028
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
* Update privilege_escalation_exploit_cve_202238028.toml
* Update privilege_escalation_exploit_cve_202238028.toml
* Update privilege_escalation_exploit_cve_202238028.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-04-29 15:10:27 +01:00
7673ba484d
Fix minstack version for 0365 in azure integration rules ( #3612 )
2024-04-22 19:17:49 +05:30
69d42ecc71
updating performance note ( #3608 )
2024-04-18 16:36:07 -04:00
25dafb68f1
[Rule Tuning] Reverting To Previous Version ( #3607 )
2024-04-18 15:19:27 -04:00
91e69ac322
[Rule Tuning] Tuning Account Password Reset Remotely ( #3478 )
...
* tuning 'Account Password Reset Remotely'
* adjusted note
* fixing description
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* updated note about performance; toml lint
* bumping min-stack to resolve version lock
* reverting query to main
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-04-18 12:49:32 -04:00
6ae0902a38
[New Rule] Potential Windows Session Hijacking via CcmExec ( #3602 )
...
* [New Rule] Potential Windows Session Hijacking via CcmExec
* Update rules/windows/defense_evasion_sccm_scnotification_dll.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-04-18 12:57:35 -03:00
5004ff115c
[Rule Tuning] Further Tight up Elastic Defend Index Patterns ( #3584 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-04-16 13:26:42 -03:00
74312797bf
adjust aws rule index patterns and tags ( #3595 )
2024-04-16 10:08:57 -04:00
c2d1586270
[Rule Tuning] Windows BBR Promotion ( #3577 )
...
* [Rule Tuning] Windows BBR Promotion
* Update non-ecs-schema.json
* Update persistence_netsh_helper_dll.toml
* Update persistence_werfault_reflectdebugger.toml
* Update privilege_escalation_unquoted_service_path.toml
* Update defense_evasion_msdt_suspicious_diagcab.toml
* Update defense_evasion_suspicious_msiexec_execution.toml
* Update discovery_security_software_wmic.toml
* Revert "Update defense_evasion_msdt_suspicious_diagcab.toml"
This reverts commit 0e1f3ea3e18a146c421a5bda784633cca4a2b0c0.
* Revert "Update defense_evasion_suspicious_msiexec_execution.toml"
This reverts commit 4e26a167774ad712d19334a4c2c712cc1d550e7f.
* Revert "Update discovery_security_software_wmic.toml"
This reverts commit d638cec354a46cacab1e62596f4ad939a1d9c32a.
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-04-16 09:28:17 -03:00
919a438257
Update defense_evasion_untrusted_driver_loaded.toml ( #3596 )
...
excluding `errorCode_endpoint:*` status (noisy)
2024-04-15 14:52:39 +01:00
9692e59abb
[Tuning] Connection to Commonly Abused Web Services ( #3587 )
...
excluding top noisy patterns :
- Microsoft signed binaries connecting to graph.microsoft.com and sharepoint.com
- Slack, Dropbox and other signed binaries.
- github.com (removed), most abused is rawgithub dns.question.name for ingress-script/payload download
2024-04-11 08:11:28 -03:00
aa0cc42ff6
[Rule Tuning] Svchost spawning Cmd ( #3578 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-04-08 07:50:20 -03:00
153657029b
Add filebeat-* index pattern to rules based on system.auth dataset ( #3561 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-04-03 11:27:31 +02:00
0e2eb5a84c
Fix minstack version for O365 prod rules ( #3565 )
2024-04-02 21:33:18 +05:30
4ab7c9b178
[Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution ( #3545 )
...
* [Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-04-02 11:06:08 -03:00
69173872da
[Tuning] Connection to Commonly Abused Web Services ( #3425 )
...
* Update command_and_control_common_webservices.toml
* Update command_and_control_common_webservices.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-04-02 14:41:10 +01:00
f025616cbd
[New Rule] Suspicious Access to LDAP Attributes ( #2504 )
...
* Create discovery_high_number_ad_properties.toml
* Update discovery_high_number_ad_properties.toml
* Update rules/windows/discovery_high_number_ad_properties.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_high_number_ad_properties.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* fixed tags; moved note to setup, updated date
* Update discovery_high_number_ad_properties.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2024-04-02 13:57:38 +01:00
c781376188
[Rule Tuning] Potential Application Shimming via Sdbinst ( #3553 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-04-02 06:35:14 -03:00
f2490007e8
[New] Potential Execution via XZBackdoor ( #3555 )
...
* [New] Potential Execution via XZBackdoor
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-04-02 05:15:04 +01:00
b47b91b9ec
[Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules ( #3549 )
...
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules
* Delete test.pkl
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-04-01 20:45:12 -03:00
67ca13c1ce
[Rule Tuning] Replace KQL exceptions for Query DSL Exceptions ( #3505 )
...
* [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions
* update min_stack
* build out schema in more detail for Filters
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Remove enum for definition
* remove unused import
* remove $state store
* transform state
* add call to super
* add return type hint
* use dataclass metadata
* use Literal type
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-04-01 17:44:50 -03:00
400a84628e
Update setup guide for ML integration packages ( #3475 )
...
* Add more detail to ingest pipeline install
* Add more info to anomaly detection setup
* Update draft
* Fix typo
* Bulk add doc updates
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
* Address Kseniia feedback
* Update updated_date per review feedback
---------
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-04-01 15:02:32 -04:00
d4bf04256d
[Rule Deprecation] Deprecate Remote File Creation on a Sensitive Directory ( #3477 )
...
* deprecating
* adjusted matury tag; updated dates
2024-04-01 11:01:20 -04:00
218c3bead6
[New Rules] Potential PowerShell Pass-the-Hash/Relay Script ( #3543 )
...
* [New Rules] Potential PowerShell Pass-the-Hash/Relay Script
* Update credential_access_posh_relay_tools.toml
* Update execution_posh_hacktool_functions.toml
* Update credential_access_posh_relay_tools.toml
* Update credential_access_posh_relay_tools.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-03-28 07:05:35 -03:00
954a93c3b4
[New Rule] Creation of a DNS-Named Record ( #3539 )
...
* [New Rule] Creation of a DNS-Named Record
* Update credential_access_dnsnode_creation.toml
* Update rules/windows/credential_access_dnsnode_creation.toml
2024-03-27 18:21:07 -03:00
67e9ebf8e1
[New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation ( #3535 )
...
* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation
* Update credential_access_adidns_wildcard.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-03-27 10:07:23 -03:00
d7aff43621
[New] Suspicious Execution via ScreenConnect ( #3541 )
...
* [New] Suspicious Execution via ScreenConnect
- Suspicious ScreenConnect Client Child Process (limited to known suspicious patterns)
- ScreenConnect Server Spawning Suspicious Processes (webshell access via ScreenConnect server)
* Update command_and_control_screenconnect_childproc.toml
* Update rules/windows/initial_access_webshell_screenconnect_server.toml
* Update rules/windows/command_and_control_screenconnect_childproc.toml
* Update rules/windows/command_and_control_screenconnect_childproc.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update command_and_control_screenconnect_childproc.toml
* Update command_and_control_screenconnect_childproc.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-03-27 11:52:47 +00:00
138447221f
fix typo in lateral_movement_remote_services.toml ( #3538 )
2024-03-27 11:38:57 +01:00
760b99bcc1
[Rule Tuning] Scheduled Task Activity via pwsh ( #3534 )
2024-03-26 14:45:04 +01:00
fc76a8bcb5
[New] Suspicious JetBrains TeamCity Child Process ( #3532 )
...
* [New] Suspicious JetBrains TeamCity Child Process
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
2024-03-25 16:32:56 +00:00
779fa7710d
[New Rules] Veeam Credential Access DRs ( #3516 )
...
* [New Rules] Veeam Credential Access DRs
* bump
* Update credential_access_veeam_commands.toml
* Update credential_access_veeam_backup_dll_imageload.toml
* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update credential_access_veeam_commands.toml
* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-03-21 10:00:48 -03:00
a6028b43b3
[Rule Tuning] Potential Reverse Shell via UDP ( #3508 )
2024-03-21 13:48:41 +01:00
07abc19932
[Rule Tuning] SMTP on Port 26/TCP ( #3521 )
2024-03-19 15:55:25 -05:00
f6e79944f2
[Rule Tuning] Tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager' ( #3494 )
...
* tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager'
* reverting lookback window
* missing word in description
2024-03-15 19:08:28 -04:00
a4ecfe3ccf
Beaconing - Add whitelist to rules, with some more processes ( #3497 )
...
* Add whitelist to rules, with some more processes
* Update rules exceptionlist
* Update exceptions
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-03-14 15:51:02 -04:00
c610e19114
[Rule Tuning] Guided Onboarding Rule ( #3502 )
...
* [Rule Tuning] Guided Onboarding Rule
* Update guided_onboarding_sample_rule.toml
* Revert "Update guided_onboarding_sample_rule.toml"
This reverts commit 18721277df7416534440a4708fa3b060f2775a27.
* Update guided_onboarding_sample_rule.toml
* Update guided_onboarding_sample_rule.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-03-14 10:59:31 -03:00
4179180fcb
[New Rules] mprotect() RWX Binary Execution ( #3507 )
...
* [New Rules] mprotect() RWX Binary Execution
* Added rule names
* Update execution_netcon_from_rwx_mem_region_binary.toml
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update execution_netcon_from_rwx_mem_region_binary.toml
* Update execution_netcon_from_rwx_mem_region_binary.toml
2024-03-13 22:11:44 +01:00
f5254f3b5e
[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 ( #3501 )
...
* Initial commit
* Date bump
2024-03-13 10:27:44 -03:00
9f8638a004
[Tuning] event.action and event.type change ( #3495 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-03-13 10:11:21 +01:00
458e67918a
[Security Content] Small tweaks on the setup guides ( #3308 )
...
* [Security Content] Small tweaks on the setup guides
* Additional Fixes
* Avoid touching deprecated rules
2024-03-11 09:09:40 -03:00
edf4da8526
[Rule Tuning] DR Performance-Poor Rules ( #3399 )
...
* [Rule Tuning] DR Performance
* .
* Update rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml
* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml
* Update persistence_startup_folder_scripts.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-03-11 08:50:42 -03:00
709cfddcbe
fix: correct the provider for the create, delete and modify routes in EC2 VPCs ( #3500 )
2024-03-08 16:01:27 -03:00
a438052ff3
[Tuning] Linux Cross-Platform Tuning - Part 1 ( #3468 )
...
* [Tuning] Linux Cross-Platform Tuning - Part 1
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update defense_evasion_deletion_of_bash_command_line_history.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-03-07 18:20:55 +01:00
9c4ba4559d
[Tuning] Linux DR Tuning - Part 12 ( #3464 )
...
* [Tuning] Linux DR Tuning - Part 12
* Update persistence_shared_object_creation.toml
* Update privilege_escalation_dac_permissions.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Min stack rule-bending test
* formatting fix
* Revert "Merge branch 'linux-dr-tuning-12' of https://github.com/elastic/detection-rules into linux-dr-tuning-12"
This reverts commit 0170cddd905b4b983f8413eebbc11c9c7b3719ce, reversing
changes made to 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Revert "Min stack rule-bending test"
This reverts commit 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_chown_chmod_unauthorized_file_read.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-03-07 18:09:38 +01:00
3fd0358b73
[Tuning] Linux BBR Tuning - Part 1 ( #3469 )
...
* [Tuning] Linux BBR Tuning - Part 1
* [Tuning] Linux BBR Tuning - Part 1
* Update defense_evasion_processes_with_trailing_spaces.toml
* Update defense_evasion_processes_with_trailing_spaces.toml
* One more tuning
* Update collection_linux_suspicious_clipboard_activity.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-03-07 17:19:12 +01:00
ed4a7fc15b
[Tuning] Linux DR Tuning - Part 14 ( #3467 )
...
* [Tuning] Linux DR Tuning - Part 14
* Update privilege_escalation_sudo_cve_2019_14287.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-03-07 16:45:47 +01:00
Mika Ayenson