5fe7833312
[Rule Tuning] Tuning Google Workspace Rules and File Name Length Reduction ( #3849 )
...
* tuning google workspace rules
* removed verbiage about runtime
2024-07-01 15:50:12 -04:00
d5c34b5750
[Rule Tuning] Unusual File Creation - Alternate Data Stream ( #3848 )
2024-07-01 13:45:19 -03:00
99a4d629c9
[New Rule] Entra ID Device Code Auth with Broker Client ( #3819 )
...
* new rule 'Entra ID Device Code Auth with Broker Client'
* updated azure integration, non-ecs updated, rule date updated
* updates tags
* updated query to add Azure activity logs
* merging in main
* updated azure manifest and schemas
* updated azure manifest and schemas
* updated index map for summary and changelog
* removed string imports
* reverting packaging.py updates
* adjusted query
* adjusted query to be more optimized
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-07-01 10:31:26 -04:00
f62644887e
[Rule Tuning] AWS RDS Snapshot Restored ( #3809 )
...
* [Tuning] AWS RDS Instance Restored
-name and description change to better describe behavior
- rule file name changed to match tactic
- query change to add coverage for restore from S3
- rule type changed to eql
- subtechnique added for creaing instance
- tag added for RDS datasource
- Investigation Guide added
* Update defense_evasion_rds_instance_restored.toml
* Update defense_evasion_rds_instance_restored.toml
* removed investigation guide place holder
* deprecated old rule because of name change
* change rule_id
* Revert "change rule_id"
This reverts commit 0764c932f412439319e2d15a6bd80c360cf3fdc2.
* Revert "deprecated old rule because of name change"
This reverts commit fd62673380b40ba9ee432a271da3a8c5374e7129.
2024-06-28 20:42:36 -04:00
2e3aca62f0
[Rule Tuning] Multiple Device Token Hashes for Single Okta Session ( #3814 )
...
* tuning 'Multiple Device Token Hashes for Single Okta Session'
* adjusted file name
* updated tags
* updated file name extension
* updated min-stack comments
2024-06-28 12:59:24 -04:00
b311d49c2a
[New Rules] Git Hook Execution/File Creation ( #3832 )
...
* [New Rules] Git Hook Execution/File Creation
* Update rules/linux/persistence_git_hook_file_creation.toml
* Update persistence_git_hook_process_execution.toml
2024-06-28 11:34:32 +02:00
f33c25b118
[New Rule] DNF Package Manager Plugin File Creation ( #3822 )
...
* [New Rule] DNF Package Manager Plugin File Creation
* Update persistence_dnf_package_manager_plugin_file_creation.toml
2024-06-28 11:14:48 +02:00
edc501accf
[New Rules] rc.local Execution Rules ( #3813 )
...
* [New Rules] rc.local Execution Rules
* ++
* Update rules/linux/persistence_rc_local_error_via_syslog.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-06-28 09:59:26 +02:00
b97069c3e9
Update defense_evasion_microsoft_defender_tampering.toml ( #3840 )
...
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-06-28 08:16:11 +01:00
cd4fe07c2c
[New Rule & Tuning] Systemd Generator Created ( #3801 )
2024-06-27 22:00:48 +02:00
e941645b2f
[Rule Tuning] rc.local/rc.common File Creation ( #3805 )
2024-06-27 21:50:49 +02:00
68bf4e453e
[Rule Tuning] System V Init Script Created ( #3811 )
2024-06-27 21:38:34 +02:00
460b314f49
[Rule Tuning] Executable Bit Set for Potential Persistence Script ( #3812 )
...
* [Rule Tuning] Executable Bit Set for Potential Persistence Script
* Update rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
* Update persistence_potential_persistence_script_executable_bit_set.toml
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-06-27 21:29:30 +02:00
7693d785aa
[Rule Tuning] LSASS Process Access via Windows API ( #3839 )
2024-06-27 12:22:13 -03:00
c3ba7b1262
[New Rule] Privilege Escalation via SUID/SGID ( #3793 )
...
* [New Rule] Privilege Escalation via SUID/SGID
* unit test error fix?
* Update rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
2024-06-27 16:50:09 +02:00
0ca16a1516
[New Rule] User or Group Creation/Modification ( #3804 )
2024-06-27 16:35:25 +02:00
8d063e1a47
[Rule Tuning] SUID/SGID Bit Set ( #3802 )
2024-06-27 16:27:00 +02:00
17a07020f3
[New] Microsoft Management Console File from Unusual Path ( #3834 )
...
* [New] Windows Script Execution via MMC Console File
* Update execution_via_mmc_console_file_unusual_path.toml
* Update execution_via_mmc_console_file_unusual_path.toml
* Update rules/windows/execution_via_mmc_console_file_unusual_path.toml
* Update execution_via_mmc_console_file_unusual_path.toml
* Update execution_via_mmc_console_file_unusual_path.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-06-27 11:32:45 +01:00
deb08fd28d
[New Rule] AD Group Modification by SYSTEM ( #3833 )
...
* [New Rule] AD Group Modification by SYSTEM
* .
* Update rules/windows/persistence_group_modification_by_system.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Tighten up indexes
* Update persistence_group_modification_by_system.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2024-06-26 18:56:01 -03:00
54d5b442cf
[Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs ( #3825 )
...
* [Rule Tuning] Add Initial Microsoft Defender for Endpoint Compatibility to Windows DRs
* .
* Update integration-schemas.json.gz
* Fix integration manifests
2024-06-26 11:06:27 -03:00
6746a421c4
[New Rules] Yum Plugin Creation / Discovery ( #3820 )
...
* [New Rules] Yum Plugin Creation / Discovery
* Update discovery_yum_plugin_detection.toml
* Update and rename discovery_yum_plugin_detection.toml to discovery_yum_dnf_plugin_detection.toml
2024-06-25 16:14:28 +02:00
0726ce41bf
Tune rule to exclude forwarded events. ( #3790 )
...
Events containing "forwarded" as a tag may include host information
that is not related to the host running elastic agent. This triggers
false positive alerts. Examples include Entity Analytics integrations,
Palo Alto GlobalProtect activity, and M365 Defender device events.
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-25 13:22:07 +02:00
2708a89f20
[New Rule] AWS IAM User Created Access Keys for Another User ( #3788 )
...
* [New Rule] AWS IAM User Created Access Keys for Another User
...
* updated min_stack and removed index field
* reversed tactic order
* added AWS documentation as reference
* Apply suggestions from code review
updated_date, query format change, removed keep from query
2024-06-25 00:11:48 -04:00
da8f3e4880
[New Rule] Okta Credential Stuffing and Password Spraying Identification via Source, Device Token and Actor ( #3797 )
...
* adding new rule 'Multiple Okta User Authentication Events with Same Device Token Hash'
* adding new rule 'Multiple Okta User Authentication Events with Client Address'
* updating UUIDs
* removed indexes
* adding new rule 'High Number of Okta Device Token Cookies Generated for Authentication'
* added okta outcome reason 'INVALID_CREDENTIALS' to queries
* updated risk score
* made all rules low risk score
* added user session start to rule
* updated min-stack comments
2024-06-21 13:11:23 -04:00
11aab028dc
[Rule Tuning] Okta User Sessions Started from Different Geolocations ( #3799 )
...
* tuning 'Okta User Sessions Started from Different Geolocations'
* TOML linting
* updated min-stack comments
* added setup
* Removed some blank spaces
2024-06-20 16:52:26 -04:00
e9d7ddfa35
[Rule Tuning]: Fix threat_index and filters in Rapid7 CVE rule ( #3800 )
...
* Fix index and filters in Rapid7 CVE rule
* change updated date
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-06-20 15:17:06 -04:00
c20318d0d0
[New Rule] Potential Privilege Escalation via Service ImagePath Modification ( #3757 )
...
* [New Rule] Potential Privilege Escalation via Service ImagePath Modification
* Update privilege_escalation_reg_service_imagepath_mod.toml
* [New Rule] NTDS Dump via Wbadmin
* Revert "[New Rule] NTDS Dump via Wbadmin"
This reverts commit 09fd513b1e8b35e22c7d1a371b0aa5aa4837cdc5.
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update privilege_escalation_reg_service_imagepath_mod.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-20 10:41:53 -03:00
236444200b
[New Rule] NTDS Dump via Wbadmin ( #3758 )
...
* [New Rule] NTDS Dump via Wbadmin
* Update rules/windows/credential_access_wbadmin_ntds.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-20 09:55:07 -03:00
3fd9bae611
[New Rule] Potential WPAD Spoofing via DNS Record Creation ( #3748 )
2024-06-20 09:34:27 -03:00
6a0ac563a0
Create defense_evasion_reg_disable_enableglobalqueryblocklist.toml ( #3734 )
2024-06-20 09:23:06 -03:00
51b9717ac0
Adding setup templates to the ML rules ( #3798 )
...
* Added setup instructions for ml rules
2024-06-19 10:04:41 -04:00
c1dcd21531
Closes #2216 ( #2855 )
...
* Update privilege_escalation_sts_assumerole_usage.toml
* Update privilege_escalation_sts_assumerole_usage.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2024-06-13 16:52:54 -04:00
020ca4be24
[New Rule] Rapid7 Threat Command CVEs Correlation ( #3718 )
...
* new rule 'Rapid7 Threat Command CVEs Correlation'
* Update rules/threat_intel/threat_intel_rapid7_threat_command.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* updated threat index and tags
* changed 'indicator match' to 'threat match' for tags
* removed timeline
* updating integrations to match main
* re-adding rapid7 threat command integration manifest and schema
* reverting changes; removing timeline
* changed max signals to 10000
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2024-06-12 18:01:44 -04:00
4eff7c6c87
[New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll ( #3717 )
...
* [New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll
* Update privilege_escalation_dns_serverlevelplugindll.toml
* Update privilege_escalation_dns_serverlevelplugindll.toml
* Update rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-12 15:18:31 -03:00
89d89f15d2
Update FIM integration Setup sequence ( #3781 )
2024-06-12 16:40:45 +05:30
0a69c19c83
Update Minstack versions for SentinelOne rules ( #3777 )
2024-06-11 18:58:26 +05:30
8baf5dc2d8
Add exceptions to C2 Beaconing Activity ( #3771 )
2024-06-11 18:43:46 +05:30
ec223a4a05
[New Rule] Suspicious File Modification ( #3746 )
...
* [New Rule] Suspicious File Modification
* Update persistence_suspicious_file_modifications.toml
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Updates
* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2024-06-11 13:03:20 +02:00
c87c4c9f5d
[New Rules] PAM Module Creation & Unusual PAM Grantor ( #3743 )
...
* [New Rules] PAM Module Creation & Unusual PAM Grantor
* Update persistence_unusual_pam_grantor.toml
* Update persistence_pluggable_authentication_module_creation.toml
* Update rules/linux/persistence_pluggable_authentication_module_creation.toml
* Update persistence_pluggable_authentication_module_creation.toml
* Update persistence_unusual_pam_grantor.toml
* Update rules/linux/persistence_pluggable_authentication_module_creation.toml
2024-06-11 11:51:33 +02:00
4cf0c2b9af
[Rule Tuning] Systemd-udevd Rule File Creation ( #3738 )
...
* [Rule Tuning] Systemd-udevd Rule File Creation
* Incompatible endgame field
* Update rules/linux/persistence_udev_rule_creation.toml
* Update rules/linux/persistence_udev_rule_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_udev_rule_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update persistence_udev_rule_creation.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-11 11:40:54 +02:00
4003219aa1
[New Rule] APT Package Manager Configuration File Creation ( #3739 )
...
* [New Rule] APT Package Manager Configuration File Creation
* Update rules/linux/persistence_apt_package_manager_file_creation.toml
* Update persistence_apt_package_manager_file_creation.toml
2024-06-11 09:43:35 +02:00
62eea772d0
[New Rule] AWS S3 Bucket Ransom Note Uploaded ( #3604 )
...
* new rule 'AWS S3 Bucket Object Retrieval, Deletion, and Potential Ransom Note Replacement'
* fixed technique mapping
* added investigation guide; added more ransom note extensions
* adjusted lookback and maxspan
* added API call to second sequence
* updating date
* Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* changed rule to ESQL; updated investigation guide
* changed file name
* removed txt, ecc, and note
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-10 10:47:20 -04:00
74f049cc7c
[New Rule] Network Connection Initiated by SSH Parent Process ( #3759 )
...
* [New Rule] Network Connection Initiated by SSH Parent Process
* Update persistence_ssh_netcon.toml
* Update rules/linux/persistence_ssh_netcon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_ssh_netcon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update persistence_ssh_netcon.toml
* Update persistence_ssh_netcon.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-10 10:30:45 +02:00
29bb52d2fb
[New Rule] Netcon through XDG Autostart Entry ( #3741 )
...
* [New Rule] Netcon through XDG Autostart Entry
* Update rules/linux/persistence_xdg_autostart_netcon.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update persistence_xdg_autostart_netcon.toml
* Update persistence_xdg_autostart_netcon.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-06-10 10:17:09 +02:00
70496f813f
[New Rule] Executable Bit Set for rc.local/rc.common ( #3736 )
...
* [New Rule] Executable Bit Set for rc.local/rc.common
* Endgame compatibility
* Update rules/linux/persistence_rc_local_common_executable_bit_set.toml
2024-06-10 09:57:14 +02:00
e1cbf9f684
[New rules] AWS IAM AdministratorAccess Policy Attached to : User, Group, Role(es|ql) ( #3735 )
...
* [New Rule] AWS IAM AdministratorAccess Policy Attached to User
issue...
* add source.address and source.geo.location
* fix threat tactic ids
* AdministratorAccess Policy Attached to Group
* AdminstratoAccess Policy Attached to Role
* reduce severity to medium
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-07 18:31:06 -04:00
087e8a6e85
[Rule Tuning] User Added to Privileged Group ( #3763 )
...
* [New Rule] User Added to Privileged Group
* add more groups
* Update rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update persistence_user_account_added_to_privileged_group_ad.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-06-07 13:43:30 -03:00
d3e2f70ce2
[New Rule] Process Capability Set via setcap Utility ( #3744 )
...
* [New Rule] Process Capability Set via setcap Utility
* ++
* Update rules/linux/persistence_process_capability_set_via_setcap.toml
2024-06-06 12:44:31 +02:00
8e6114f76c
[Rule Tuning] System Binary Moved or Copied ( #3742 )
...
* [Rule Tuning] System Binary Moved or Copied
* Added reference
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
2024-06-06 12:24:48 +02:00
61ab035f41
[Rule Tuning] Potential Sudo Hijacking ( #3745 )
...
* [Rule Tuning] Potential Sudo Hijacking
* Update rules/linux/privilege_escalation_sudo_hijacking.toml
* Update rules/linux/privilege_escalation_sudo_hijacking.toml
2024-06-06 11:59:26 +02:00
Terrance DeJesus