322162f097
[New Rule] AWS S3 Bucket Replicated to Another Account ( #3895 )
2024-07-18 22:52:39 -04:00
e9cb2228e6
[New Rule] AWS S3 Object Versioning Suspended ( #3894 )
...
* [New Rule] AWS S3 Object Versioning Suspended
* description spacing changes
* update description
2024-07-18 22:14:46 -04:00
80f85cff4d
[New Rule] AWS S3 Bucket Server Access Logging Disabled ( #3892 )
...
* [New Rule] AWS S3 Bucket Server Access Logging Disabled
* changed severity from low to medium
2024-07-18 18:28:19 -04:00
6ac278df0c
[tuning] Connection to Commonly Abused Web Services ( #3901 )
...
* Update command_and_control_common_webservices.toml
* Update command_and_control_common_webservices.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-07-18 09:59:53 -03:00
1384742f07
[New Rule] Service DACL Modification via sc.exe ( #3900 )
...
* [New Rule] Service DACL Modification via sc.exe
* Update defense_evasion_sc_sdset.toml
* Update defense_evasion_sc_sdset.toml
2024-07-17 19:39:50 -03:00
39350847d6
[New Rules] Git Hook execution/netcon ( #3896 )
...
* [New Rules] Git Hook execution/netcon
* TImestamp formatting change
* Update rules/linux/persistence_git_hook_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-07-17 15:28:37 +02:00
83d6eeb844
[New Rule] RPM Package Installed by Unusual Parent Process ( #3882 )
...
* [New Rule] RPM Package Installed by Unusual Parent Process
* Update persistence_rpm_package_installation_from_unusual_parent.toml
* Update persistence_rpm_package_installation_from_unusual_parent.toml
2024-07-17 15:12:17 +02:00
8c5910b1a6
[New Rule] Unsafe Docker Container Creation ( #3884 )
...
* [New Rule] Unsafe Docker Container Creation
* Update execution_potentially_overly_permissive_container_creation.toml
* Update execution_potentially_overly_permissive_container_creation.toml
* Update execution_potentially_overly_permissive_container_creation.toml
2024-07-17 15:03:07 +02:00
e5d08a2c38
[Rule Tuning] Updated setup guide ( #3885 )
...
* [Rule Tuning] Updated setup guide
* Update persistence_user_or_group_creation_or_modification.toml
* Update rules/linux/persistence_user_or_group_creation_or_modification.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* Update rules/linux/persistence_user_or_group_creation_or_modification.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-07-17 14:39:38 +02:00
eca7185901
Remove Rule:Promotion labels and add other relavent labels ( #3902 )
2024-07-17 17:41:05 +05:30
56e8e059b6
[New Rules] Docker Entrypoint Netcon / Nsenter Escape ( #3883 )
...
* [New Rules] Docker entrypoint netcon / nsenter escape
* ++
* Update privilege_escalation_docker_escape_via_nsenter.toml
* Update privilege_escalation_docker_escape_via_nsenter.toml
* Better description formatting
* Update execution_egress_connection_from_entrypoint_in_container.toml
* Update privilege_escalation_docker_escape_via_nsenter.toml
2024-07-15 13:07:36 +02:00
82a0cc80a7
[New Rules] DPKG Execution/Installation ( #3879 )
...
* [New Rules] DPKG Execution/Installation
* Update rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
* Update persistence_dpkg_package_installation_from_unusual_parent.toml
* Update persistence_dpkg_unusual_execution.toml
* Update persistence_dpkg_unusual_execution.toml
2024-07-15 12:59:03 +02:00
ffb68174f9
[Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation ( #3887 )
2024-07-15 06:41:45 -03:00
2110ad53f0
[FR] Support new_terms schema import/export w/custom format ( #3890 )
...
* [FR] Support new_terms schema import/export w/custom format
* fix formatter for filters
* handle both rule formats when parsing data view
2024-07-12 17:17:09 -05:00
bd345d4c19
[Bug] Hunting - Add UTF-8 Encoding for all Read and Write Operations ( #3886 )
...
* adding utf-8 flags
* reverted open() to read_text with encoding flag
* changed ticks
* changed ticks
2024-07-11 18:07:14 -04:00
361e97a256
[FR] Add API auth to Kibana module ( #3815 )
...
* [FR] Add API auth to Kibana module
* update make file to properly install all deps
* Bump Kibana Version
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
2024-07-11 17:19:41 -04:00
44658ea5f6
[Rule Tunings] Change from to prevent double alerts ( #3868 )
2024-07-11 13:02:10 -04:00
f0ab897f99
[Rule Tunings] AWS Administrator Access Policy Attached Rules ( #3867 )
...
* [Tuning] AWS Administrator Access Policy Attached Rules
* change lookback to prevent overlap
* changed from to now-6m
2024-07-11 12:49:03 -04:00
80ac2794f2
[Rule BugFix] Google Workspace Oauth2 new app ( #3436 )
...
* [Rule BugFix] Google Workspace Oauth2 new app
In our extended testing the changed rule with latest Google Workspace
integration generates the following errors which make the rule fail everytime:
```
unsupported_operation_exception: [wildcard] queries are not currently supported on keyed [flattened] fields.
```
After careful investigation this happens since the field google_workspace.token.scope.data is a flattened
JSON filed that contains one or more key/value pairs and ES does not support wildcard matches withing flattened
fields as the error suggests.
We instead query the whole field (that contains the flattened fields) with the wildcard characters and achieve
the same outcome without the error.
* [Rule BugFix] Google Workspace Oauth2 new app update (#3436 )
In our extended testing the changed rule with latest Google Workspace
integration generates the following errors which make the rule fail everytime:
```
unsupported_operation_exception: [wildcard] queries are not currently supported on keyed [flattened] fields.
```
After careful investigation this happens since the field google_workspace.token.scope.data is a flattened
JSON filed that contains one or more key/value pairs and ES does not support wildcard matches withing flattened
fields as the error suggests.
We instead query the whole field (that contains the flattened fields) with the wildcard characters and achieve
the same outcome without the error.
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-07-11 10:45:17 -04:00
21485b16fa
[Tuning & Changes] Misc rule/hunt tuning ( #3875 )
...
* [Tuning & Changes] Misc rule/hunt tuning
* Bump update_date
* ++
* Updated docs
2024-07-11 14:55:33 +02:00
c62321f810
[FR] Detection Rule PR Guidelines and Issue Forms ( #3850 )
2024-07-10 17:18:45 -05:00
59a10be7c8
Unit Test to validate from field in toml file ( #3866 )
2024-07-10 22:41:53 +05:30
70411664cf
[Bug] Normalize Hunting Index Link Generation ( #3872 )
...
* normalizing hunting link generation
* replacing header
* adjusting quotes in f-strings
* added source file to metadata
* removed os dependency
* address bug in source file links
* reverting TOML loading
* change all List type hinting to list
* change all List type hinting to list
* fixed accented characters in queries
* reverted accent character removal; moved macos query and MD to macos folder
2024-07-10 11:01:59 -04:00
6e7ece4384
[Rule Tuning] Fix event.action conditions - AD Rules ( #3874 )
2024-07-10 10:33:14 -03:00
b303b8296b
[Rule Tuning] LSASS Memory Dump Creation ( #3810 )
...
* Update rule exclusion with process executable path for Windows Fault Reporting binary, WerFaultSecure.exe.
---------
Co-authored-by: Andrei Rediu <andrei.rediu@bit-sentinel.com >
2024-07-10 06:12:38 -05:00
ec6038b9d9
Added Schema Check for Data View ID and Index ( #3830 )
2024-07-09 15:05:12 -04:00
6a28881b5f
Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 ( #3880 )
2024-07-09 19:13:24 +05:30
b66d6e06aa
Fix Double Bump For Rule Microsoft Management Console File from Unusual Path ( #3878 )
2024-07-09 17:59:51 +05:30
7f3c977192
[Rule Tuning] Tune Attempts to Brute Force a Microsoft 365 User Account ( #3860 )
...
* tuning 'Attempts to Brute Force a Microsoft 365 User Account'
* added reference
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-07-08 13:07:44 -04:00
b230f8372a
[New Hunt] Persistence through System V Init ( #3871 )
...
* [New Hunt] Persistence through System V Init
* regenerating docs
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-07-08 16:35:54 +02:00
6a2f5e7138
[Bug] Persistence ssh key generation index pattern ( #3873 )
...
* fix persistence_ssh_key_generation.toml
* Update persistence_ssh_key_generation.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-07-08 10:27:52 -03:00
c32e17c0e7
Use command masquerading in linux_compress rta script ( #3782 )
2024-07-08 12:29:00 +05:30
f0b2cb7c87
[New Hunt] Add Initial Linux Hunting Files ( #3847 )
...
* added 'Uncommon Process Execution from Suspicious Directory' hunt
* adds all linux hunting files
* moves linux hunting files to queries folder
* adds generated docs
* fixing windows hunts
* fixing windows hunts
* updated README
* Removed 2, updated a few, changed some names/descriptions and added list of str
* updated windows for language schema changes, regenerated docs; updated README and index
* changed UUIDs to hex only with standard hyphen format
* removing unecessary docs
* Fixed queries based on Samir feedback
* ++
* regenerating linux docs
* Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Updates
* Update
* Update hunting/linux/queries/command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Updates
* regenerating linux docs
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-07-05 20:01:12 +02:00
215d5a0861
[New Rule] AWS S3 Object Encryption Using External KMS Key ( #3861 )
...
* [New Rule] AWS S3 Object Encryption Using External KMS Key
Identifies encryption events for S3 bucket objects using an AWS KMS key from an external account. Adversaries with access to a misconfigured S3 bucket and the proper permissions may encrypt objects with an external KMS key to deny their victims access to their own data.
* Update impact_s3_object_encryption_with_external_key.toml
* Update impact_s3_object_encryption_with_external_key.toml
* missing coma after tag
* missing backslash on technique reference
2024-07-05 12:25:55 -04:00
1d57e0c779
Update defense_evasion_deletion_of_bash_command_line_history.toml ( #3614 )
...
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update defense_evasion_deletion_of_bash_command_line_history.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-07-05 12:58:07 +01:00
64f0e258cb
[New Rule] Linux Shadow File Modification ( #3737 )
...
* [New Rule] Linux User Account Password Change
* Update rules/linux/persistence_user_password_change.toml
* Update persistence_user_password_change.toml
* Update persistence_user_password_change.toml
* Update persistence_user_password_change.toml
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-07-05 10:03:24 +02:00
801aab82cc
[New] Sensitive Registry Hive Access via RegBack ( #3855 )
...
* Create credential_access_regback_sam_security_hives.toml
* Update credential_access_regback_sam_security_hives.toml
* Update rules/windows/credential_access_regback_sam_security_hives.toml
* Apply suggestions from code review
* Update rules/windows/credential_access_regback_sam_security_hives.toml
* Update credential_access_regback_sam_security_hives.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-07-05 07:50:23 +01:00
15e9c9aa5e
[Tuning] Ransomware over SMB ( #3808 )
...
* [Tuning] Ransomware over SMB
* Update impact_ransomware_file_rename_smb.toml
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-07-05 07:26:57 +01:00
cd716e5248
[Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId ( #3685 )
...
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-07-05 05:46:40 +01:00
8dc0963ae6
[Rule Tuning] LSASS Process Access via Windows API ( #3824 )
...
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* fix merge
* newline
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-07-04 21:45:46 +01:00
208e330b44
[New Rule] Potential PowerShell Obfuscated Script ( #3864 )
...
* [New Rule[ Potential PowerShell Obfuscated Script
* Update defense_evasion_posh_obfuscation.toml
* Update rules/windows/defense_evasion_posh_obfuscation.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-07-04 09:26:32 -03:00
5048bc26bd
[Rule Tuning] Suspicious Inter-Process Communication via Outlook #3803 ( #3806 )
...
* Add "by host.id" argument to the sequence command in the rule query.
* Update collection_email_outlook_mailbox_via_com.toml
* Update non-ecs-schema.json
---------
Co-authored-by: Andrei Rediu <andrei.rediu@bit-sentinel.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-07-03 10:39:15 -04:00
50f0fb3518
Test case to check updated_date ( #3818 )
2024-07-03 19:17:27 +05:30
83be212632
[New Rule] AWS RDS DB Instance Made Public ( #3836 )
...
* [New Rule] AWS RDS DB Instance Made Public
...
* Apply suggestions from code review
* added coverage for instances created with public access
* rule review edits
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-07-03 01:01:52 -04:00
3a5c5c20a8
[New Rule] AWS RDS DB Instance or Cluster Deletion Protection Disabled ( #3851 )
...
* [New Rule] AWS RDS DB Instance or Cluster Deletion Protection Removed
...
* insert rule_id
* rule name change
2024-07-02 17:22:03 -04:00
9f4956f542
[New Rule] AWS RDS DB Instance or Cluster Password Modified ( #3844 )
...
* [New Rule] AWS RDS DB Instance or Cluster Password Modified
..
* Update rules/integrations/aws/persistence_rds_db_instance_password_modified.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-07-02 16:14:51 -04:00
43fbf94d8a
[New Rule] AWS RDS Snapshot Shared with Another Account ( #3831 )
...
* [New Rule] AWS RDS DB Snapshot Shared with Another Account
...
* Update exfiltration_rds_snapshot_shared_with_another_account.toml
* edit threat matrix format
* Apply suggestions from code review
* Update rules/integrations/aws/exfiltration_rds_snapshot_shared_with_another_account.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-07-02 15:36:44 -04:00
aaf014390b
[New Rule] AWS RDS Snapshot Deleted ( #3852 )
...
* [New Rule] AWS RDS Snapshot Deleted
* added coverage for backupRetentionPeriod set to 0
2024-07-02 14:01:15 -04:00
d59d462956
[Rule Tuning] Potential AWS S3 Bucket Ransomware Note Uploaded ( #3854 )
...
* tuning 'Potential AWS S3 Bucket Ransomware Note Uploaded'
* adding filter to ignore common AWS object path strings
2024-07-02 13:02:52 -04:00
30ffe00012
Create an Issue in Kibana for MITRE Updates ( #3796 )
2024-07-02 18:57:41 +05:30
Isai