d3faf0d0d6
[New Rule] Shell Configuration Modification ( #3629 )
...
* [New Rule] Shell Configuration Modification
* description update
* uuid update
* query update
* query update
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit e29994c338
2024-04-30 11:48:38 +00:00
f7215a7ced
[Rule Tuning] Linux DRs ( #3628 )
...
(cherry picked from commit 115c3a6dfd
2024-04-30 11:33:56 +00:00
55a17e12db
[New] Potential privilege escalation via CVE-2022-38028 ( #3616 )
...
* [New] Potential privilege escalation via CVE-2022-38028
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
* Update privilege_escalation_exploit_cve_202238028.toml
* Update privilege_escalation_exploit_cve_202238028.toml
* Update privilege_escalation_exploit_cve_202238028.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 8f6de1c235
2024-04-29 14:18:06 +00:00
868ab80c63
Fix minstack version for 0365 in azure integration rules ( #3612 )
...
(cherry picked from commit 7673ba484d
2024-04-22 13:55:15 +00:00
bda38d6f27
updating performance note ( #3608 )
...
(cherry picked from commit 69d42ecc71
2024-04-18 20:43:50 +00:00
fea73c9686
[New Rule] Potential Windows Session Hijacking via CcmExec ( #3602 )
...
* [New Rule] Potential Windows Session Hijacking via CcmExec
* Update rules/windows/defense_evasion_sccm_scnotification_dll.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 6ae0902a38
2024-04-18 16:05:03 +00:00
4562d694b0
[Rule Tuning] Further Tight up Elastic Defend Index Patterns ( #3584 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 5004ff115c
2024-04-16 16:34:23 +00:00
f3d95cccce
adjust aws rule index patterns and tags ( #3595 )
...
(cherry picked from commit 74312797bf
2024-04-16 14:16:36 +00:00
e33d80804f
[Rule Tuning] Windows BBR Promotion ( #3577 )
...
* [Rule Tuning] Windows BBR Promotion
* Update non-ecs-schema.json
* Update persistence_netsh_helper_dll.toml
* Update persistence_werfault_reflectdebugger.toml
* Update privilege_escalation_unquoted_service_path.toml
* Update defense_evasion_msdt_suspicious_diagcab.toml
* Update defense_evasion_suspicious_msiexec_execution.toml
* Update discovery_security_software_wmic.toml
* Revert "Update defense_evasion_msdt_suspicious_diagcab.toml"
This reverts commit 0e1f3ea3e18a146c421a5bda784633cca4a2b0c0.
* Revert "Update defense_evasion_suspicious_msiexec_execution.toml"
This reverts commit 4e26a167774ad712d19334a4c2c712cc1d550e7f.
* Revert "Update discovery_security_software_wmic.toml"
This reverts commit d638cec354a46cacab1e62596f4ad939a1d9c32a.
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit c2d1586270
2024-04-16 12:36:20 +00:00
f291aa105d
Update defense_evasion_untrusted_driver_loaded.toml ( #3596 )
...
excluding `errorCode_endpoint:*` status (noisy)
(cherry picked from commit 919a438257
2024-04-15 14:00:51 +00:00
52e86dc8e8
[Tuning] Connection to Commonly Abused Web Services ( #3587 )
...
excluding top noisy patterns :
- Microsoft signed binaries connecting to graph.microsoft.com and sharepoint.com
- Slack, Dropbox and other signed binaries.
- github.com (removed), most abused is rawgithub dns.question.name for ingress-script/payload download
(cherry picked from commit 9692e59abb
2024-04-11 11:18:52 +00:00
74d428b09e
[Rule Tuning] Svchost spawning Cmd ( #3578 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit aa0cc42ff6
2024-04-08 10:57:52 +00:00
a6ea41cae0
Add filebeat-* index pattern to rules based on system.auth dataset ( #3561 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 153657029b
2024-04-03 09:36:00 +00:00
4e88c2d024
Fix minstack version for O365 prod rules ( #3565 )
...
(cherry picked from commit 0e2eb5a84c
2024-04-02 16:13:40 +00:00
eca9b72a2c
[Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution ( #3545 )
...
* [Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update command_and_control_new_terms_commonly_abused_rat_execution.toml
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 4ab7c9b178
2024-04-02 14:15:05 +00:00
6cf92b25d3
[Tuning] Connection to Commonly Abused Web Services ( #3425 )
...
* Update command_and_control_common_webservices.toml
* Update command_and_control_common_webservices.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 69173872da
2024-04-02 13:49:39 +00:00
22857aca2e
[New Rule] Suspicious Access to LDAP Attributes ( #2504 )
...
* Create discovery_high_number_ad_properties.toml
* Update discovery_high_number_ad_properties.toml
* Update rules/windows/discovery_high_number_ad_properties.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_high_number_ad_properties.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* fixed tags; moved note to setup, updated date
* Update discovery_high_number_ad_properties.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
(cherry picked from commit f025616cbd
2024-04-02 13:05:41 +00:00
5a18a6cea2
[Rule Tuning] Potential Application Shimming via Sdbinst ( #3553 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit c781376188
2024-04-02 09:43:02 +00:00
de3db7007a
[New] Potential Execution via XZBackdoor ( #3555 )
...
* [New] Potential Execution via XZBackdoor
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit f2490007e8
2024-04-02 04:22:46 +00:00
21f23f6d33
[Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules ( #3549 )
...
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules
* Delete test.pkl
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit b47b91b9ec
2024-04-01 23:52:53 +00:00
7838042839
[Rule Tuning] Replace KQL exceptions for Query DSL Exceptions ( #3505 )
...
* [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions
* update min_stack
* build out schema in more detail for Filters
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Remove enum for definition
* remove unused import
* remove $state store
* transform state
* add call to super
* add return type hint
* use dataclass metadata
* use Literal type
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Removed changes from:
- rules/windows/collection_mailbox_export_winlog.toml
- rules/windows/collection_posh_clipboard_capture.toml
- rules/windows/defense_evasion_posh_assembly_load.toml
- rules/windows/defense_evasion_posh_compressed.toml
- rules/windows/discovery_posh_suspicious_api_functions.toml
- rules/windows/discovery_privileged_localgroup_membership.toml
- rules/windows/execution_posh_hacktool_functions.toml
- rules/windows/execution_posh_psreflect.toml
- rules_building_block/collection_posh_compression.toml
- rules_building_block/defense_evasion_powershell_clear_logs_script.toml
- rules_building_block/discovery_posh_generic.toml
- rules_building_block/lateral_movement_posh_winrm_activity.toml
(selectively cherry picked from commit 67ca13c1ce
2024-04-01 20:53:09 +00:00
c1dd8cae21
Update setup guide for ML integration packages ( #3475 )
...
* Add more detail to ingest pipeline install
* Add more info to anomaly detection setup
* Update draft
* Fix typo
* Bulk add doc updates
* Update rules/integrations/problemchild/defense_evasion_ml_rare_process_for_a_host.toml
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
* Address Kseniia feedback
* Update updated_date per review feedback
---------
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 400a84628e
2024-04-01 19:10:34 +00:00
57627e562f
[Rule Deprecation] Deprecate Remote File Creation on a Sensitive Directory ( #3477 )
...
* deprecating
* adjusted matury tag; updated dates
(cherry picked from commit d4bf04256d
2024-04-01 15:08:51 +00:00
5a7d7cf4a0
[New Rules] Potential PowerShell Pass-the-Hash/Relay Script ( #3543 )
...
* [New Rules] Potential PowerShell Pass-the-Hash/Relay Script
* Update credential_access_posh_relay_tools.toml
* Update execution_posh_hacktool_functions.toml
* Update credential_access_posh_relay_tools.toml
* Update credential_access_posh_relay_tools.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 218c3bead6
2024-03-28 10:16:03 +00:00
c871bbb6d6
[New Rule] Creation of a DNS-Named Record ( #3539 )
...
* [New Rule] Creation of a DNS-Named Record
* Update credential_access_dnsnode_creation.toml
* Update rules/windows/credential_access_dnsnode_creation.toml
(cherry picked from commit 954a93c3b4
2024-03-27 21:28:37 +00:00
06dcbb80f5
[New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation ( #3535 )
...
* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation
* Update credential_access_adidns_wildcard.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 67e9ebf8e1
2024-03-27 13:15:24 +00:00
bfd3289680
[New] Suspicious Execution via ScreenConnect ( #3541 )
...
* [New] Suspicious Execution via ScreenConnect
- Suspicious ScreenConnect Client Child Process (limited to known suspicious patterns)
- ScreenConnect Server Spawning Suspicious Processes (webshell access via ScreenConnect server)
* Update command_and_control_screenconnect_childproc.toml
* Update rules/windows/initial_access_webshell_screenconnect_server.toml
* Update rules/windows/command_and_control_screenconnect_childproc.toml
* Update rules/windows/command_and_control_screenconnect_childproc.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update command_and_control_screenconnect_childproc.toml
* Update command_and_control_screenconnect_childproc.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit d7aff43621
2024-03-27 12:02:12 +00:00
e388aaf409
fix typo in lateral_movement_remote_services.toml ( #3538 )
...
(cherry picked from commit 138447221f
2024-03-27 10:46:36 +00:00
75a0a3f338
[Rule Tuning] Scheduled Task Activity via pwsh ( #3534 )
...
(cherry picked from commit 760b99bcc1
2024-03-26 13:53:05 +00:00
5ce96738c4
[New] Suspicious JetBrains TeamCity Child Process ( #3532 )
...
* [New] Suspicious JetBrains TeamCity Child Process
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
* Update initial_access_exploit_jetbrains_teamcity.toml
(cherry picked from commit fc76a8bcb5
2024-03-25 16:40:44 +00:00
b6aff9b2e5
[New Rules] Veeam Credential Access DRs ( #3516 )
...
* [New Rules] Veeam Credential Access DRs
* bump
* Update credential_access_veeam_commands.toml
* Update credential_access_veeam_backup_dll_imageload.toml
* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update credential_access_veeam_commands.toml
* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 779fa7710d
2024-03-21 13:09:29 +00:00
f0a06bc56b
[Rule Tuning] Potential Reverse Shell via UDP ( #3508 )
...
(cherry picked from commit a6028b43b3
2024-03-21 12:56:41 +00:00
88181b0f80
[Rule Tuning] SMTP on Port 26/TCP ( #3521 )
...
(cherry picked from commit 07abc19932
2024-03-19 21:03:05 +00:00
078c86ab40
[Rule Tuning] Tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager' ( #3494 )
...
* tuning 'First Time Seen AWS Secret Value Accessed in Secrets Manager'
* reverting lookback window
* missing word in description
(cherry picked from commit f6e79944f2
2024-03-15 23:17:27 +00:00
0a729b77a4
Beaconing - Add whitelist to rules, with some more processes ( #3497 )
...
* Add whitelist to rules, with some more processes
* Update rules exceptionlist
* Update exceptions
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit a4ecfe3ccf
2024-03-14 19:56:12 +00:00
a08cbc7390
[Rule Tuning] Guided Onboarding Rule ( #3502 )
...
* [Rule Tuning] Guided Onboarding Rule
* Update guided_onboarding_sample_rule.toml
* Revert "Update guided_onboarding_sample_rule.toml"
This reverts commit 18721277df7416534440a4708fa3b060f2775a27.
* Update guided_onboarding_sample_rule.toml
* Update guided_onboarding_sample_rule.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit c610e19114
2024-03-14 14:04:49 +00:00
4fec1a766e
[New Rules] mprotect() RWX Binary Execution ( #3507 )
...
* [New Rules] mprotect() RWX Binary Execution
* Added rule names
* Update execution_netcon_from_rwx_mem_region_binary.toml
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update execution_netcon_from_rwx_mem_region_binary.toml
* Update execution_netcon_from_rwx_mem_region_binary.toml
(cherry picked from commit 4179180fcb
2024-03-13 21:18:29 +00:00
22ed934946
[Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 ( #3501 )
...
* Initial commit
* Date bump
(cherry picked from commit f5254f3b5e
2024-03-13 13:33:15 +00:00
11168606d5
[Tuning] event.action and event.type change ( #3495 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 9f8638a004
2024-03-13 09:16:45 +00:00
9101dfc064
[Security Content] Small tweaks on the setup guides ( #3308 )
...
* [Security Content] Small tweaks on the setup guides
* Additional Fixes
* Avoid touching deprecated rules
(cherry picked from commit 458e67918a
2024-03-11 12:15:22 +00:00
aebe64a42b
[Rule Tuning] DR Performance-Poor Rules ( #3399 )
...
* [Rule Tuning] DR Performance
* .
* Update rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml
* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml
* Update persistence_startup_folder_scripts.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit edf4da8526
2024-03-11 11:56:05 +00:00
6241e8c7b4
fix: correct the provider for the create, delete and modify routes in EC2 VPCs ( #3500 )
...
(cherry picked from commit 709cfddcbe
2024-03-08 19:07:31 +00:00
b180502a19
[Tuning] Linux Cross-Platform Tuning - Part 1 ( #3468 )
...
* [Tuning] Linux Cross-Platform Tuning - Part 1
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update defense_evasion_deletion_of_bash_command_line_history.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit a438052ff3
2024-03-07 17:26:26 +00:00
28220d0ccd
[Tuning] Linux DR Tuning - Part 12 ( #3464 )
...
* [Tuning] Linux DR Tuning - Part 12
* Update persistence_shared_object_creation.toml
* Update privilege_escalation_dac_permissions.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Min stack rule-bending test
* formatting fix
* Revert "Merge branch 'linux-dr-tuning-12' of https://github.com/elastic/detection-rules into linux-dr-tuning-12"
This reverts commit 0170cddd905b4b983f8413eebbc11c9c7b3719ce, reversing
changes made to 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Revert "Min stack rule-bending test"
This reverts commit 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_chown_chmod_unauthorized_file_read.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 9c4ba4559d
2024-03-07 17:15:18 +00:00
a6c223de70
[Tuning] Linux BBR Tuning - Part 1 ( #3469 )
...
* [Tuning] Linux BBR Tuning - Part 1
* [Tuning] Linux BBR Tuning - Part 1
* Update defense_evasion_processes_with_trailing_spaces.toml
* Update defense_evasion_processes_with_trailing_spaces.toml
* One more tuning
* Update collection_linux_suspicious_clipboard_activity.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 3fd0358b73
2024-03-07 16:24:36 +00:00
124e8c836c
[Tuning] Linux DR Tuning - Part 14 ( #3467 )
...
* [Tuning] Linux DR Tuning - Part 14
* Update privilege_escalation_sudo_cve_2019_14287.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit ed4a7fc15b
2024-03-07 15:51:17 +00:00
dfaed78e75
[Tuning] Linux DR Tuning - Part 13 ( #3465 )
...
* [Tuning] Linux DR Tuning - Part 13
* updated date bump
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
* Update privilege_escalation_netcon_via_sudo_binary.toml
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
* Update rules/linux/privilege_escalation_shadow_file_read.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 60fda8d756
2024-03-07 15:33:51 +00:00
09fe63d18f
[Tuning] Linux DR Tuning - Part 11 ( #3463 )
...
* [Tuning] Linux DR Tuning - Part 11
* Update persistence_message_of_the_day_creation.toml
* Update persistence_message_of_the_day_execution.toml
* Update rules/linux/persistence_message_of_the_day_execution.toml
* Update persistence_linux_user_added_to_privileged_group.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit ef66c57030
2024-03-07 11:26:39 +00:00
68cfb3dfde
[Tuning] Linux DR Tuning - Part 10 ( #3462 )
...
* [Tuning] Linux DR Tuning - Part 10
* updated_date bump
* Update persistence_kworker_file_creation.toml
* Update persistence_linux_backdoor_user_creation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit a76a3755d9
2024-03-07 10:50:21 +00:00
6141bc3dd7
[Tuning] Linux DR Tuning - Part 9 ( #3461 )
...
* [Tuning] Linux DR Tuning - Part 9
* Update persistence_credential_access_modify_ssh_binaries.toml
* Update lateral_movement_ssh_it_worm_download.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit fd84573212
2024-03-07 10:39:28 +00:00
Ruben Groenewoud