shashank-elastic
41c915c42e
expect shell evasion threat (#1817)
* expect shell evasion threat
* expect shell evasion threat
* Update rules/linux/defense_evasion_expect_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 334aa12aaf)
2022-03-07 20:26:43 +00:00
shashank-elastic
4cf4a66a4b
nice shell evasion threat (#1820)
* nice shell evasion threat
* Update rules/linux/defense_evasion_nice_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 2b6a357a4b)
2022-03-07 20:02:05 +00:00
shashank-elastic
aaf1ab6bb2
[Rule Tuning] Rule description updates (#1811)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit f9503f2096)
2022-03-07 14:06:37 +00:00
shashank-elastic
c4fea2fc00
[New Rule] Linux Restricted Shell Breakout via the Vi command (#1809)
* new:rule:issue-1808 vi shell evasion threat
* Update rules/linux/defense_evasion_vi_binary.toml
* Update rules/linux/defense_evasion_vi_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* new:rule:issue-1808 vi shell evasion threat
* new:rule:issue-1808 vi shell evasion threat
* new:rule:issue-1808 vi shell evasion threat
* Update rules/linux/defense_evasion_vi_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 2a82f18e43)
2022-03-04 19:48:40 +00:00
Samirbous
ad2c069baa
[New Rule] Potential Remote Credential Access via Registry (#1804)
* [New Rule] Potential Remote Credential Access via Registry
A 4624 logon followed by hive file creation by regsvc svchost.exe, with the same user.name and host.id. This matches secretsdump and other similar implementations. Requires correlating Elastic Endpoint file events with System integration logs (4624).
Example of data:
* Delete workspace.xml
* Update credential_access_remote_sam_secretsdump.toml
* Update credential_access_remote_sam_secretsdump.toml
* add non ecs field
* Update non-ecs-schema.json
* Update credential_access_remote_sam_secretsdump.toml
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit a6582351b5)
2022-03-03 15:31:20 +00:00
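The correlation the commit message above describes (a 4624 logon, then a registry hive written by svchost.exe for the same user.name and host.id), replayed in Python over constructed events. This is an added example, not the detection-rules project's own code or query: the field names follow ECS / Elastic Endpoint conventions, while the 10-minute window, the "regf" header check and the sample events are assumptions made for the demo.

```python
"""Correlate a Windows 4624 logon with a registry hive file later written by
svchost.exe for the same user on the same host.

Added example, not the detection-rules project's code. Field names follow
ECS / Elastic Endpoint (host.id, user.name, process.name, file.Ext.header_bytes);
the 10-minute window, the 'regf' header check and the sample events are
assumptions made for this demo, not values taken from the rule.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)      # assumed maximum gap between logon and hive write
REGF_MAGIC_HEX = "72656766"         # b"regf": the first four bytes of every hive file


def _ts(event):
    return datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")


def is_hive_write_by_svchost(event):
    """File creation by svchost.exe whose content starts with the regf signature."""
    return (event.get("event.category") == "file"
            and event.get("event.type") == "creation"
            and event.get("process.name", "").lower() == "svchost.exe"
            and event.get("file.Ext.header_bytes", "").lower().startswith(REGF_MAGIC_HEX))


def correlate(events, window=WINDOW):
    """Return (logon, file) pairs: a 4624 for (host.id, user.name) followed within
    `window` by a hive write by svchost.exe under the same (host.id, user.name).
    Events are processed in timestamp order; only the most recent logon per key
    is kept, which is enough for a 'followed by' sequence."""
    last_logon = {}    # (host.id, user.name) -> most recent 4624 event
    hits = []
    for ev in sorted(events, key=_ts):
        key = (ev.get("host.id"), ev.get("user.name"))
        if ev.get("event.code") == "4624":
            last_logon[key] = ev
        elif is_hive_write_by_svchost(ev):
            logon = last_logon.get(key)
            if logon is not None and _ts(ev) - _ts(logon) <= window:
                hits.append((logon, ev))
    return hits


# Constructed sample telemetry (flat ECS-style dicts), not real logs.
SAMPLE_EVENTS = [
    # network logon by 'admin' on ws01 (System integration, event 4624)
    {"@timestamp": "2022-03-01T10:00:00Z", "event.code": "4624",
     "host.id": "ws01", "user.name": "admin"},
    # 7 s later svchost.exe writes a file starting with 'regf' on ws01 -> hit
    {"@timestamp": "2022-03-01T10:00:07Z", "event.category": "file", "event.type": "creation",
     "host.id": "ws01", "user.name": "admin", "process.name": "svchost.exe",
     "file.path": "C:\\Windows\\Temp\\sam.tmp",
     "file.Ext.header_bytes": "726567660100000001000000"},
    # svchost.exe writing a PE (MZ header) on ws01 -> not a hive, no hit
    {"@timestamp": "2022-03-01T10:00:08Z", "event.category": "file", "event.type": "creation",
     "host.id": "ws01", "user.name": "admin", "process.name": "svchost.exe",
     "file.path": "C:\\Windows\\Temp\\x.dll", "file.Ext.header_bytes": "4d5a90000300"},
    # same user, different host with no preceding logon there -> no hit
    {"@timestamp": "2022-03-01T10:00:09Z", "event.category": "file", "event.type": "creation",
     "host.id": "ws02", "user.name": "admin", "process.name": "svchost.exe",
     "file.path": "C:\\Windows\\Temp\\sec.tmp", "file.Ext.header_bytes": "72656766"},
    # local 'reg save' by another user: wrong process and no logon -> no hit
    {"@timestamp": "2022-03-01T10:05:00Z", "event.category": "file", "event.type": "creation",
     "host.id": "ws01", "user.name": "localadmin", "process.name": "reg.exe",
     "file.path": "C:\\Users\\localadmin\\sam.save", "file.Ext.header_bytes": "72656766"},
    # hive write by svchost.exe 40 min after the logon -> outside the window
    {"@timestamp": "2022-03-01T10:40:00Z", "event.category": "file", "event.type": "creation",
     "host.id": "ws01", "user.name": "admin", "process.name": "svchost.exe",
     "file.path": "C:\\Windows\\Temp\\late.tmp", "file.Ext.header_bytes": "72656766"},
]

if __name__ == "__main__":
    for logon, hive in correlate(SAMPLE_EVENTS):
        print(f"{hive['host.id']} {hive['user.name']}: 4624 at {logon['@timestamp']} "
              f"then hive {hive['file.path']} at {hive['@timestamp']}")
```

Keying on (host.id, user.name) is what keeps the ws02 event from pairing with the ws01 logon; the header check is what separates a saved hive from any other temp file svchost.exe happens to create.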
Terrance DeJesus
a1e28ef4ff
[New Rule] Execution control.exe via WorkFolders.exe (#1806)
* added detection rule defense_evasion_workfolders_control_execution.toml related to issue #1586
* updated rule authors
* added references to the rule
* added timestamp override variable to the rule
* adjusted value of timestamp override from event_ingested to event.ingested
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* linted toml file as suggested
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 202b9c7479)
2022-03-03 14:24:27 +00:00
Jonhnathan
82331f05d1
[Rule Tuning] Update PowerShell script_block queries to avoid partial matches (#1807)
* Update script_block queries
* Update execution_posh_psreflect.toml
(cherry picked from commit 5c477849fe)
2022-03-03 10:39:59 +00:00
shashank-elastic
7bfd5622f3
find shell evasion threat (#1801)
* new:rule:issue-1800 Adding new rule for find shell evasion
* new:rule:issue-1800 Adding new rule for find shell evasion
* new:rule:issue-1800 Adding new rule for find shell evasion
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* new:rule:issue-1800 Adding MITRE ATT&CK Techniques
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* new:rule:issue-1800 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 283cbca702)
2022-03-02 16:32:49 +00:00
shashank-elastic
139d56ee86
apt binary shell evasion threat (#1792)
* new:rule:issue-1782 Adding a new Rule for apt binary shell evasion threat
* new:rule:issue-1782 Review Comments
* Update rules/linux/apt_binary_shell_evasion.toml
* new:rule:issue-1782 Adding MITRE ATT&CK Techniques
* new:rule:issue-1782 Adding MITRE ATT&CK Techniques
* new:rule:issue-1782 Adding MITRE ATT&CK Techniques
* new:rule:issue-1782 Adding MITRE ATT&CK Techniques
* new:rule:issue-1782 Adding MITRE ATT&CK Techniques
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* new:rule:issue-1782 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit c9dd047966)
2022-03-02 16:30:22 +00:00
shashank-elastic
a645bc7bbb
awk binary shell evasion threat (#1794)
* new:rule:issue-1785 Adding a new Rule for awk binary shell evasion threat
* Update rules/linux/awk_binary_shell_evasion.toml
* Update rules/linux/awk_binary_shell_evasion.toml
* new:rule:issue-1785 Adding MITRE ATT&CK Techniques
* new:rule:issue-1785 Adding MITRE ATT&CK Techniques
* new:rule:issue-1785 Adding MITRE ATT&CK Techniques
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* new:rule:issue-1785 Review Comments
* new:rule:issue-1785 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit e004a2f4a5)
2022-03-02 16:26:37 +00:00
shashank-elastic
56997556f5
env binary shell evasion threat (#1793)
* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat
* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat
* Update rules/linux/env_binary_shell_evasion.toml
* Update rules/linux/env_binary_shell_evasion.toml
* new:rule:issue-1786 Adding MITRE ATT&CK Techniques
* new:rule:issue-1786 Adding MITRE ATT&CK Techniques
* new:rule:issue-1786 Adding MITRE ATT&CK Techniques
* new:rule:issue-1786 Adding MITRE ATT&CK Techniques
* new:rule:issue-1786 Adding MITRE ATT&CK Techniques
* Update rules/linux/privilege_escalation_env_binary.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/privilege_escalation_env_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/privilege_escalation_env_binary.toml
* Update rules/linux/privilege_escalation_env_binary.toml
* new:rule:issue-1786 Review Comments
* Update rules/linux/defense_evasion_env_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 758784d4d5)
2022-03-02 16:19:45 +00:00
Samirbous
36369ebf96
[New Rule] Registry Hive File Creation via SMB (#1779)
* [New Rule] Registry Hive File Creation via SMB
Identifies the creation or modification of a medium-sized registry hive file via the SMB protocol:
* Update credential_access_moving_registry_hive_via_smb.toml
* Update etc/non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit f48144c6b3)
2022-03-02 09:14:52 +00:00
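When a rule like the one above fires on a medium-sized file that arrived over SMB, the next question is whether the file really is a hive and which one. This added example (not the detection-rules project's code) parses the regf base block that every Windows registry hive starts with: signature, sequence numbers, embedded hive name and the header checksum. The offsets are the documented regf layout; the sample SAM hive is constructed inline, and the list of hive names treated as credential material is an assumption for the demo.

```python
"""Parse the 'regf' base block of a Windows registry hive so a file that
appeared over SMB can be confirmed as a hive and named (SAM, SECURITY, SYSTEM).

Added example, not the detection-rules project's code. The offsets are the
documented regf base-block layout; the sample hive header is constructed
inline and CREDENTIAL_HIVES is an assumed list for this demo.
"""
import struct

BASE_BLOCK = 512                                    # the regf header is the first 512 bytes
CREDENTIAL_HIVES = ("SAM", "SECURITY", "SYSTEM")    # assumed: hives worth escalating on


def regf_checksum(base_block):
    """XOR of the first 508 bytes taken as little-endian DWORDs; Windows maps the
    two reserved results (0 -> 1, 0xFFFFFFFF -> 0xFFFFFFFE)."""
    cs = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        cs ^= dword
    if cs == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return cs or 1


def build_hive_header(hive_name, seq=1):
    """Constructed, checksum-valid base block used only as sample input."""
    hdr = bytearray(BASE_BLOCK)
    hdr[0:4] = b"regf"
    struct.pack_into("<II", hdr, 4, seq, seq)        # primary / secondary sequence numbers
    struct.pack_into("<II", hdr, 20, 1, 5)           # major / minor format version
    struct.pack_into("<II", hdr, 28, 0, 1)           # file type (0 = primary), file format
    struct.pack_into("<II", hdr, 36, 0x20, 0x1000)   # root cell offset, hive bins data size
    struct.pack_into("<I", hdr, 44, 1)               # clustering factor
    name = hive_name.encode("utf-16-le")[:64]
    hdr[48:48 + len(name)] = name                    # embedded file name, UTF-16LE, 64 bytes max
    struct.pack_into("<I", hdr, 508, regf_checksum(hdr))
    return bytes(hdr)


def inspect_hive(data):
    """Return header facts for a hive, or None if `data` is not a regf file."""
    if len(data) < BASE_BLOCK or data[:4] != b"regf":
        return None
    primary, secondary = struct.unpack_from("<II", data, 4)
    name = data[48:112].decode("utf-16-le", errors="ignore").rstrip("\x00")
    stored = struct.unpack_from("<I", data, 508)[0]
    short = name.rsplit("\\", 1)[-1].upper()
    return {
        "name": name,                      # e.g. \SystemRoot\System32\Config\SAM
        "hive": short,                     # last path component, upper-cased
        "credential_hive": short in CREDENTIAL_HIVES,
        "dirty": primary != secondary,     # unequal sequence numbers: write not fully committed
        "checksum_ok": stored == regf_checksum(data[:BASE_BLOCK]),
        "size": len(data),
    }


# Constructed sample: a SAM hive header followed by 60 KiB of zeroed hive bins.
SAMPLE_SAM_HIVE = build_hive_header("\\SystemRoot\\System32\\Config\\SAM") + bytes(60 * 1024)

if __name__ == "__main__":
    print(inspect_hive(SAMPLE_SAM_HIVE))
    print(inspect_hive(b"MZ" + bytes(600)))   # a PE, not a hive -> None
```

A hive saved with `reg save` or pulled by secretsdump keeps the original hive's embedded name, so the `hive` field is usually enough to tell SAM from SYSTEM without opening the file; a failed checksum or unequal sequence numbers means the copy was taken mid-write or has been tampered with and should be handled as suspect rather than discarded.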
Jonhnathan
31f75bd7e6
Update impact_azure_service_principal_credentials_added.toml (#1802)
(cherry picked from commit 8a9b52f7e1)
2022-03-02 08:38:49 +00:00
Jonhnathan
73b3bec457
[Security Content] Update rules based on docs review (#1803)
* Adds suggestions from security-docs
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 1c50f35aed)
2022-03-02 00:41:56 +00:00
Mika Ayenson
aab23636e8
[New Rule] LSASS Memory Dump (#1784)
* Add new event_data fields (ObjectName, ProcessName)
* Add detection for LSASS Memory Dump Handle Access
* Reference an example of 120089 AccessMask presence
* modify query to increase performance and update the description to remove ("This rule").
* expand path to Elastic Agent ensure syntax consistency
* Optimize rule based on AccessMaskDescription and additional False Positives.
* add AccessMaskDescription keyword and rule tune to make sure AccessMask is used
* filter dllhost.exe and or the condition between AccessMask and AccessMaskDescription
* cleanup
(cherry picked from commit aa7d79cc53)
2022-02-24 13:16:42 +00:00
Jonhnathan
99c559f870
Update persistence_azure_conditional_access_policy_modified.toml (#1788)
(cherry picked from commit 8664ef59f4)
2022-02-22 18:29:00 +00:00
Jonhnathan
678f7cb93c
[Rule Tuning] Update rules based on docs review (#1778)
* Update rules based on docs review
* trivial change to trigger CLA
* undo changes from triggering build
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit dec4243db0)
2022-02-16 16:44:51 +00:00
Jonhnathan
f571eb970d
[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773)
* Remove Windows Integration & Winlogbeat Support
* Update lateral_movement_service_control_spawned_script_int.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 3227d65cd8)
2022-02-16 02:07:27 +00:00
Jonhnathan
cd59ed785a
[Rule Tuning] Potential Command and Control via Internet Explorer (#1771)
* Use user.name on the sequence instead of user.id
* Update command_and_control_iexplore_via_com.toml
* Remove min_stack and comment "with runs"
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 03f60cc11c)
2022-02-16 02:00:28 +00:00
Jonhnathan
ef78093d88
[New Rule] Potential Credential Access via DCSync (#1763)
* "Potential Credential Access via DCSync" Initial Rule
* replace unintentional bracket removal
* json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 42436d3364)
2022-02-16 00:42:49 +00:00
Jonhnathan
9885be0f59
Modified to use Integrity fields instead of user.id (#1772)
(cherry picked from commit fd678dc5cb)
2022-02-16 00:25:10 +00:00
Jonhnathan
fd3d2708a1
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
* Initial Review of Sysmon Registry Rules
* Update defense_evasion_sip_provider_mod.toml
(cherry picked from commit 9bbe26fec0)
2022-02-15 12:59:15 +00:00
Jonhnathan
3b97ee423b
Update discovery_net_command_system_account.toml (#1769)
(cherry picked from commit c646a18efb)
2022-02-14 15:13:55 +00:00
Samirbous
fbcc7433ad
[New Rule] Windows Service Installed via an Unusual Client (#1759)
* [New Rule] Windows Service Installed via an Unusual Client
https://www.x86matthew.com/view_post?id=create_svc_rpc
* Update non-ecs-schema.json
* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Add ```s
* Update privilege_escalation_windows_service_via_unusual_client.toml
* add missing comma to schema
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 326aa64ff6)
2022-02-11 20:59:20 +00:00
Jonhnathan
c59429719d
Modification of AmsiEnable Registry Key - Sysmon support (#1760)
(cherry picked from commit 9c56b00429)
2022-02-11 20:51:51 +00:00
Jonhnathan
782b6c1d0e
Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml (#1757)
(cherry picked from commit aa9fedd18d)
2022-02-11 17:18:12 +00:00
Khristinin Nikita
4fe57055a0
[Rule Tuning] Fix IM query (#1767)
* Fix IM query
* Add update date
(cherry picked from commit b1121da237)
2022-02-10 18:32:37 +00:00
Jonhnathan
6b1b8587e1
[Documentation] Fix O365 Integration name on Rules and Unit Test (#1684)
* Adjust Integration Name
* Update defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
* Update integration name
* .
* Case
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 5a16a222ad)
2022-02-09 22:06:05 +00:00
Justin Ibarra
b4863ddde5
Move misplaced rule to proper folder (#1756)
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 97835bc5c5)
2022-02-04 20:38:01 +00:00
Jonhnathan
2fe12168bc
[New Rule] Potential Shadow Credentials added to AD Object (#1729)
* Potential Shadow Credentials added to AD Object Initial Rule
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update credential_access_shadow_credentials.toml
* Add AD tag
* Update credential_access_shadow_credentials.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 85b72256c2)
2022-02-04 18:51:25 +00:00
Jonhnathan
df2a844584
[New Rule] PowerShell Script Block Logging Disabled (#1749)
* PowerShell Script Block Logging Disabled
* Update rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update defense_evasion_disable_posh_scriptblocklogging.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 7dac52f1cf)
2022-02-04 18:46:55 +00:00
Jonhnathan
7e25f14766
Update credential_access_mod_wdigest_security_provider.toml (#1751)
(cherry picked from commit 40095d95bf)
2022-02-04 18:40:39 +00:00
Jonhnathan
6ed9769eb6
[New Rule] AdminSDHolder Backdoor (#1745)
* AdminSDHolder Backdoor
* Update rules/windows/persistence_ad_adminsdholder.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 9ce5d0b92a)
2022-02-01 13:17:28 +00:00
Jonhnathan
58e0584e73
[New Rule] KRBTGT Delegation Backdoor (#1743)
* KRBTGT Delegation Backdoor
* Update persistence_msds_alloweddelegateto_krbtgt.toml
* Update non-ecs-schema.json
* Update rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* refresh rule_id with new uuid
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit d949fefe0c)
2022-02-01 13:11:57 +00:00
Jonhnathan
f661eca2eb
[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#1741)
* Update persistence_exchange_suspicious_mailbox_right_delegation.toml
* fix year
(cherry picked from commit 26d5bad914)
2022-02-01 00:04:37 +00:00
Jonhnathan
4e9432a563
[New Rule] Kerberos Preauthentication Disabled for User (#1717)
* Initial "Kerberos Preauthentication Disabled for User" Rule
* Update credential_access_disable_kerberos_preauth.toml
* Update credential_access_disable_kerberos_preauth.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Add config directives
* Update rules/windows/credential_access_disable_kerberos_preauth.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 6e3f4b2824)
2022-01-31 15:34:02 +00:00
Jonhnathan
fa09b26d59
[New Rule] SeEnableDelegationPrivilege assigned to User (#1737)
* SeEnableDelegationPrivilege assigned to User
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Fix logging policy name
* Update rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* lint
* Update credential_access_seenabledelegationprivilege_assigned_to_user.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 25ec71579d)
2022-01-31 15:25:23 +00:00
Justin Ibarra
948e484070
[Rule tuning] Update rules based on docs review (#1663)
* [Rule tuning] Update rule verbiage based on docs review
* fix typos
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* revert TI rule changes since it was deprecated
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 72c64de3f5)
2022-01-28 19:43:39 +00:00
Khristinin Nikita
c05b5dc5f9
[Rule Tuning] Change default time query for rounding days (#1713)
* Change default time query for rounding days
* Update date
* Revert rule updated_date
* Restore threat_query
(cherry picked from commit 87c7210aab)
2022-01-28 19:36:44 +00:00
Jonhnathan
c1c239e1ec
[New Rule] PowerShell Kerberos Ticket Request (#1715)
* PowerShell Kerberos Ticket Request Initial Rule
* bump date
(cherry picked from commit edd0df5e1a)
2022-01-27 19:38:40 +00:00
Jonhnathan
012e88601e
[New Rule] Email Reported by User as Malware or Phish (#1699)
* Email Reported by User as Malware or Phish Initial Rule
* Update initial_access_o365_user_reported_phish_malware.toml
* Update rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 189c2b152c)
2022-01-27 19:33:20 +00:00
Jonhnathan
239f7f9324
[New Rule] MS Office Macro Security Registry Modifications (#1696)
* "MS Office Macro Security Registry Modifications" Initial Rule
* Update rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit b6cbdbd416)
2022-01-27 19:27:12 +00:00
Jonhnathan
c300fce9f7
[New Rule] OneDrive Malware File Upload (#1693)
* "OneDrive Malware File Upload" Initial Rule
* bump severity
(cherry picked from commit f7bc13b437)
2022-01-27 19:22:11 +00:00
Jonhnathan
b0b52abbd5
[New Rule] SharePoint Malware File Upload (#1691)
* "SharePoint Malware File Upload" Initial Rule
* s/onedrive/sharepoint
* bump severity
(cherry picked from commit 1676844640)
2022-01-27 19:15:20 +00:00
Samirbous
c8671b4a1e
[New Rule] Potential Privileged Escalation via SamAccountName Spoofing (#1660)
* [New Rule] Potential Privileged Escalation via SamAccountName Spoofing
Identifies a suspicious computer account name rename event; this may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from a standard domain user to domain admin. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.
https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
https://github.com/cube0x0/noPac
EQL:
```eql
iam where event.action == "renamed-user-account" and
/* machine account name renamed to user like account name */
winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
```
* Create privilege_escalation_samaccountname_spoofing_attack.toml
* Update non-ecs-schema.json
* extra ref
* toml linted
* ref for MS kb5008102
* more ref
* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update non-ecs-schema.json
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 26fb8e83a5)
2022-01-27 14:49:15 +00:00
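The EQL quoted in the commit above, replayed in Python over constructed account-rename events (Windows event 4781, "The name of an account was changed") so the condition can be checked against both the noPac pattern and the benign renames it must ignore. This is an added example, not the detection-rules project's code: the field names mirror the winlog.event_data names in the rule, while the domain-controller inventory, the severity escalation when the new name is a DC's name without its "$", and the sample events are assumptions made for the demo.

```python
"""Replay the sAMAccountName-spoofing rule over constructed 4781 events and
escalate when the new name collides with a domain controller's account name
minus the trailing '$' (the noPac / CVE-2021-42278 + CVE-2021-42287 pattern).

Added example, not the detection-rules project's code. Field names mirror the
rule's winlog.event_data.* names; DOMAIN_CONTROLLERS, the severity escalation
and SAMPLE_EVENTS are assumptions made for this demo.
"""


def is_machine_to_user_rename(event):
    """The rule's condition: a renamed-user-account event whose old name is a
    machine account (ends with '$') and whose new name is not."""
    old = event.get("winlog.event_data.OldTargetUserName", "")
    new = event.get("winlog.event_data.NewTargetUserName", "")
    return (event.get("event.action") == "renamed-user-account"
            and old.endswith("$")
            and not new.endswith("$"))


def detect(events, domain_controllers):
    """Return one finding per matching event. Severity is 'high' when the new
    name equals a DC's sAMAccountName without '$' (assumed escalation: that is
    the name an attacker needs for the KDC to fall back to DC01$ on S4U2self),
    otherwise 'medium'."""
    dc_names = {dc.rstrip("$").lower() for dc in domain_controllers}
    findings = []
    for ev in events:
        if not is_machine_to_user_rename(ev):
            continue
        new = ev["winlog.event_data.NewTargetUserName"]
        findings.append({
            "subject": ev.get("winlog.event_data.SubjectUserName"),
            "old": ev["winlog.event_data.OldTargetUserName"],
            "new": new,
            "severity": "high" if new.lower() in dc_names else "medium",
        })
    return findings


DOMAIN_CONTROLLERS = ["DC01$", "DC02$"]   # assumed inventory of DC computer accounts

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # noPac: low-privileged user renames their own machine account to the DC's name
    {"event.action": "renamed-user-account", "winlog.event_data.SubjectUserName": "jdoe",
     "winlog.event_data.OldTargetUserName": "WS-ATTACK$",
     "winlog.event_data.NewTargetUserName": "DC01"},
    # machine renamed to another machine name: '$' kept, rule does not fire
    {"event.action": "renamed-user-account", "winlog.event_data.SubjectUserName": "svc_deploy",
     "winlog.event_data.OldTargetUserName": "WS02$",
     "winlog.event_data.NewTargetUserName": "WS03$"},
    # ordinary user rename: old name has no '$', rule does not fire
    {"event.action": "renamed-user-account", "winlog.event_data.SubjectUserName": "hr_admin",
     "winlog.event_data.OldTargetUserName": "jsmith",
     "winlog.event_data.NewTargetUserName": "john.smith"},
    # machine account stripped of its '$' but not to a DC name: fires at medium
    {"event.action": "renamed-user-account", "winlog.event_data.SubjectUserName": "jdoe",
     "winlog.event_data.OldTargetUserName": "WS-ATTACK$",
     "winlog.event_data.NewTargetUserName": "printer01"},
    # a different action with the same names: rule does not fire
    {"event.action": "added-user-account", "winlog.event_data.SubjectUserName": "jdoe",
     "winlog.event_data.OldTargetUserName": "WS-ATTACK$",
     "winlog.event_data.NewTargetUserName": "DC01"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS, DOMAIN_CONTROLLERS):
        print(f"[{f['severity']}] {f['subject']} renamed {f['old']} -> {f['new']}")
```

The rule itself only needs the two-part string check; the DC comparison is the triage step an analyst performs next, and keeping it out of the rule avoids tying the detection to an inventory that has to be maintained.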
Jonhnathan
71c382b1f5
[New Rule] Global Administrator Role Assigned (#1686)
* Initial Global Administrator Role Assigned Rules
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 14252d45ee)
2022-01-27 12:55:30 +00:00
Jonhnathan
15d6244331
Create credential_access_mfa_push_brute_force.toml (#1682)
(cherry picked from commit 7e4325dd7a)
2022-01-27 12:40:11 +00:00
Jonhnathan
b753a05c72
[Rule Tuning] GCP Kubernetes Rolebindings Created or Patched (#1718)
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
* Update rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 38ae64f729)
2022-01-27 12:34:30 +00:00
Jonhnathan
a5b1ac9e0e
Update credential_access_suspicious_lsass_access_memdump.toml (#1714)
(cherry picked from commit 1699f50beb)
2022-01-27 12:30:41 +00:00
Jonhnathan
45946dbf3e
Update source.ip condition (#1712)
(cherry picked from commit 4ac824192f)
2022-01-27 12:27:38 +00:00