Jonhnathan
4aa6c4e715
[Rule Tuning] Untrusted Driver Loaded (#5061)
* [Rule Tuning] Untrusted Driver Loaded
* Update defense_evasion_untrusted_driver_loaded.toml
2025-09-05 06:12:30 -07:00
Jonhnathan
9ee15a13b0
[Rule Tuning] Connection to Commonly Abused Web Services (#5060)
* [Rule Tuning] Connection to Commonly Abused Web Services
* Update command_and_control_common_webservices.toml
2025-09-04 11:58:13 -07:00
Samirbous
0bbad3bbf8
Update defense_evasion_modify_ownership_os_files.toml (#5051)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-02 08:18:35 -07:00
Jonhnathan
8d2ea9220b
[New Rules] Potential Relay Attack against a Computer Account (#4826)
* [New Rules] Potential Relay Attack against a Computer Account Rules
* update description
* .
* add min_stack
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-09-01 10:07:37 -07:00
Samirbous
464fb3951e
[Tuning] Unusual Network Activity from a Windows System Binary (#5048)
2025-09-01 22:17:53 +05:30
Jonhnathan
a31b3a36ad
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 (#5025)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10
* Update rules/windows/execution_shared_modules_local_sxs_dll.toml
* pending adjustments
* Update execution_windows_cmd_shell_susp_args.toml
2025-09-01 09:30:21 -07:00
Samirbous
a62ee7a8a2
[New] Active Directory Discovery using AdExplorer (#5047)
* [New] Active Directory Discovery using AdExplorer
* Update discovery_ad_explorer_execution.toml
* Update rules/windows/discovery_ad_explorer_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_ad_explorer_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-09-01 16:58:22 +01:00
Samirbous
40794368a7
[New] Connection to Common Large Language Model Endpoints (#5044)
* [New] Connection to Common Large Language Model Endpoints
* [New] Connection to Common Large Language Model Endpoints
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update command_and_control_common_llm_endpoint.toml
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-09-01 16:47:31 +01:00
Jonhnathan
ba354ceff9
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 (#5038)
2025-09-01 08:25:52 -07:00
shashank-elastic
93ac471574
Monthly Schema Updates (#5046)
2025-09-01 20:42:42 +05:30
Samirbous
61af3e801d
[New] Potential System Tampering via File Modification (#5043)
* [New] Potential System Tampering via File Modification
* Update impact_mod_critical_os_files.toml
* Update rules/windows/impact_mod_critical_os_files.toml
* Create defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-01 15:52:26 +01:00
Samirbous
e1205cb5c5
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 (#5001)
* [New/Tuning] Windows Top Threats 2024/2025
1) MSHTA:
- tuning to exclude FPs
- new rule `Remote Script via Microsoft HTML Application` compatible with 3rd party EDR/sysmon/system/winlog integration and that does not require correlation or multiple types of events.
2) MSIEXEC:
* Update defense_evasion_mshta_susp_child.toml
* Update defense_evasion_script_via_html_app.toml
* Update defense_evasion_mshta_susp_child.toml
* Create defense_evasion_msiexec_remote_payload.toml
* Update defense_evasion_msiexec_remote_payload.toml
* ++
* Create execution_scripting_remote_webdav.toml
* Create execution_windows_fakecaptcha_cmd_ps.toml
* Create command_and_control_rmm_netsupport_susp_path.toml
* Update command_and_control_rmm_netsupport_susp_path.toml
* ++
* Update execution_jscript_fake_updates.toml
* Create command_and_control_dns_susp_tld.toml
* ++
* Create command_and_control_remcos_rat_iocs.toml
* Update execution_windows_fakecaptcha_cmd_ps.toml
* Update execution_scripts_archive_file.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* ++
* Create execution_nodejs_susp_patterns.toml
* Update execution_nodejs_susp_patterns.toml
* Update execution_windows_fakecaptcha_cmd_ps.toml
* Fix unit test errors
* Update defense_evasion_network_connection_from_windows_binary.toml
* Add system index
* Add tag
* Update rules/windows/command_and_control_remcos_rat_iocs.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
* Remove duplicate
* Update defense_evasion_msiexec_child_proc_netcon.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Create credential_access_browsers_unusual_parent.toml
* Update credential_access_browsers_unusual_parent.toml
* ++
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_remcos_rat_iocs.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_mshta_susp_child.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/execution_windows_phish_clickfix.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update discovery_host_public_ip_address_lookup.toml
* Update execution_windows_phish_clickfix.toml
* Update rules/windows/defense_evasion_script_via_html_app.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/credential_access_browsers_unusual_parent.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/execution_nodejs_susp_patterns.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update discovery_host_public_ip_address_lookup.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_script_via_html_app.toml
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-01 15:41:51 +01:00
Jonhnathan
b2bc6021f2
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths (#5037)
* [Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths
* ++
* Update defense_evasion_workfolders_control_execution.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
2025-09-01 05:31:12 -07:00
Jonhnathan
dd918b1f80
[Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation (#5039)
2025-09-01 05:09:31 -07:00
Jonhnathan
79daf3fc68
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 (#5028)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 13:28:14 -07:00
Jonhnathan
ccedd45df1
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15 (#5030)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* ++
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 13:07:38 -07:00
Jonhnathan
86dd350579
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 (#5029)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:50:59 -07:00
Jonhnathan
7eec833ec8
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 (#5027)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12
* Update rules/windows/persistence_app_compat_shim.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:40:03 -07:00
Jonhnathan
41dd521546
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11 (#5026)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:28:49 -07:00
Jonhnathan
9c08869575
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 9 (#5024)
2025-08-28 12:15:25 -07:00
Jonhnathan
be18b4db16
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8 (#5023)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update defense_evasion_wdac_policy_by_unusual_process.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 12:04:55 -07:00
Jonhnathan
48dfb759cd
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 7 (#5022)
2025-08-28 11:51:45 -07:00
Jonhnathan
1af98a6170
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 (#5021)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update defense_evasion_proxy_execution_via_msdt.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 11:37:15 -07:00
Jonhnathan
b91e73714e
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 (#5020)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5
* Update defense_evasion_ms_office_suspicious_regmod.toml
2025-08-28 11:26:09 -07:00
Jonhnathan
85a0d27b13
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4 (#5019)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 11:05:42 -07:00
Jonhnathan
0fbf57c1d9
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3 (#5018)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 3
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_file_creation_mult_extension.toml
* Update rules/windows/defense_evasion_file_creation_mult_extension.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 10:55:21 -07:00
Jonhnathan
8ab98458fa
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2 (#5017)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 2
* Update defense_evasion_code_signing_policy_modification_registry.toml
* Update defense_evasion_communication_apps_suspicious_child_process.toml
* Update rules/windows/defense_evasion_communication_apps_suspicious_child_process.toml
* Update defense_evasion_communication_apps_suspicious_child_process.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 10:40:34 -07:00
Jonhnathan
00c6e785cb
[Rule Tuning] Windows - Small Adjusts for Compatibility (#5032)
2025-08-28 10:20:13 -07:00
Jonhnathan
9c2ceb2bd7
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1 (#5016)
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 1
* Update defense_evasion_amsi_bypass_dllhijack.toml
* Update command_and_control_outlook_home_page.toml
* Update command_and_control_outlook_home_page.toml
* Update defense_evasion_amsi_bypass_dllhijack.toml
* Update rules/windows/command_and_control_port_forwarding_added_registry.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2025-08-28 06:43:09 -07:00
Samirbous
9dfc42aa1d
[Tuning] Connection to Commonly Abused Web Services - alerts JetBrains to GH (#4973)
* Update command_and_control_common_webservices.toml
* Update command_and_control_common_webservices.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-08-18 17:21:04 +01:00
Jonhnathan
58f62fd138
[Rule Tuning] Suspicious Windows Powershell Arguments (#4961)
2025-08-18 09:02:04 -07:00
Jonhnathan
0507bcd150
[Rule Tuning] ES|QL PowerShell Rules (#4984)
2025-08-18 08:44:18 -07:00
Jonhnathan
273650d746
[Rule Tuning] Potential RemoteMonologue Attack (#4967)
* [Rule Tuning] Potential RemoteMonologue Attack
* Update defense_evasion_regmod_remotemonologue.toml
2025-08-18 08:22:53 -07:00
shashank-elastic
c28b6d84b5
Investigation guides Update (#4990)
2025-08-18 20:36:46 +05:30
Jonhnathan
5f7b821e12
[Rule Tuning] Suspicious PrintSpooler Service Executable File Creation (#4976)
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-08-18 06:29:28 -07:00
Samirbous
36b33e2c13
Update persistence_services_registry.toml (#4989)
2025-08-18 14:05:25 +01:00
Jonhnathan
c8ee4c8ce3
[New Rule] Potential Web Shell ASPX File Creation (#4939)
* [New Rule] Potential Web Shell ASPX File Creation
* Update persistence_web_shell_aspx_write.toml
* Update persistence_web_shell_aspx_write.toml
2025-08-15 12:09:06 -03:00
Jonhnathan
532b68cc93
[Rule Tuning] PowerShell Script Block Logging Disabled (#4980)
2025-08-14 17:29:45 -03:00
Jonhnathan
8f441a7191
[Rule Tuning] Creation or Modification of Root Certificate (#4970)
* [Rule Tuning] Creation or Modification of Root Certificate
* Update defense_evasion_create_mod_root_certificate.toml
* Update rules/windows/defense_evasion_create_mod_root_certificate.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-08-13 09:41:57 -03:00
Jonhnathan
1dd1bb8f1e
[Rule Tuning] Fixes FPs related to a process.args_count bug (#4971)
2025-08-13 08:46:46 -03:00
Terrance DeJesus
b28338c680
[Rule Tuning] ESQL Query Field Dynamic Field Standardization (#4912)
* adjusted Potential Widespread Malware Infection Across Multiple Hosts
* adjusted Microsoft Azure or Mail Sign-in from a Suspicious Source
* adjusted AWS EC2 Multi-Region DescribeInstances API Calls
* adjusted AWS Discovery API Calls via CLI from a Single Resource
* adjusted AWS Service Quotas Multi-Region Requests
* adjusted AWS EC2 EBS Snapshot Shared or Made Public
* adjusted AWS S3 Bucket Enumeration or Brute Force
* adjusted AWS EC2 EBS Snapshot Access Removed
* adjusted Potential AWS S3 Bucket Ransomware Note Uploaded
* adjusted AWS S3 Object Encryption Using External KMS Key
* adjusted AWS S3 Static Site JavaScript File Uploaded
* adjusted AWS Access Token Used from Multiple Addresses
* adjusted AWS Signin Single Factor Console Login with Federated User
* adjusted AWS IAM AdministratorAccess Policy Attached to Group
* adjusted AWS IAM AdministratorAccess Policy Attached to Role
* adjusted AWS IAM AdministratorAccess Policy Attached to User
* adjusted AWS Bedrock Invocations without Guardrails Detected by a Single User Over a Session
* adjusted AWS Bedrock Guardrails Detected Multiple Violations by a Single User Over a Session
* adjusted AWS Bedrock Guardrails Detected Multiple Policy Violations Within a Single Blocked Request
* adjusted Unusual High Confidence Content Filter Blocks Detected
* adjusted Potential Abuse of Resources by High Token Count and Large Response Sizes
* AWS Bedrock Detected Multiple Attempts to use Denied Models by a Single User
* Unusual High Denied Sensitive Information Policy Blocks Detected
* adjusted Unusual High Denied Topic Blocks Detected
* adjusted AWS Bedrock Detected Multiple Validation Exception Errors by a Single User
* adjusted Unusual High Word Policy Blocks Detected
* adjusted Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties
* adjusted Azure Entra MFA TOTP Brute Force Attempts
* adjusted Microsoft Entra ID Sign-In Brute Force Activity
* adjusted Microsoft Entra ID Exccessive Account Lockouts Detected
* adjusted Microsoft 365 Brute Force via Entra ID Sign-Ins
* deprecated Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source
* adjusted Microsoft Entra ID Session Reuse with Suspicious Graph Access
* adjusted Suspicious Microsoft OAuth Flow via Auth Broker to DRS
* adjusted Potential Denial of Azure OpenAI ML Service
* adjusted Azure OpenAI Insecure Output Handling
* adjusted Potential Azure OpenAI Model Theft
* adjusted M365 OneDrive Excessive File Downloads with OAuth Token
* adjusted Multiple Microsoft 365 User Account Lockouts in Short Time Window
* adjusted Potential Microsoft 365 User Account Brute Force
* adjusted Suspicious Microsoft 365 UserLoggedIn via OAuth Code
* adjusted Multiple Device Token Hashes for Single Okta Session
* adjusted Multiple Okta User Authentication Events with Client Address
* adjusted Multiple Okta User Authentication Events with Same Device Token Hash
* adjusted High Number of Okta Device Token Cookies Generated for Authentication
* adjusted Okta User Sessions Started from Different Geolocations
* adjusted High Number of Egress Network Connections from Unusual Executable
* adjusted Unusual Base64 Encoding/Decoding Activity
* adjusted Potential Port Scanning Activity from Compromised Host
* adjusted Potential Subnet Scanning Activity from Compromised Host
* adjusted Unusual File Transfer Utility Launched
* adjusted Potential Malware-Driven SSH Brute Force Attempt
* adjusted Unusual Process Spawned from Web Server Parent
* adjusted Unusual Command Execution from Web Server Parent
* adjusted Rare Connection to WebDAV Target
* adjusted Potential PowerShell Obfuscation via Invalid Escape Sequences
* adjusted Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion
* adjusted Unusual File Creation by Web Server
* adjusted Potential PowerShell Obfuscation via High Special Character Proportion
* adjusted Potential Malicious PowerShell Based on Alert Correlation
* adjusted Potential PowerShell Obfuscation via Character Array Reconstruction
* adjusted Potential PowerShell Obfuscation via String Reordering
* adjusted Potential PowerShell Obfuscation via String Concatenation
* adjusted Potential PowerShell Obfuscation via Reverse Keywords
* adjusted PowerShell Obfuscation via Negative Index String Reversal
* adjusted Dynamic IEX Reconstruction via Method String Access
* adjusted Potential Dynamic IEX Reconstruction via Environment Variables
* adjusted Potential PowerShell Obfuscation via High Numeric Character Proportion
* adjusted Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation
* adjusted Rare Connection to WebDAV Target
* adjusted Potential PowerShell Obfuscation via Invalid Escape Sequences
* adjusted Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion
* adjusted Potential PowerShell Obfuscation via Character Array Reconstruction
* adjusted Potential PowerShell Obfuscation via High Special Character Proportion
* adjusted Potential PowerShell Obfuscation via Special Character Overuse
* adjusted Potential PowerShell Obfuscation via String Reordering
* adjusted Suspicious Microsoft 365 UserLoggedIn via OAuth Code
* adjusted fields that were inconsistent
* adjusted additional fields
* adjusted esql to Esql
* adjusted several rules for common field names
* updating rules
* updated dates
* updated dates
* updated ESQL fields
* lowercase all functions and logical operators
* adjusted dates for unit tests
* Update Esql_priv to Esql_temp as these don't hold PII
* PowerShell adjustments
* Make query comments consistent
* update comment
* reverted 2856446a-34e6-435b-9fb5-f8f040bfa7ed
* Update rules/windows/discovery_command_system_account.toml
* removed dot notation
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-08-05 19:35:41 -04:00
shashank-elastic
2c2b15368c
Update latest integration manifests and schema and investigation guides (#4957)
2025-08-04 19:30:01 +05:30
Jonhnathan
04ca2c8128
[New Rule] Unusual Web Config File Access (#4927)
* [New Rule] Unusual Web Config File Access
* Update credential_access_web_config_file_access.toml
2025-08-01 09:35:08 -03:00
Jonhnathan
3de9456197
[Rule Tuning] Script Execution via Microsoft HTML Application (#4950)
2025-08-01 07:55:14 -03:00
shashank-elastic
7175b3ab06
Add investigation guides for detection rules (#4886)
2025-07-08 00:25:42 +05:30
shashank-elastic
9b292b97ea
Prep 8.19/9.1 (#4869)
* Prep 8.19/9.1 Release
* Download Beats Schema
* Download API Schema
* Download 8.18.3 Beats Schema
* Download Latest Integrations manifest and schema
* Comment old schemas
* Update Patch version
2025-07-07 11:27:48 -04:00
Jonhnathan
782605ae07
[Rule Tuning] PowerShell Windows Defender ATP DataCollection Scripts (#4867)
* [Rule Tuning] PowerShell Windows Defender ATP DataCollection Scripts
* bump updated_date
* Fix DSL exception
2025-07-07 10:56:13 -03:00
Jonhnathan
d42128cdbf
[Rule Tuning] Windows Misc Tuning (#4870)
* [Rule Tuning] Windows Misc Tuning
* Update execution_command_shell_started_by_svchost.toml
* bump
* Update rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_persistence_account_tokenfilterpolicy.toml
2025-07-07 10:32:12 -03:00
Samirbous
4fb31c7ea6
Update command_and_control_new_terms_commonly_abused_rat_execution.toml (#4842)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-06-25 12:39:48 -03:00
Jonhnathan
82708867e3
[Rule Tuning] First Time Seen NewCredentials Logon Process (#4844)
* [Rule Tuning] First Time Seen NewCredentials Logon Process
* Update rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-06-24 12:25:56 -03:00