Eric Forte
4edef2ea80
[FR][DAC] Import Rules Verbose Message (#4093)
* Draft Verbose Message
* Fix Linting
* Made more descriptive
* Updated for readability
2024-10-09 17:19:59 -04:00
Terrance DeJesus
281926052c
[Rule Tuning] Add METADATA checks for non-aggregate ES|QL queries and fix existing (#4126)
* fixed existing rules; added query checks
* fixed flake errors
* added re.DOTALL to regex pattern, adjusted pattern slightly; reverted some rules
* removed valueError and replaced ValidationError
* adjusted validation error output based on feedback
* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/integrations/aws/persistence_iam_user_created_access_keys_for_another_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* added space for failure
* updated to use re.compile
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-10-09 15:25:36 -04:00
Terrance DeJesus
7674229f49
[New Rule] Successful Application SSO from Rare Unknown Client Device (#4141)
* new rule 'Successful Application SSO from Rare Unknown Client Device'
* removing extra newlines
* adjusted tags; adjusted risk
2024-10-07 12:11:57 -04:00
Terrance DeJesus
50e23ba242
[Hunting] Re-factor Hunting Library Code (#4085)
* updating python code for hunting library
* fixed okta queries; added MITRE search capability
* fixed hunting unit test imports
* fixed duplicate UUID; fixed duplicate index entry bug
* fixed technique finding sub-technique in search
* added more unit tests
* linted
* flake errors addressed; fixed unit test import; fixed markdown generate bug
* added description for generate-markdown command
* updated README
* adjusted YAML index, adjusted code for index changes
* adjusted relative imports; updated CODEOWNERS
* adding updates; moving to different branch for main dependencies
* finished run-query command; made some code adjustments
* removed some comments
* revised makefile; fixed unit tests; adjusted detection rules pyproject
* updated README
* updated README
* adjusted unit tests; adjusted hunt guidelines; updated makefile; adjusted several commands
* adjusted package to be more object-oriented
* removed unused variable
* Add simple breakdown stats
* addressed feedback; added keyword option for search
* Update hunting/README.md
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/etc/test_hunting_cli.bash
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
* addressing feedback
* addressed feedback
* added message for unknown index; fixed function call
* fixed search command
* fixed flake error
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2024-10-03 12:47:40 -04:00
Terrance DeJesus
45a347580c
[Rule Tuning] Fixing Incorrect ES|QL Operator Use - AWS Service Quotas Multi-Region GetServiceQuota Request (#4118)
* fixing single equal operator
* Additional data source tag for consistency
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2024-10-02 15:50:22 -04:00
protections machine
51859e57f3
Sync RTA Base64 or Xxd Decode Argument Evasion (#4113)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-01 23:10:34 +05:30
protections machine
e6646790d5
Sync RTA Suspicious Echo Execution (#4110)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-01 22:57:13 +05:30
protections machine
264938236c
Sync RTA Hexadecimal Payload Execution (#4109)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-01 22:47:04 +05:30
protections machine
9e539e82f4
Sync RTA Potential Process Injection via dd (#4108)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-10-01 22:36:56 +05:30
protections machine
37ba89bc3e
Sync RTA Linux Telegram API Request (#4107)
2024-10-01 22:28:29 +05:30
github-actions[bot]
80143b23b2
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4116)
2024-10-01 18:14:03 +05:30
Samirbous
a68a404bd8
Update defense_evasion_posh_assembly_load.toml (#4112)
2024-10-01 17:30:38 +05:30
Ruben Groenewoud
5b41bbd5e9
[Tuning] Updated references (#4114)
2024-10-01 08:43:14 -03:00
Terrance DeJesus
ef4e433d97
[Rule Tuning] Ignore "Not Available" in o365.audit.UserId for Microsoft 365 Rules (#4105)
* tuning M365 impossible travel activity rules
* added additional filters for user type logins
* adjusted updated date
2024-09-28 18:13:03 -04:00
Samirbous
1d1b2eb90f
Update command_and_control_tunnel_vscode.toml (#4104)
2024-09-28 11:46:46 +01:00
shashank-elastic
ef95a541f4
Fix GenAI Request Model ID Field (#4111)
2024-09-27 21:59:02 +05:30
Ruben Groenewoud
a3e89a7fab
[New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE) (#4106)
* [New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE)
* Description update
* Investigation Guide Update
2024-09-27 14:48:03 +02:00
Mika Ayenson
b80d8342d6
[Docs | Rule Tuning] Add blog references to rules (#4097)
* [Docs | Rule Tuning] Add blog references to rules
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Apply suggestions from code review
* Update google_workspace blog references
* add okta blog references
* Update dates
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-09-25 15:19:20 -05:00
Isai
0ed6b3f0a2
[Rule Tuning] AWS STS GetCallerIdentity API Called for the First Time (#4094)
Tuning this rule to exclude identity type `AssumedRole` as this is too common a behavior, often automated, and used to verify current identity and role assumptions. Therefore it is not as indicative of suspicious behavior when used by assumed roles. This rule will still trigger for `IAM User` and `Federated User` identity types. In telemetry this change reduces alerts from ~240,000 to 43 in the last 30 days.
2024-09-24 09:32:12 -04:00
github-actions[bot]
fab842b414
Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4091)
* Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md
* Update docs/ATT&CK-coverage.md
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-09-19 23:25:32 +05:30
shashank-elastic
e2f1fcefa8
Add flag to update the docs/ATT&CK-coverage.md with markdown URL(s) (#4077)
2024-09-19 23:12:01 +05:30
Samirbous
5e0fb4a63e
[Tuning] Add logs-panw.panos index to Network rules (#4089)
* [Tuning] Add logs-panw.panos index to Network rules
https://github.com/elastic/detection-rules/issues/3998
This PR adds the PANOS traffic index `.ds-logs-panw.panos-default-*` to the network rules using fields that are compatible.
* add tag and integration
* Update command_and_control_fin7_c2_behavior.toml
* Build Manifest and Schema for panw integration
* Update definitions.py
* Update definitions.py
* Fix definitions declaration
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co>
2024-09-19 08:01:44 +01:00
Mika Ayenson
df31c002ca
[Bug] Handle formatting empty list (#4086)
2024-09-17 13:25:17 -05:00
Samirbous
def2a9ef09
[New] ROT encoded Python Script Execution (#4084)
* [New] ROT encoded Python Script Execution
* Update defense_evasion_encoding_rot13_python_script.toml
* ++
* Update defense_evasion_encoding_rot13_python_script.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-09-17 16:52:46 +01:00
Terrance DeJesus
9181c00586
[New Hunt] Add Initial Okta Hunting Queries (#4064)
* adding new Okta hunting queries
* query format changes
* adding docs
* added query for mfa bombing
* adding remainder hunting queries
* adjusted incorrect hunt
* updated queries
* updated queries based on Samir's feedback
* removed failed login eval
* updated docs
2024-09-16 14:36:44 -04:00
github-actions[bot]
574064272d
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 (#4082)
2024-09-16 21:43:16 +05:30
shashank-elastic
814130bf34
min_stack New Rules that use the S1 Integration (#4081)
2024-09-16 20:12:09 +05:30
Jonhnathan
7c78e4081f
[Rule Tuning] min_stack New Rules that use the S1 Integration (#4079)
* [Rule Tuning] min_stack New Rules that use the S1 Integration
* Update execution_windows_powershell_susp_args.toml
* Update execution_initial_access_foxmail_exploit.toml
2024-09-16 11:02:46 -03:00
Samirbous
31ca246ea7
[New] Potential Foxmail Exploitation (#4044)
* Create execution_initial_access_foxmail_exploit.toml
* Update execution_initial_access_foxmail_exploit.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-09-16 12:29:40 +01:00
Samirbous
41a7a5f049
[New] Execution via Windows Command Debugging Utility (#3918)
* [New] Execution via Windows Command Debugging Utility
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/
* Update defense_evasion_lolbas_win_cdb_utility.toml
* ++
* Update defense_evasion_lolbas_win_cdb_utility.toml
2024-09-16 09:14:39 +01:00
Samirbous
f26d7fc81b
[New] Persistence via a Windows Installer (#4055)
* Create persistence_msi_installer_task_startup.toml
* Update persistence_msi_installer_task_startup.toml
* Update persistence_msi_installer_task_startup.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-09-16 07:50:57 +01:00
Samirbous
b60b6e2af3
[New] Attempt to establish VScode Remote Tunnel (#4061)
* [New] Attempt to establish VScode Remote Tunnel
* Update command_and_control_tunnel_vscode.toml
* Update command_and_control_tunnel_vscode.toml
* Update command_and_control_tunnel_vscode.toml
* Update rules/windows/command_and_control_tunnel_vscode.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2024-09-16 07:39:39 +01:00
Samirbous
3a3400c8e5
[New] MsiExec Service Child Process With Network Connection (#4062)
* [New] MsiExec Service Child Process With Network Connection
Converted an ER diag rule to a SIEM rule as it matches on a good number of MSI-related FNs.
* Update defense_evasion_msiexec_child_proc_netcon.toml
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-09-15 20:22:44 +01:00
Samirbous
56fc2beb46
[New] Suspicious PowerShell Execution via Windows Scripts (#4060)
* [New] Suspicious PowerShell Execution via Windows Scripts
This PR converts this ER https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml#L5 to a SIEM rule compatible with S1, M365D and Winlog/sysmon.
* Update execution_powershell_susp_args_via_winscript.toml
* Create defense_evasion_script_via_html_app.toml
* ++
* Update defense_evasion_script_via_html_app.toml
* Update execution_powershell_susp_args_via_winscript.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-09-15 19:51:21 +01:00
Samirbous
b6162abefa
[New] WPS Office Exploitation via DLL Hijack (#4043)
* Create execution_initial_access_wps_dll_exploit.toml
* Update execution_initial_access_wps_dll_exploit.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-09-15 11:23:35 +01:00
Samirbous
9255dafe53
[New] Detonate LNK TOP Rules (#4058)
* [New] Detonate LNK TOP Rules
The following two rules are the top ones matching on TPs from detonate for LNK files; converting them to SIEM rules compatible with Sysmon/Winlogbeat, SentinelOne and M365 Defender:
https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution.toml#L8
https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_windows_command_shell_execution.toml#L8
* Update execution_windows_cmd_shell_susp_args.toml
* Update execution_windows_powershell_susp_args.toml
* Update execution_windows_cmd_shell_susp_args.toml
* Update execution_windows_powershell_susp_args.toml
* Update execution_windows_powershell_susp_args.toml
* Update execution_windows_cmd_shell_susp_args.toml
* Update execution_windows_powershell_susp_args.toml
* Update rules/windows/execution_windows_cmd_shell_susp_args.toml
* Update rules/windows/execution_windows_powershell_susp_args.toml
* Update execution_windows_cmd_shell_susp_args.toml
* Update execution_windows_cmd_shell_susp_args.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-09-15 10:49:17 +01:00
Terrance DeJesus
bb9a772870
[New Rule] Okta Public Client App OAuth Token Request with Client Credentials (#4074)
* adding new rule for Okta public client app OAuth token request with client credentials
* Update detection_rules/etc/non-ecs-schema.json
* changing new terms to okta.actor.display_name
* linted; added references
2024-09-13 14:57:49 -04:00
Samirbous
cad3865fcf
[New] Potential Escalation via Vulnerable MSI Repair - CVE-2024-38014 (#4076)
* [New] Potential Escalation via Vulnerable MSI Repair
https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detailed-journey/
* Update privilege_escalation_msi_repair_via_mshelp_link.toml
* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-09-13 17:57:44 +01:00
Jonhnathan
c3160b9279
[New Rule] PowerShell Script with Windows Defender Tampering Capabilities (#4075)
* [New Rule] PowerShell Script with Windows Defender Tampering Capabilities
* .
2024-09-13 11:51:19 -03:00
shashank-elastic
eda179bbe1
Skip Development Rules from Security Docs (#4073)
2024-09-13 19:57:00 +05:30
shashank-elastic
3e25ea8c2b
[New Rule] AWS Bedrock Detections (#4072)
2024-09-13 19:46:47 +05:30
Thijs Xhaflaire
df1f0bc98e
[New Rule] Add Jamf Protect detection rules (#4047)
* Create privilege_escalation_user_added_to_admin_group.toml
* Update privilege_escalation_user_added_to_admin_group.toml
* Update privilege_escalation_user_added_to_admin_group.toml
* Adding pbpaste detection rule and minor adjustments to user added to group
* Update credential_access_high_volume_of_pbpaste.toml
* Update credential_access_high_volume_of_pbpaste.toml
* Adding two rules to validate our approach.
* Updated index to "logs-jamf_protect*"
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Moved to rules/macos folder
* Removed rules from integration/jamf folder
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* minstack rules and support jamf_protect non-dataset
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
2024-09-12 15:03:56 -05:00
Terrance DeJesus
29051c2e33
[New Rule] Cross Platform: AWS SendCommand API Call with Run Shell Command Parameters (#4052)
* add new rule 'AWS SSM with Run Shell Command Parameters'
* linting
* Update rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* reverting suggestion; causes KQL parser errors for optimization
* fixing query command filter
* added linux event type filter
* fixing array
* fixed description
* Update rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-09-11 13:40:25 -04:00
shashank-elastic
8618b1ad73
Support toml lint for investigate transforms (#4066)
2024-09-11 20:45:36 +05:30
Jonhnathan
127a56aede
[Rule Tuning] Remote Execution via File Shares (#4067)
* [Rule Tuning] Remote Execution via File Shares
* Update lateral_movement_execution_via_file_shares_sequence.toml
2024-09-11 10:49:41 -03:00
protections machine
a8dd78d834
Sync RTA Hidden Executable Initiated Egress Network Connection (#4070)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-09-11 18:27:18 +05:30
protections machine
4cab0e7d04
Sync RTA Socat Reverse Shell or Listener Activity (#4071)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-09-11 18:14:29 +05:30
protections machine
6a76bbb8d2
Sync RTA Potential Persistence via Direct Crontab Modification (#4069)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2024-09-11 17:44:37 +05:30
protections machine
09a6803804
Sync RTA Kill Command Executed from Binary in Unusual Location (#4068)
2024-09-11 17:30:07 +05:30
Samirbous
dc9c58527f
[Tuning] Unusual Network Activity from a Windows System Binary (#4065)
* Update defense_evasion_network_connection_from_windows_binary.toml
* Update defense_evasion_network_connection_from_windows_binary.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2024-09-10 13:30:56 -03:00