a76c51ae17
[Deprecation rule] DNS Activity to the Internet ( #2221 )
2022-08-02 20:59:35 -05:00
a52751494e
2058 add setup field to metadata ( #2061 )
...
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2022-07-18 15:41:32 -04:00
93edc44284
[Rule Tuning] Timeline Templates For Windows and Linux ( #1892 )
...
* added comprehensive file timeline to Hosts File Modified rule
* added Comprehensive Process Timeline to Interactive Terminal Spawned via Python rule
* updated rules to have generic instead of comprehensive
* updated several rules with timeline ID and timeline title values
* changed updated_date for threat intel fleet integrations
* added missing templates to timeline_templates dict in definitions.py
* added comprehensive timeline templates to alerts after definitions.py was updated
* updated rules with comprehensive timeline templates and added min stack comments and versions
* removing timeline template changes which is tracked in #1904
* Update rules/linux/execution_python_tty_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Delete Pipfile
Removing pipfile
* Delete Pipfile.lock
deleting pipfile.lock
* Update rules/windows/execution_command_shell_started_by_svchost.toml
updating title
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-04-01 13:44:35 -04:00
7b0383ffe2
[Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL ( #1651 )
...
* Update command_and_control_download_rar_powershell_from_internet.toml
* bump updated_date
2021-12-07 09:09:03 -03:00
5e4a7e67df
[Rule Tuning] Small update on rule descriptions ( #1508 )
2021-09-30 12:54:15 -08:00
f8f643041a
[Rule tuning] Revise rule description and other text ( #1398 )
2021-08-03 13:07:47 -08:00
b736d6e748
[Rule Tuning] Rule description tweaks ( #1388 )
2021-07-29 10:56:13 -08:00
34df7c6b89
[Rule Tuning] Add Filebeat and Auditbeat to Network Rules ( #1282 )
...
* standardized indices and added the from field
2021-07-20 22:59:22 -08:00
a8c9d7174f
Update initial_access_smb_windows_file_sharing_activity_to_the_internet.toml ( #1225 )
2021-06-22 10:22:01 -04:00
12577f7380
[Rule Tuning] Update network rule address blocks ( #1227 )
...
* Update network rule address blocks
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-06-15 09:22:59 -04:00
6ef5c53b0c
Cleanup note field in rules ( #1194 )
...
* standardize usage of note field
2021-05-10 13:40:56 -08:00
ff45539369
[Deprecation] Deprecate inherently noisy rules based on testing ( #1122 )
...
* Demote maturity
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-04-21 15:10:06 -04:00
66dff28498
[Rule Tuning] Public IP Reconnaissance Activity ( #1091 )
...
* Delete discovery_post_exploitation_public_ip_reconnaissance.toml
* Updated ip lookup rule
* Modified index field
* Update discovery_post_exploitation_external_ip_lookup.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
* Update rules/windows/discovery_post_exploitation_external_ip_lookup.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-14 09:58:00 -05:00
0b65678d8c
[Rule tuning] Correct tags with associated threat mappings ( #1003 )
2021-03-08 14:12:29 -09:00
3fc34b86f2
Update License to Elastic v2 ( #944 )
2021-03-03 22:12:11 -09:00
645a0cd67b
[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules ( #945 )
...
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
2021-02-17 19:49:58 -09:00
a77bd6178f
Merge remote-tracking branch 'upstream/7.11' into merge-7.11-to-7.12
...
# Conflicts:
# rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
2021-02-17 14:11:50 -09:00
90a9320f93
[Rule Tuning] Remove timestamp_override for endgame-* promotion rules ( #951 )
...
* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
2021-02-17 13:48:57 -09:00
6ce418877f
Merge remote-tracking branch 'upstream/7.12' into merge-7.11-to-7.12
...
# Conflicts:
# etc/version.lock.json
# rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
# rules/cross-platform/impact_hosts_file_modified.toml
# rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
# rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
# rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
# rules/linux/defense_evasion_timestomp_touch.toml
# rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
# rules/macos/credential_access_credentials_keychains.toml
# rules/macos/credential_access_promt_for_pwd_via_osascript.toml
# rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
# rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
# rules/promotions/external_alerts.toml
# rules/windows/collection_email_powershell_exchange_mailbox.toml
# rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
# rules/windows/collection_winrar_encryption.toml
# rules/windows/command_and_control_common_webservices.toml
# rules/windows/command_and_control_encrypted_channel_freesslcert.toml
# rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
# rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
# rules/windows/command_and_control_teamviewer_remote_file_copy.toml
# rules/windows/credential_access_cmdline_dump_tool.toml
# rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
# rules/windows/credential_access_credential_dumping_msbuild.toml
# rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
# rules/windows/credential_access_dump_registry_hives.toml
# rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
# rules/windows/credential_access_iis_connectionstrings_dumping.toml
# rules/windows/credential_access_kerberoasting_unusual_process.toml
# rules/windows/credential_access_lsass_memdump_file_created.toml
# rules/windows/credential_access_mimikatz_memssp_default_logs.toml
# rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
# rules/windows/defense_evasion_clearing_windows_event_logs.toml
# rules/windows/defense_evasion_code_injection_conhost.toml
# rules/windows/defense_evasion_cve_2020_0601.toml
# rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
# rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
# rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
# rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
# rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
# rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
# rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
# rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
# rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
# rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
# rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
# rules/windows/defense_evasion_hide_encoded_executable_registry.toml
# rules/windows/defense_evasion_iis_httplogging_disabled.toml
# rules/windows/defense_evasion_injection_msbuild.toml
# rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
# rules/windows/defense_evasion_masquerading_renamed_autoit.toml
# rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
# rules/windows/defense_evasion_masquerading_trusted_directory.toml
# rules/windows/defense_evasion_modification_of_boot_config.toml
# rules/windows/defense_evasion_port_forwarding_added_registry.toml
# rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
# rules/windows/defense_evasion_sdelete_like_filename_rename.toml
# rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
# rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
# rules/windows/defense_evasion_suspicious_zoom_child_process.toml
# rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
# rules/windows/defense_evasion_unusual_dir_ads.toml
# rules/windows/defense_evasion_unusual_system_vp_child_program.toml
# rules/windows/defense_evasion_via_filter_manager.toml
# rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
# rules/windows/discovery_adfind_command_activity.toml
# rules/windows/discovery_admin_recon.toml
# rules/windows/discovery_file_dir_discovery.toml
# rules/windows/discovery_net_command_system_account.toml
# rules/windows/discovery_net_view.toml
# rules/windows/discovery_peripheral_device.toml
# rules/windows/discovery_process_discovery_via_tasklist_command.toml
# rules/windows/discovery_query_registry_via_reg.toml
# rules/windows/discovery_remote_system_discovery_commands_windows.toml
# rules/windows/discovery_security_software_wmic.toml
# rules/windows/discovery_whoami_command_activity.toml
# rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
# rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
# rules/windows/execution_command_shell_started_by_powershell.toml
# rules/windows/execution_command_shell_started_by_svchost.toml
# rules/windows/execution_command_shell_started_by_unusual_process.toml
# rules/windows/execution_command_shell_via_rundll32.toml
# rules/windows/execution_from_unusual_directory.toml
# rules/windows/execution_from_unusual_path_cmdline.toml
# rules/windows/execution_shared_modules_local_sxs_dll.toml
# rules/windows/execution_suspicious_cmd_wmi.toml
# rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
# rules/windows/execution_suspicious_pdf_reader.toml
# rules/windows/execution_suspicious_powershell_imgload.toml
# rules/windows/execution_suspicious_psexesvc.toml
# rules/windows/execution_suspicious_short_program_name.toml
# rules/windows/execution_via_compiled_html_file.toml
# rules/windows/execution_via_hidden_shell_conhost.toml
# rules/windows/execution_via_net_com_assemblies.toml
# rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
# rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
# rules/windows/initial_access_script_executing_powershell.toml
# rules/windows/initial_access_suspicious_ms_office_child_process.toml
# rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
# rules/windows/initial_access_unusual_dns_service_children.toml
# rules/windows/initial_access_unusual_dns_service_file_writes.toml
# rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
# rules/windows/lateral_movement_execution_from_tsclient_mup.toml
# rules/windows/lateral_movement_local_service_commands.toml
# rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
# rules/windows/lateral_movement_rdp_enabled_registry.toml
# rules/windows/lateral_movement_rdp_tunnel_plink.toml
# rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
# rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
# rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
# rules/windows/persistence_adobe_hijack_persistence.toml
# rules/windows/persistence_appcertdlls_registry.toml
# rules/windows/persistence_appinitdlls_registry.toml
# rules/windows/persistence_evasion_registry_ifeo_injection.toml
# rules/windows/persistence_gpo_schtask_service_creation.toml
# rules/windows/persistence_local_scheduled_task_commands.toml
# rules/windows/persistence_ms_office_addins_file.toml
# rules/windows/persistence_ms_outlook_vba_template.toml
# rules/windows/persistence_priv_escalation_via_accessibility_features.toml
# rules/windows/persistence_registry_uncommon.toml
# rules/windows/persistence_run_key_and_startup_broad.toml
# rules/windows/persistence_services_registry.toml
# rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
# rules/windows/persistence_startup_folder_scripts.toml
# rules/windows/persistence_suspicious_com_hijack_registry.toml
# rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
# rules/windows/persistence_suspicious_scheduled_task_runtime.toml
# rules/windows/persistence_suspicious_service_created_registry.toml
# rules/windows/persistence_system_shells_via_services.toml
# rules/windows/persistence_user_account_creation.toml
# rules/windows/persistence_via_application_shimming.toml
# rules/windows/persistence_via_hidden_run_key_valuename.toml
# rules/windows/persistence_via_lsa_security_support_provider_registry.toml
# rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
# rules/windows/persistence_via_update_orchestrator_service_hijack.toml
# rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
# rules/windows/privilege_escalation_named_pipe_impersonation.toml
# rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
# rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
# rules/windows/privilege_escalation_rogue_windir_environment_var.toml
# rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
# rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
# rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
# rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
# rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
# rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
# rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
# rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
# rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
# rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
2021-02-17 12:18:06 -09:00
61deed3fd2
[Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules ( #948 )
...
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
2021-02-16 10:52:48 -09:00
64366218c7
adjust risk score ( #938 )
2021-02-08 13:15:42 -05:00
c1a0438f45
[Rule Tuning] Update ATT&CK threat mappings to reflect changes ( #706 )
...
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00
17cf79d076
[New Rule] Default Cobalt Strike Team Server Certificate ( #358 )
...
* initial commit
* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* updated to include sub-techniques
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-09 14:49:31 -06:00
e272800a5d
Add ATT&CK sub-technique support to CLI ( #614 )
...
* Add Mitre sub-technique support to CLI
* Add subtechnique enum to schema
* Add test to prevent duplicative tactics in mapping
2020-12-08 21:56:55 -09:00
97ee8cc9ac
Refresh beats and ecs schemas and default to use latest to validate ( #570 )
...
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
2020-12-01 13:24:20 -09:00
ee82ada716
[Rule Tuning] Update IP Address Ranges in Multiple Rules ( #576 )
...
* add additional IP ranges and format for readability
* remove superfluous "or" operators
2020-12-01 13:38:47 -07:00
f87f2a46f4
[Rule Tuning] Remove all rule timelines ( #466 )
2020-11-03 09:51:53 -09:00
da64bacac1
[Rule Tuning] Add timeline_title to rules with timeline IDs defined ( #452 )
2020-11-02 14:12:20 -09:00
580db2c13e
Add timeline_id to detection rules ( #95 )
...
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
- Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
2020-10-27 13:34:16 -05:00
2065af89b1
[Rule Tuning] Tag Categorization Updates ( #380 )
...
* Add new categorization tags
* Change updated_date to 2020/10/26
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >, @bm11100
2020-10-26 13:50:45 -05:00
2e422f7159
[Rule Tuning] Minor Rule Tweaks for 7.10 ( #400 )
...
* Tweak Rules for 7.10
* Add endpoint index for packetbeat rules
* update unit test to account for Network tag as well
* update modified date, add endpoint tag
* use Host instead of Endpoint
* Update packaging.py
* add v back to changelog url
* Add "tag" comment to get_markdown_rule_info
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2020-10-22 09:07:04 -04:00
758e4a2c5b
Add unit tests for rule tags ( #359 )
2020-10-07 19:29:19 -08:00
5ba848552a
[New Rule] Post Exploitation Public IP Reconnaissance ( #270 )
2020-09-30 15:36:22 -08:00
e753162fe2
[New Rule] Detecting Unsecure Elasticsearch Nodes ( #109 )
2020-09-30 15:34:38 -08:00
1a260536d4
[New Rule] RAR and PowerShell Downloaded from the Internet ( #30 )
2020-09-30 15:32:44 -08:00
faeac00465
[New Rule] Possible FIN7 Command and Control Behavior ( #28 )
2020-09-30 15:26:13 -08:00
1620559f1f
[New Rule] Halfbaked C2 Beacon ( #23 )
2020-09-30 15:21:33 -08:00
8caf897a73
[New Rule] Cobalt Strike Beacon ( #21 )
2020-09-30 14:58:24 -08:00
065bcd8018
Refresh ATT&CK data to v7.2 and expand threat validation ( #330 )
...
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
2020-09-23 22:03:29 -08:00
79a0dfefbe
Add ECS 1.6.0 schema for validation testing ( #220 )
...
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
2020-08-27 11:54:49 -05:00
680a04da8f
Fix terminology and doc links ( #54 )
2020-07-13 12:47:42 -06:00
e0f2e8b4a9
Add dataset and index to network rules ( #15 )
...
* Add dataset and index to network rules
* Restore iptables changes
* Fix beats parsing logic
* Updated date and ECS version
* Only update modules if empty
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2020-07-08 13:19:35 -06:00
1fac018f10
Update MySQL port to 3306 not 3336 ( #2 )
2020-07-01 09:52:04 -06:00
5fcece8416
Populate rules/ directory.
...
Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com >
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com >
Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com >
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-06-29 22:57:03 -06:00
Terrance DeJesus