Ruben Groenewoud
be5dad8941
[New Rule] Linux Shadow File Modification (#3737)
* [New Rule] Linux User Account Password Change
* Update rules/linux/persistence_user_password_change.toml
* Update persistence_user_password_change.toml
* Update persistence_user_password_change.toml
* Update persistence_user_password_change.toml
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
(cherry picked from commit 64f0e258cb)
2024-07-05 08:06:25 +00:00
Ruben Groenewoud
c46e92791f
[New Rules] Git Hook Execution/File Creation (#3832)
* [New Rules] Git Hook Execution/File Creation
* Update rules/linux/persistence_git_hook_file_creation.toml
* Update persistence_git_hook_process_execution.toml
(cherry picked from commit b311d49c2a)
2024-06-28 09:37:47 +00:00
Ruben Groenewoud
1c404b7861
[New Rule] DNF Package Manager Plugin File Creation (#3822)
* [New Rule] DNF Package Manager Plugin File Creation
* Update persistence_dnf_package_manager_plugin_file_creation.toml
(cherry picked from commit f33c25b118)
2024-06-28 09:18:02 +00:00
Ruben Groenewoud
1dad651fcc
[New Rules] rc.local Execution Rules (#3813)
* [New Rules] rc.local Execution Rules
* ++
* Update rules/linux/persistence_rc_local_error_via_syslog.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit edc501accf)
2024-06-28 08:02:25 +00:00
Ruben Groenewoud
733c138b18
[New Rule & Tuning] Systemd Generator Created (#3801)
(cherry picked from commit cd4fe07c2c)
2024-06-27 20:03:51 +00:00
Ruben Groenewoud
4b88408acf
[Rule Tuning] rc.local/rc.common File Creation (#3805)
(cherry picked from commit e941645b2f)
2024-06-27 19:53:55 +00:00
Ruben Groenewoud
2f292dacb4
[Rule Tuning] System V Init Script Created (#3811)
(cherry picked from commit 68bf4e453e)
2024-06-27 19:41:41 +00:00
Ruben Groenewoud
efd192d5f6
[Rule Tuning] Executable Bit Set for Potential Persistence Script (#3812)
* [Rule Tuning] Executable Bit Set for Potential Persistence Script
* Update rules/linux/persistence_potential_persistence_script_executable_bit_set.toml
* Update persistence_potential_persistence_script_executable_bit_set.toml
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
(cherry picked from commit 460b314f49)
2024-06-27 19:32:47 +00:00
Ruben Groenewoud
2bf7df1890
[New Rule] Privilege Escalation via SUID/SGID (#3793)
* [New Rule] Privilege Escalation via SUID/SGID
* unit test error fix?
* Update rules/linux/privilege_escalation_potential_suid_sgid_exploitation.toml
(cherry picked from commit c3ba7b1262)
2024-06-27 14:53:31 +00:00
Ruben Groenewoud
de7e0c7e38
[New Rule] User or Group Creation/Modification (#3804)
(cherry picked from commit 0ca16a1516)
2024-06-27 14:39:17 +00:00
Ruben Groenewoud
a8a6562872
[New Rules] Yum Plugin Creation / Discovery (#3820)
* [New Rules] Yum Plugin Creation / Discovery
* Update discovery_yum_plugin_detection.toml
* Update and rename discovery_yum_plugin_detection.toml to discovery_yum_dnf_plugin_detection.toml
(cherry picked from commit 6746a421c4)
2024-06-25 14:17:34 +00:00
Ruben Groenewoud
14de5313e8
[New Rules] PAM Module Creation & Unusual PAM Grantor (#3743)
* [New Rules] PAM Module Creation & Unusual PAM Grantor
* Update persistence_unusual_pam_grantor.toml
* Update persistence_pluggable_authentication_module_creation.toml
* Update rules/linux/persistence_pluggable_authentication_module_creation.toml
* Update persistence_pluggable_authentication_module_creation.toml
* Update persistence_unusual_pam_grantor.toml
* Update rules/linux/persistence_pluggable_authentication_module_creation.toml
(cherry picked from commit c87c4c9f5d)
2024-06-11 09:54:34 +00:00
Ruben Groenewoud
b6d29a6775
[Rule Tuning] Systemd-udevd Rule File Creation (#3738)
* [Rule Tuning] Systemd-udevd Rule File Creation
* Incompatible endgame field
* Update rules/linux/persistence_udev_rule_creation.toml
* Update rules/linux/persistence_udev_rule_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/persistence_udev_rule_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update persistence_udev_rule_creation.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 4cf0c2b9af)
2024-06-11 09:43:57 +00:00
Ruben Groenewoud
1e16e806c7
[New Rule] APT Package Manager Configuration File Creation (#3739)
* [New Rule] APT Package Manager Configuration File Creation
* Update rules/linux/persistence_apt_package_manager_file_creation.toml
* Update persistence_apt_package_manager_file_creation.toml
(cherry picked from commit 4003219aa1)
2024-06-11 07:46:33 +00:00
Ruben Groenewoud
6fadd533fe
[New Rule] Network Connection Initiated by SSH Parent Process (#3759)
* [New Rule] Network Connection Initiated by SSH Parent Process
* Update persistence_ssh_netcon.toml
* Update rules/linux/persistence_ssh_netcon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/persistence_ssh_netcon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update persistence_ssh_netcon.toml
* Update persistence_ssh_netcon.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 74f049cc7c)
2024-06-10 08:33:52 +00:00
Ruben Groenewoud
9f5c795ea5
[New Rule] Netcon through XDG Autostart Entry (#3741)
* [New Rule] Netcon through XDG Autostart Entry
* Update rules/linux/persistence_xdg_autostart_netcon.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update persistence_xdg_autostart_netcon.toml
* Update persistence_xdg_autostart_netcon.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 29bb52d2fb)
2024-06-10 08:20:29 +00:00
Ruben Groenewoud
7ba1a863b5
[New Rule] Executable Bit Set for rc.local/rc.common (#3736)
* [New Rule] Executable Bit Set for rc.local/rc.common
* Endgame compatibility
* Update rules/linux/persistence_rc_local_common_executable_bit_set.toml
(cherry picked from commit 70496f813f)
2024-06-10 08:00:14 +00:00
Ruben Groenewoud
886ce70678
[New Rule] Process Capability Set via setcap Utility (#3744)
* [New Rule] Process Capability Set via setcap Utility
* ++
* Update rules/linux/persistence_process_capability_set_via_setcap.toml
(cherry picked from commit d3e2f70ce2)
2024-06-06 10:47:40 +00:00
Ruben Groenewoud
71394edb86
[Rule Tuning] System Binary Moved or Copied (#3742)
* [Rule Tuning] System Binary Moved or Copied
* Added reference
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
(cherry picked from commit 8e6114f76c)
2024-06-06 10:27:50 +00:00
Ruben Groenewoud
fb82c0fe1b
[Rule Tuning] Potential Sudo Hijacking (#3745)
* [Rule Tuning] Potential Sudo Hijacking
* Update rules/linux/privilege_escalation_sudo_hijacking.toml
* Update rules/linux/privilege_escalation_sudo_hijacking.toml
(cherry picked from commit 61ab035f41)
2024-06-06 10:02:23 +00:00
Ruben Groenewoud
1d6361dece
[New Rule] SSH Key Generated via ssh-keygen (#3731)
* [New Rule] SSH Key Generated via ssh-keygen
* ++
* Update rules/linux/persistence_ssh_key_generation.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
(cherry picked from commit 342fde097f)
2024-06-06 09:53:51 +00:00
Ruben Groenewoud
6ff8f3a75f
[Rule Tuning] Shell Configuration Creation or Modification (#3732)
* [Rule Tuning] Shell Configuration Creation or Modification
* Incompatible endgame field
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 5f36f3a03e)
2024-06-05 08:31:16 +00:00
Ruben Groenewoud
1b3ccdd1d5
[Rule Tuning] Message-of-the-Day (MOTD) (#3730)
* [Rule Tuning] Message-of-the-Day (MOTD)
* Update persistence_message_of_the_day_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/persistence_message_of_the_day_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit e41a57f2ad)
2024-06-05 08:21:58 +00:00
Ruben Groenewoud
2d55e67da7
[Rule Tuning] Systemd Service & Timer (#3728)
* [Rule Tuning] Systemd Service & Timer
* Update
* Update persistence_systemd_scheduled_timer_created.toml
* Update persistence_systemd_service_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_systemd_service_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit bebf671881)
2024-06-05 08:04:19 +00:00
Ruben Groenewoud
8eea11e6ab
[New Rule & Tuning] (Ana)Cron & At Job Creation (#3726)
* [New Rule & Tuning] (Ana)Cron & At Job Creation
* Update persistence_at_job_creation.toml
* Update persistence_cron_job_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_at_job_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/persistence_cron_job_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 81ee6380ec)
2024-06-05 07:56:52 +00:00
shashank-elastic
06660cb2e1
Refresh MITRE Attack v15.1.0 (#3725)
(cherry picked from commit e357a2c050)
2024-06-04 14:48:18 +00:00
Ruben Groenewoud
0295db4b6b
[New Rule & Tunings] Linux Springtail Backdoor (#3692)
* [New Rules and Tuning] Springtail backdoor
* consistency formatting
* update
* unit testing formatting change
* Update persistence_systemd_service_started.toml
* Update persistence_systemd_service_started.toml
* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
(cherry picked from commit 390629da4e)
2024-05-24 08:13:21 +00:00
shashank-elastic
18fcd83683
Back-porting Version Trimming (#3704)
(cherry picked from commit 63e91c2f12)
2024-05-22 19:18:10 +00:00
Justin Ibarra
e7959e88b9
[Bug] Fix test_os_and_platform_in_query test and rules (#3695)
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
(cherry picked from commit ce21acef9c)
2024-05-20 15:51:28 +00:00
Ruben Groenewoud
d3faf0d0d6
[New Rule] Shell Configuration Modification (#3629)
* [New Rule] Shell Configuration Modification
* description update
* uuid update
* query update
* query update
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
(cherry picked from commit e29994c338)
2024-04-30 11:48:38 +00:00
Ruben Groenewoud
f7215a7ced
[Rule Tuning] Linux DRs (#3628)
(cherry picked from commit 115c3a6dfd)
2024-04-30 11:33:56 +00:00
Mirko Bez
a6ea41cae0
Add filebeat-* index pattern to rules based on system.auth dataset (#3561)
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
(cherry picked from commit 153657029b)
2024-04-03 09:36:00 +00:00
Samirbous
de3db7007a
[New] Potential Execution via XZBackdoor (#3555)
* [New] Potential Execution via XZBackdoor
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit f2490007e8)
2024-04-02 04:22:46 +00:00
Ruben Groenewoud
f0a06bc56b
[Rule Tuning] Potential Reverse Shell via UDP (#3508)
(cherry picked from commit a6028b43b3)
2024-03-21 12:56:41 +00:00
Ruben Groenewoud
4fec1a766e
[New Rules] mprotect() RWX Binary Execution (#3507)
* [New Rules] mprotect() RWX Binary Execution
* Added rule names
* Update execution_netcon_from_rwx_mem_region_binary.toml
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update execution_netcon_from_rwx_mem_region_binary.toml
* Update execution_netcon_from_rwx_mem_region_binary.toml
(cherry picked from commit 4179180fcb)
2024-03-13 21:18:29 +00:00
Ruben Groenewoud
11168606d5
[Tuning] event.action and event.type change (#3495)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 9f8638a004)
2024-03-13 09:16:45 +00:00
Jonhnathan
9101dfc064
[Security Content] Small tweaks on the setup guides (#3308)
* [Security Content] Small tweaks on the setup guides
* Additional Fixes
* Avoid touching deprecated rules
(cherry picked from commit 458e67918a)
2024-03-11 12:15:22 +00:00
Ruben Groenewoud
28220d0ccd
[Tuning] Linux DR Tuning - Part 12 (#3464)
* [Tuning] Linux DR Tuning - Part 12
* Update persistence_shared_object_creation.toml
* Update privilege_escalation_dac_permissions.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Min stack rule-bending test
* formatting fix
* Revert "Merge branch 'linux-dr-tuning-12' of https://github.com/elastic/detection-rules into linux-dr-tuning-12"
This reverts commit 0170cddd905b4b983f8413eebbc11c9c7b3719ce, reversing
changes made to 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Revert "Min stack rule-bending test"
This reverts commit 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_chown_chmod_unauthorized_file_read.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 9c4ba4559d)
2024-03-07 17:15:18 +00:00
Ruben Groenewoud
124e8c836c
[Tuning] Linux DR Tuning - Part 14 (#3467)
* [Tuning] Linux DR Tuning - Part 14
* Update privilege_escalation_sudo_cve_2019_14287.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit ed4a7fc15b)
2024-03-07 15:51:17 +00:00
Ruben Groenewoud
dfaed78e75
[Tuning] Linux DR Tuning - Part 13 (#3465)
* [Tuning] Linux DR Tuning - Part 13
* updated date bump
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
* Update privilege_escalation_netcon_via_sudo_binary.toml
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
* Update rules/linux/privilege_escalation_shadow_file_read.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
(cherry picked from commit 60fda8d756)
2024-03-07 15:33:51 +00:00
Ruben Groenewoud
09fe63d18f
[Tuning] Linux DR Tuning - Part 11 (#3463)
* [Tuning] Linux DR Tuning - Part 11
* Update persistence_message_of_the_day_creation.toml
* Update persistence_message_of_the_day_execution.toml
* Update rules/linux/persistence_message_of_the_day_execution.toml
* Update persistence_linux_user_added_to_privileged_group.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit ef66c57030)
2024-03-07 11:26:39 +00:00
Ruben Groenewoud
68cfb3dfde
[Tuning] Linux DR Tuning - Part 10 (#3462)
* [Tuning] Linux DR Tuning - Part 10
* updated_date bump
* Update persistence_kworker_file_creation.toml
* Update persistence_linux_backdoor_user_creation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit a76a3755d9)
2024-03-07 10:50:21 +00:00
Ruben Groenewoud
6141bc3dd7
[Tuning] Linux DR Tuning - Part 9 (#3461)
* [Tuning] Linux DR Tuning - Part 9
* Update persistence_credential_access_modify_ssh_binaries.toml
* Update lateral_movement_ssh_it_worm_download.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit fd84573212)
2024-03-07 10:39:28 +00:00
Ruben Groenewoud
f209923155
[Tuning] Linux DR Tuning - Part 8 (#3460)
* [Tuning] Linux DR Tuning - Part 8
* Update impact_esxi_process_kill.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 08f946b394)
2024-03-07 10:06:27 +00:00
Ruben Groenewoud
e44b8a7768
[Tuning] Linux DR Tuning - Part 7 (#3458)
* [Tuning] Linux DR Tuning - Part 7
* Update execution_potential_hack_tool_executed.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit c537fb9c22)
2024-03-07 09:52:07 +00:00
Ruben Groenewoud
472ca216d3
[Tuning] Linux DR Tuning - Part 6 (#3457)
* [Tuning] Linux DR Tuning - Part 6
* Update discovery_ping_sweep_detected.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit f37a3bfd48)
2024-03-07 09:14:25 +00:00
Ruben Groenewoud
d28bd2abef
[Tuning] Linux DR Tuning - Part 5 (#3456)
* [Tuning] Linux DR Tuning - Part 6
* Update discovery_dynamic_linker_via_od.toml
* Update discovery_esxi_software_via_find.toml
* Update discovery_esxi_software_via_grep.toml
* Update discovery_linux_hping_activity.toml
* Update discovery_linux_nping_activity.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit ae3f4737ab)
2024-03-07 08:59:38 +00:00
Ruben Groenewoud
2f18b54ac8
[Tuning] Auditbeat event.action Compatibility (#3471)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 83abf8d42c)
2024-03-06 14:34:12 +00:00
Ruben Groenewoud
e6db511ac7
[BBR Promotion] Linux BBR --> DR Promotion (#3472)
* [BBR Promotion] Linux BBR --> DR Promotion
* [BBR Promotion] Linux BBR --> DR Promotion
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 5a80423003)
2024-03-06 13:55:08 +00:00
Ruben Groenewoud
7adff8ebd2
[Tuning] Linux DR Tuning - Part 4 (#3455)
* [Tuning] Linux DR Tuning - Part 4
* Update defense_evasion_file_mod_writable_dir.toml
* Update defense_evasion_hidden_file_dir_tmp.toml
(cherry picked from commit 089e6671aa)
2024-02-20 14:44:07 +00:00