Justin Ibarra
5bc3d1e2d5
[New Rule] Okta User Session Impersonation (#1867)
* [New Rule] Okta User Session Impersonation
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 46c2383e5b)
2022-03-23 00:13:53 +00:00
Stijn Holzhauer
99597a2ed2
[Rule Tuning] Adding event.provider to AWS WAF Rule or Rule Group Deletion (#1833)
* Adding event.provider
* Removing new line
* Updating updated_date field
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 2ed97d2e8c)
2022-03-22 23:40:22 +00:00
shashank-elastic
bbf92cec94
crash shell evasion threat (#1861)
(cherry picked from commit 22367d3702)
2022-03-22 13:20:12 +00:00
shashank-elastic
d4c426a022
[New Rule] cpulimit shell evasion threat (#1851)
* cpulimit shell evasion threat
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 2ab5a1f44a)
2022-03-21 17:20:00 +00:00
Terrance DeJesus
d26759d5a8
[Rule Tuning] Symbolic Link to Shadow Copy Created (#1830)
* fixed duplicated file name
* deprecated Symbolic Link to Shadow Copy Created as it may be prone to FP and the intrusion steps are covered with NTDS or SAM Database File Copied
* moved rule back to production, added investigation notes and sequencing to EQL query
* added related rule 3bc6deaa-fbd4-433a-ae21-3e892f95624f to investigation notes
* updating with minor changes
* adjusted related rules
* adjusted investigation notes
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* TOML linted and adjusted updated date
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 096723b2a1)
2022-03-18 15:11:05 +00:00
Mika Ayenson
a951b99c13
update beats master branch ref to main (#1853)
* update beats master branch ref to main
* update filename of master beat schema to main
* delete old main beats schema
* rebuilt main beats archive
(cherry picked from commit 84b7ce6582)
2022-03-18 14:09:10 +00:00
shashank-elastic
b7d064d210
Update of MITRE Tactic and Threats (#1850)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 7feebc2c10)
2022-03-18 09:38:46 +00:00
Jonhnathan
18532b8468
Deprecate PrintNightmare Rules (#1852)
(cherry picked from commit 22dd7f0ada)
2022-03-17 22:41:59 +00:00
Jonhnathan
185b23e169
Update defense_evasion_posh_process_injection.toml (#1838)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit a6edb7cfcf)
2022-03-17 22:39:54 +00:00
shashank-elastic
174add51cc
[New Rule] busybox shell evasion threat (#1842)
* busybox shell evasion threat
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit b492258fb0)
2022-03-17 04:26:58 +00:00
Justin Ibarra
9bc0ecbe55
Bump EQL to 0.9.12 (#1849)
* Bump EQL to 0.9.12
* remove duplicate jsonschema
(cherry picked from commit eb2f62940d)
2022-03-17 00:31:45 +00:00
Jonhnathan
8183b33240
Update persistence_user_account_added_to_privileged_group_ad.toml (#1845)
(cherry picked from commit e0f8f61ca0)
2022-03-16 16:32:22 +00:00
Jonhnathan
1b5720caa5
Update defense_evasion_microsoft_defender_tampering.toml (#1837)
(cherry picked from commit b5f06f455c)
2022-03-14 23:10:00 +00:00
Jonhnathan
944357ffd6
[New Rule] AdminSDHolder SDProp Exclusion Added (#1795)
* AdminSDHolder SDProp Exclusion Added Initial Rule
* Update persistence_sdprop_exclusion_dsheuristics.toml
* Update rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 53fbc50ea1)
2022-03-10 17:19:47 +00:00
shashank-elastic
b2a6abf831
gcc shell evasion threat (#1824)
(cherry picked from commit c05f3c8aa3)
2022-03-10 17:14:14 +00:00
shashank-elastic
632d7015b6
ssh shell evasion threat (#1827)
(cherry picked from commit b49cce9fcb)
2022-03-10 17:11:52 +00:00
shashank-elastic
9e91249421
mysql shell evasion threat (#1823)
(cherry picked from commit ddbc1de45c)
2022-03-10 17:09:25 +00:00
shashank-elastic
41c915c42e
expect shell evasion threat (#1817)
* expect shell evasion threat
* expect shell evasion threat
* Update rules/linux/defense_evasion_expect_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 334aa12aaf)
2022-03-07 20:26:43 +00:00
shashank-elastic
4cf4a66a4b
nice shell evasion threat (#1820)
* nice shell evasion threat
* Update rules/linux/defense_evasion_nice_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 2b6a357a4b)
2022-03-07 20:02:05 +00:00
shashank-elastic
aaf1ab6bb2
[Rule Tuning] Rule description updates (#1811)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit f9503f2096)
2022-03-07 14:06:37 +00:00
shashank-elastic
c4fea2fc00
[New Rule] Linux Restricted Shell Breakout via the Vi command (#1809)
* new:rule:issue-1808 vi shell evasion threat
* Update rules/linux/defense_evasion_vi_binary.toml
* Update rules/linux/defense_evasion_vi_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* new:rule:issue-1808 vi shell evasion threat
* new:rule:issue-1808 vi shell evasion threat
* new:rule:issue-1808 vi shell evasion threat
* Update rules/linux/defense_evasion_vi_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 2a82f18e43)
2022-03-04 19:48:40 +00:00
Apoorva Joshi
029495c16e
Updating beaconing docs (#1815)
* Updating beaconing docs
* Update beaconing.md
* Update beaconing.md
(cherry picked from commit b6737aa2c3)
2022-03-04 19:36:59 +00:00
Justin Ibarra
6120265ba4
[Github Workflows] Only generate navigator files on push to main (#1814)
* [Github Workflows] Only generate navigator files on push to main
* fix workflow logic syntax
(cherry picked from commit 6653acb21c)
2022-03-04 18:57:38 +00:00
Justin Ibarra
2faed44215
Replace * in navigator filenames (#1813)
(cherry picked from commit bb105a3c43)
2022-03-04 17:48:46 +00:00
Justin Ibarra
5a630dd61d
Generate ATT&CK navigator layer files and links (#1787)
* Generate attack layer files and build with package
* add update-navigator-gists command
* add workflow to update navigator gists on pushes to main
* Add coverage readme
* fix keys for links
* update navigator layer names
* purge gist files prior to update; add badge
* Update how the navigator links are displayed
* moved navigator code to dedicated and refactored to dataclasses
* convert gist links to permalink versions
* alphabetize; catch 404 for gist update
(cherry picked from commit 254b4eb23f)
2022-03-04 17:23:14 +00:00
Samirbous
ad2c069baa
[New Rule] Potential Remote Credential Access via Registry (#1804)
* [New Rule] Potential Remote Credential Access via Registry
4624 logon followed by hive file creation by regsvc svchost.exe by same user.name and host.id. This matches on secretsdump and other similar implementations. Requires correlating Elastic endpoint file events with System integration logs (4624).
Example of data:
* Delete workspace.xml
* Update credential_access_remote_sam_secretsdump.toml
* Update credential_access_remote_sam_secretsdump.toml
* add non ecs field
* Update non-ecs-schema.json
* Update credential_access_remote_sam_secretsdump.toml
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/credential_access_remote_sam_secretsdump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit a6582351b5)
2022-03-03 15:31:20 +00:00
Terrance DeJesus
a1e28ef4ff
[New Rule] Execution control.exe via WorkFolders.exe (#1806)
* added detection rule defense_evasion_workfolders_control_execution.toml related to issue #1586
* updated rule authors
* added references to the rule
* added timestamp override variable to the rule
* adjusted value of timestamp override from event_ingested to event.ingested
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_workfolders_control_execution.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* linted toml file as suggested
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 202b9c7479)
2022-03-03 14:24:27 +00:00
Jonhnathan
82331f05d1
[Rule Tuning] Update PowerShell script_block queries to avoid partial matches (#1807)
* Update script_block queries
* Update execution_posh_psreflect.toml
(cherry picked from commit 5c477849fe)
2022-03-03 10:39:59 +00:00
shashank-elastic
7bfd5622f3
find shell evasion threat (#1801)
* new:rule:issue-1800 Adding new rule for find shell evasion
* new:rule:issue-1800 Adding new rule for find shell evasion
* new:rule:issue-1800 Adding new rule for find shell evasion
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* new:rule:issue-1800 Adding MITRE Attack Techniques
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* Update rules/linux/privilege_escalation_find_binary.toml
* new:rule:issue-1800 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 283cbca702)
2022-03-02 16:32:49 +00:00
shashank-elastic
139d56ee86
apt binary shell evasion threat (#1792)
* new:rule:issue-1782 Adding a new Rule for apt binary shell evasion threat
* new:rule:issue-1782 Review Comments
* Update rules/linux/apt_binary_shell_evasion.toml
* new:rule:issue-1782 Adding MITRE Attack Techniques
* new:rule:issue-1782 Adding MITRE Attack Techniques
* new:rule:issue-1782 Adding MITRE Attack Techniques
* new:rule:issue-1782 Adding MITRE Attack Techniques
* new:rule:issue-1782 Adding MITRE Attack Techniques
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* Update rules/linux/privilege_escalation_apt_binary.toml
* new:rule:issue-1782 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit c9dd047966)
2022-03-02 16:30:22 +00:00
shashank-elastic
a645bc7bbb
awk binary shell evasion threat (#1794)
* new:rule:issue-1785 Adding a new Rule for awk binary shell evasion threat
* Update rules/linux/awk_binary_shell_evasion.toml
* Update rules/linux/awk_binary_shell_evasion.toml
* new:rule:issue-1785 Adding MITRE Attack Techniques
* new:rule:issue-1785 Adding MITRE Attack Techniques
* new:rule:issue-1785 Adding MITRE Attack Techniques
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* new:rule:issue-1785 Review Comments
* new:rule:issue-1785 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit e004a2f4a5)
2022-03-02 16:26:37 +00:00
shashank-elastic
56997556f5
env binary shell evasion threat (#1793)
* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat
* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat
* Update rules/linux/env_binary_shell_evasion.toml
* Update rules/linux/env_binary_shell_evasion.toml
* new:rule:issue-1786 Adding MITRE Attack Techniques
* new:rule:issue-1786 Adding MITRE Attack Techniques
* new:rule:issue-1786 Adding MITRE Attack Techniques
* new:rule:issue-1786 Adding MITRE Attack Techniques
* new:rule:issue-1786 Adding MITRE Attack Techniques
* Update rules/linux/privilege_escalation_env_binary.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/privilege_escalation_env_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/privilege_escalation_env_binary.toml
* Update rules/linux/privilege_escalation_env_binary.toml
* new:rule:issue-1786 Review Comments
* Update rules/linux/defense_evasion_env_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 758784d4d5)
2022-03-02 16:19:45 +00:00
Samirbous
36369ebf96
[New Rule] Registry Hive File Creation via SMB (#1779)
* [New Rule] Registry Hive File Creation via SMB
Identifies the creation or modification of a medium-sized registry hive file via the SMB protocol:
* Update credential_access_moving_registry_hive_via_smb.toml
* Update etc/non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit f48144c6b3)
2022-03-02 09:14:52 +00:00
Jonhnathan
31f75bd7e6
Update impact_azure_service_principal_credentials_added.toml (#1802)
(cherry picked from commit 8a9b52f7e1)
2022-03-02 08:38:49 +00:00
Jonhnathan
73b3bec457
[Security Content] Update rules based on docs review (#1803)
* Adds suggestions from security-docs
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 1c50f35aed)
2022-03-02 00:41:56 +00:00
Apoorva Joshi
fe36cc331c
Updating Host Risk Score docs (#1716)
* Updating host risk score docs
* Small update
* Add host risk documentation for Kibana 8.1 features
* Update host-risk-score.md
* Rearranging some stuff
* Improve host risk SS
* Adding stack version info where applicable
* Update host-risk-score.md
* Update host-risk-score.md
* Update host-risk-score.md
* Update host-risk-score.md
* Update host-risk-score.md
Add host by risk table note
* Update host-risk-score.md
Co-authored-by: Pablo Neves Machado <pablo.nevesmachado@elastic.co>
(cherry picked from commit 0122e1e65f)
2022-02-28 23:21:50 +00:00
Justin Ibarra
4397244f73
Refresh ATT&CK to v10.1 (#1791)
(cherry picked from commit a5eb02ac28)
2022-02-25 01:40:49 +00:00
Justin Ibarra
ca5f2d4018
Ensure github module is installed before running PR commands (#1777)
* Ensure github module is installed before running PR commands
* move go and elastic-package assertions to top of command
* update error msg for missing pkg
* remove redundant github assertion
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit d373db7659)
2022-02-24 23:51:24 +00:00
Mika Ayenson
aab23636e8
[New Rule] LSASS Memory Dump (#1784)
* Add new event_data fields (ObjectName, ProcessName)
* Add detection for LSASS Memory Dump Handle Access
* Reference an example of 120089 AccessMask presence
* modify query to increase performance and update the description to remove ("This rule").
* expand path to Elastic Agent ensure syntax consistency
* Optimize rule based on AccessMaskDescription and additional False Positives.
* add AccessMaskDescription keyword and rule tune to make sure AccessMask is used
* filter dllhost.exe and or the condition between AccessMask and AccessMaskDescription
* cleanup
(cherry picked from commit aa7d79cc53)
2022-02-24 13:16:42 +00:00
Mika Ayenson
775779c756
[Bug] Fix toml-lint ordering of Mitre metadata #1249 (#1774)
* Order the MITRE metadata by recursively sorting the rule object before writing.
* Refactor order_rule into the rule_formatter module.
* sort test_toml.json according to rule_formatter spec
* rename var to obj since this will traverse all data in the rule
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 0aeb7399d4)
2022-02-22 19:00:16 +00:00
Jonhnathan
99c559f870
Update persistence_azure_conditional_access_policy_modified.toml (#1788)
(cherry picked from commit 8664ef59f4)
2022-02-22 18:29:00 +00:00
github-actions[bot]
76f3ff1074
Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 (#1781)
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1
(cherry picked from commit 5e073af69d)
2022-02-16 17:27:58 +00:00
Jonhnathan
678f7cb93c
[Rule Tuning] Update rules based on docs review (#1778)
* Update rules based on docs review
* trivial change to trigger CLA
* undo changes from triggering build
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit dec4243db0)
2022-02-16 16:44:51 +00:00
Jonhnathan
f571eb970d
[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id (#1773)
* Remove Windows Integration & Winlogbeat Support
* Update lateral_movement_service_control_spawned_script_int.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 3227d65cd8)
2022-02-16 02:07:27 +00:00
Jonhnathan
cd59ed785a
[Rule Tuning] Potential Command and Control via Internet Explorer (#1771)
* Use user.name on the sequence instead of user.id
* Update command_and_control_iexplore_via_com.toml
* Remove min_stack and comment "with runs"
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 03f60cc11c)
2022-02-16 02:00:28 +00:00
Jonhnathan
ef78093d88
[New Rule] Potential Credential Access via DCSync (#1763)
* "Potential Credential Access via DCSync" Initial Rule
* replace unintentional bracket removal
* json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 42436d3364)
2022-02-16 00:42:49 +00:00
Jonhnathan
9885be0f59
Modified to use Integrity fields instead of user.id (#1772)
(cherry picked from commit fd678dc5cb)
2022-02-16 00:25:10 +00:00
Jonhnathan
fd3d2708a1
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes (#1775)
* Initial Review of Sysmon Registry Rules
* Update defense_evasion_sip_provider_mod.toml
(cherry picked from commit 9bbe26fec0)
2022-02-15 12:59:15 +00:00
Jonhnathan
3b97ee423b
Update discovery_net_command_system_account.toml (#1769)
(cherry picked from commit c646a18efb)
2022-02-14 15:13:55 +00:00
Samirbous
fbcc7433ad
[New Rule] Windows Service Installed via an Unusual Client (#1759)
* [New Rule] Windows Service Installed via an Unusual Client
https://www.x86matthew.com/view_post?id=create_svc_rpc
* Update non-ecs-schema.json
* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Add ```s
* Update privilege_escalation_windows_service_via_unusual_client.toml
* add missing comma to schema
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 326aa64ff6)
2022-02-11 20:59:20 +00:00