Ruben Groenewoud
608e02e27e
[New Rule] Linux Telegram API Request ( #4677 )
2025-05-06 21:53:19 +05:30
Jonhnathan
d3aa4b2f38
[Rule Tuning] Reduce Severity from Critical to High ( #4637 )
2025-05-06 21:37:47 +05:30
Ruben Groenewoud
944428d81e
[New Rule] Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments ( #4685 )
2025-05-06 21:21:58 +05:30
Jonhnathan
e028bf7954
[New Rule] Potential Dynamic IEX Reconstruction via Environment Variables ( #4633 )
2025-05-06 21:06:06 +05:30
Terrance DeJesus
a34a26ddec
[Rule Tuning] Excluding Microsoft Entra ID Service Principal Addition Invoked by MSFT Identity ( #4700 )
* tuning rule to exclude service principals added by MSFT
* added additional exclusions
* updated rule name and file name
* updated investigation guide and mitre
2025-05-06 11:19:50 -04:00
Jonhnathan
0cd7de6862
[New Rule] Potential PowerShell Obfuscation via Special Character Overuse ( #4632 )
2025-05-06 20:29:19 +05:30
Jonhnathan
b7016253ae
[New Rule] Potential PowerShell Obfuscation via High Numeric Character Proportion ( #4631 )
2025-05-06 20:13:34 +05:30
Jonhnathan
5d8f0c2ffe
[New Rule] Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion ( #4630 )
2025-05-06 19:58:01 +05:30
Jonhnathan
b6a755c84f
[New Rule][BBR] Potential PowerShell Obfuscation via High Special Character Proportion ( #4629 )
2025-05-06 19:41:33 +05:30
Jonhnathan
dc6cb3e811
[New Rule] Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation ( #4615 )
2025-05-06 19:26:15 +05:30
Jonhnathan
5ab73943a1
[New Rule] Potential PowerShell Obfuscation via Invalid Escape Sequences ( #4614 )
2025-05-06 19:10:10 +05:30
Jonhnathan
b5ac9707ba
[New Rule] PowerShell Obfuscation via Negative Index String Reversal ( #4610 )
2025-05-06 18:54:22 +05:30
Jonhnathan
c291638521
[New Rule] Potential PowerShell Obfuscation via Reverse Keywords ( #4609 )
2025-05-06 18:36:13 +05:30
Jonhnathan
7b9cd77bc2
[New Rule] Potential PowerShell Obfuscation via Character Array Reconstruction ( #4608 )
2025-05-06 18:18:29 +05:30
Jonhnathan
ebe77f2d86
[New Rule] Potential PowerShell Obfuscation via String Concatenation ( #4607 )
2025-05-06 18:02:35 +05:30
Ruben Groenewoud
fdc6b09d54
[New Rule] System Binary Symlink to Suspicious Location ( #4682 )
2025-05-06 17:46:47 +05:30
Ruben Groenewoud
25dc8498ae
[New Rule] Suspicious Named Pipe Creation ( #4681 )
2025-05-06 17:30:38 +05:30
Ruben Groenewoud
8b08795e00
[New Rule] Suspicious Kernel Feature Activity ( #4676 )
2025-05-06 17:13:24 +05:30
Ruben Groenewoud
0193af2842
[New Rule] Potential Data Exfiltration Through Curl ( #4678 )
2025-05-06 16:57:59 +05:30
Ruben Groenewoud
4030de9295
[New/Tuning] Potential Hex Payload Execution via Command-Line ( #4675 )
2025-05-06 16:29:03 +05:30
Ruben Groenewoud
eb3520a63b
[New Rule] Potential Backdoor Execution Through PAM_EXEC ( #4674 )
2025-05-06 16:13:23 +05:30
Samirbous
91acb4e9ce
[New] Windows Sandbox with Sensitive Configuration ( #4606 )
https://blog-en.itochuci.co.jp/entry/2025/03/12/140000
2025-05-06 15:58:39 +05:30
Samirbous
04f15aa08c
[New] Rare Connection to WebDAV Target ( #4667 )
2025-05-06 15:41:30 +05:30
Samirbous
70f758d9ad
[New] Microsoft Azure or Mail Sign-in from a Suspicious Source ( #4673 )
2025-05-06 15:21:11 +05:30
Ruben Groenewoud
403e20c2c6
[New Rule] Git Repository or File Download to Suspicious Directory ( #4663 )
2025-05-06 15:05:27 +05:30
Ruben Groenewoud
3f9e2edcb5
[New Rule] Manual Mount Discovery via /etc/exports ( #4662 )
2025-05-06 14:48:55 +05:30
Ruben Groenewoud
a9e8a78c09
[New Rule] Docker Release File Creation ( #4661 )
2025-05-06 14:31:52 +05:30
Ruben Groenewoud
13cf424ef5
[New Rule] Manual Memory Dumping via Proc Filesystem ( #4660 )
2025-05-06 14:16:15 +05:30
Ruben Groenewoud
c9c41747fc
[FN Tuning] Suspicious /proc/maps Discovery ( #4659 )
2025-05-06 13:59:44 +05:30
Ruben Groenewoud
1150271372
[New Rule] Suspicious Path Mounted ( #4664 )
2025-05-06 13:43:00 +05:30
Samirbous
bcff3f95d5
Update command_and_control_common_webservices.toml ( #4686 )
2025-05-06 13:27:21 +05:30
Samirbous
f480e98f16
[New] Concurrent Azure SignIns with Suspicious Properties ( #4670 )
2025-05-06 13:09:54 +05:30
Samirbous
6e3b38c645
[New] Suspicious Microsoft 365 UserLoggedIn via OAuth Code ( #4691 )
2025-05-06 12:53:33 +05:30
Terrance DeJesus
57be590d73
[New Rule] Adding Coverage for Suspicious Activity via Auth Broker On-Behalf-of Principal User ( #4687 )
2025-05-06 12:41:57 +05:30
Terrance DeJesus
58d03d4043
[New Rule] Adding Coverage for Microsoft Entra ID SharePoint Access for User Principal via Auth Broker ( #4695 )
* new rule 'Microsoft Entra ID SharePoint Access for User Principal via Auth Broker'
* updated severity
* added new terms note
2025-05-05 16:45:47 -04:00
shashank-elastic
e4856d3c2c
Refresh ecs, beats, integration manifests & schemas ( #4699 )
2025-05-05 23:06:40 +05:30
Ruben Groenewoud
18e1103c51
[New Rule] Potential Linux Tunneling and/or Port Forwarding via SSH Option ( #4658 )
2025-05-05 09:59:08 +02:00
shashank-elastic
b3adc6d3ea
Deprecate Experimental ML command ( #4669 )
2025-05-02 21:01:46 +05:30
Samirbous
dddc2a7bb9
[New] Microsoft 365 OAuth Redirect to Device Registration for User ( #4694 )
* [New] Microsoft 365 OAuth Redirect to Device Registration for User Principal
https://github.com/elastic/ia-trade-team/issues/590
* Update non-ecs-schema.json
* Update pyproject.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* Update credential_access_antra_id_device_reg_via_oauth_redirection.toml
* fixed investigation guide formatting; fixed unit test failure
* updated patch version
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-05-02 08:36:10 +01:00
Terrance DeJesus
ce66f52aad
[New Rule] Adding Coverage for Microsoft Entra ID Protection Anonymized IP Risk Detection ( #4689 )
* Adding new rule 'Microsoft Entra ID Protection Anonymized IP Risk Detection'
* updating description
* adding index
* updating mitre tactic mapping
* updating file name
2025-05-01 23:03:50 -04:00
Terrance DeJesus
bae7835f6a
[New Rule] MSFT Tenant OAuth Phishing via First-Party VSCode Client ( #4642 )
* new rules for MSFT Oauth phishing in Azure, Entra and Microsoft 365
* changed m365 file name
* fixed duplicate tactics
* updating non-ecs for graph activity logs
* updating rules; investigation guides; formatting, linting errors
2025-05-01 22:38:41 -04:00
Terrance DeJesus
ff2ecad573
[New Rule] Adding Coverage for AWS S3 Static Site JavaScript File Uploaded ( #4617 )
* new rule 'AWS S3 Static Site JavaScript File Uploaded'
* adjusting name
* updated keep command
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-04-30 16:25:03 -04:00
Sergey Polzunov
ba959f2ceb
fix: Fixing leftover references to sha256 method ( #4690 )
* Fixing missed old method name usage
* Patch version bump
2025-04-30 20:34:15 +02:00
github-actions[bot]
fc1e6145cc
Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 ( #4679 )
2025-04-30 18:11:35 +05:30
Sergey Polzunov
d72cb92d59
Bringing back "fix: Cleaning up the hashable content for the rule" ( #4621 ) ( #4668 )
2025-04-28 21:59:55 +05:30
shashank-elastic
97e6d8b706
Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 ( #4665 )
2025-04-25 20:35:09 +05:30
Terrance DeJesus
f02ccfef64
[New Rule] Adding Coverage for AWS IAM or STS API Calls via Temporary Session Tokens ( #4628 )
* adding new rule 'AWS IAM or STS API Calls via Temporary Session Tokens'
* updated name and query logic
* updated query logic
* changed rule to new terms
* fixed logic
* Update rules/integrations/aws/persistence_iam_sts_api_calls_via_user_session_token.toml
* Update rules/integrations/aws/persistence_iam_sts_api_calls_via_user_session_token.toml
* updated investigation guide; scoped to IAM only; updated naming
* updating file name
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-04-24 15:39:51 -04:00
Sergey Polzunov
191396e5e8
Version bump ( #4655 )
2025-04-24 13:19:36 -04:00
Sergey Polzunov
b7a324b2e8
Revert "fix: Cleaning up the hashable content for the rule ( #4621 )" ( #4654 )
This reverts commit 80c4f7eacc.
2025-04-24 19:05:17 +02:00
Colson Wilhoit
84966f02a1
[Tuning] Update DPRK ByBit Hunting Queries ( #4645 )
* fix
* markdown generate
* adding missing streamlit hunting query
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2025-04-24 07:58:06 -05:00