6b03cbb54b
[New Rules] cap_setuid/cap_setgid privesc ( #3075 )
...
* [New Rules] cap_setuid/cap_setgid privesc
* Update persistence_setuid_setgid_capability_set.toml
* Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update privilege_escalation_suspicious_cap_setuid_python_execution.toml
* Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
* Update privilege_escalation_suspicious_cap_setuid_python_execution.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 6ea11cd9ad
2023-10-18 14:29:35 +00:00
71f4ba024c
[New Rule] Potential SSH-IT SSH Worm Downloaded ( #3121 )
...
* [New Rule]
* Fixed grammar mistake
* Update rules/linux/lateral_movement_ssh_it_worm_download.toml
* Update rules/linux/lateral_movement_ssh_it_worm_download.toml
(cherry picked from commit 4190c3a6a7
2023-10-18 14:14:42 +00:00
28c04cbdcf
[New Rule] Pot. Network Scan Executed from Host ( #3070 )
...
(cherry picked from commit 7d674db11e
2023-10-18 13:52:28 +00:00
118f11daf6
Setup information for Linux Rules - Set7 ( #3190 )
...
(cherry picked from commit 276c0f9cd3
2023-10-17 14:21:37 +00:00
b873968d3a
Setup information for Linux Rules - Set6 ( #3189 )
...
(cherry picked from commit 5a98208b53
2023-10-17 14:09:16 +00:00
a7e83681e3
Setup information for Linux Rules - Set5 ( #3188 )
...
(cherry picked from commit 2a48db0598
2023-10-17 13:46:52 +00:00
95f45de9cc
Setup information for Linux Rules - Set4 ( #3179 )
...
(cherry picked from commit 25b527c149
2023-10-17 13:35:14 +00:00
f99b745866
Setup information for Linux Rules - Set3 ( #3178 )
...
(cherry picked from commit d2c2987d72
2023-10-17 13:13:05 +00:00
34ef0f1752
Setup information for Linux Rules - Set2 ( #3177 )
...
(cherry picked from commit 1801a4ee7e
2023-10-17 13:01:51 +00:00
97ce9d7478
[Rule Tuning] Potential Masquerading as System32 DLL ( #3184 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit e4e68c2dd8
2023-10-17 11:35:05 +00:00
6bc1104f86
[Rule Tuning] Adjust Lucene queries to use Uppercase operators ( #3196 )
...
(cherry picked from commit 82685e36ce
2023-10-16 20:14:08 +00:00
cad094abbd
[New Rule] Adding DGA Rules from Advanced Analytic DGA Package ( #3102 )
...
* Adding DGA rules
* Adding references
* updated rule tags and queries
* Updating min stack version
* added logic to handle ml jobs
* added code comments for clarity
* removing subbed security docs folder
* added event dataset to queries for endpoint; updated note
* removed event dataset
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
(cherry picked from commit a5a606e804
2023-10-16 19:54:30 +00:00
9426d79b1c
[Tuning] Adjusted Rules for Anti-Evasion ( #3163 )
...
* Update lateral_movement_executable_tool_transfer_smb.toml
* Update lateral_movement_incoming_wmi.toml
* Update lateral_movement_execution_via_file_shares_sequence.toml
* Update lateral_movement_executable_tool_transfer_smb.toml
* Update lateral_movement_execution_via_file_shares_sequence.toml
* Update lateral_movement_executable_tool_transfer_smb.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 24b0aa5c63
2023-10-16 17:02:08 +00:00
ef715864f4
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules ( #3165 )
...
* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules
* Fix dates
* Fix unit test errors
* updated tags and fixed branch conflicts
updated tags and fixed branch conflicts
* description nit
* Reverting unintended changes
* Update initial_access_suspicious_ms_office_child_process.toml
---------
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com >
(cherry picked from commit f584fb6e31
2023-10-15 21:18:03 +00:00
2f7471e749
[New Rule] Adding Data Exfiltration Rules from Advanced Analytic DED Package ( #3126 )
...
* Adding DED rules
* adding integration manifests and schemas for DED
* Updating min stack version
* updating manifests and schemas to match main
* added setup note; updated references
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
(cherry picked from commit 97ff7fb26e
2023-10-14 17:29:24 +00:00
3351e87789
Improve exsisting setup configurations for Linux ( #3141 )
...
(cherry picked from commit 15718ea09e
2023-10-13 08:15:12 +00:00
094ad60ff6
[New Rule] New GitHub App Installed ( #3055 )
...
* new rule
* Update rules/integrations/github/execution_new_github_app_installed.toml
* Update rules/integrations/github/execution_new_github_app_installed.toml
edits from review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* change query from event.module to event.dataset
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 374c9c6257
2023-10-13 00:16:30 +00:00
d72996c401
[New Rule] Migrate Lateral Movement Detection Rules ( #3175 )
...
* adding LMD rules
* added setup note; updated references
* adds 2.0.0 lmd manifest and schema
* adjusted min-stack for non-ML rules
(cherry picked from commit 1e514afa57
2023-10-12 19:07:54 +00:00
788f2ce884
[Rule Tuning] PowerShell Rules Tuning ( #3169 )
...
(cherry picked from commit 3f2a709370
2023-10-11 21:03:44 +00:00
c9a1edd9fc
[New Rule] Potential curl CVE-2023-38545 Exploitation ( #3168 )
...
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Added setup guide
* Update execution_curl_CVE_2023_38545.toml
* File name change
* File name change
* Update dates
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
(cherry picked from commit 89cfdcd440
2023-10-11 14:48:20 +00:00
f66b82c0ec
[Tuning] Windows Execution Rule Tuning for UEBA ( #3107 )
...
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Mostly updated Execution tags, also new_terms conv
* removed index
* Removed index
* WMIPrvSE tuning
* Additional tuning
* Tuning & changes
* Additional tuning
* Applied unit test optimization
* Addressed feedback
* Update rules/windows/execution_command_shell_started_by_svchost.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* caseless unit testing fix
* fixed caseless executable unit test
* unit testing fix
* Update rules/windows/execution_suspicious_powershell_imgload.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update execution_ms_office_written_file.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
* Added user ids to new terms
* Update rules/windows/execution_suspicious_powershell_imgload.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules_building_block/execution_unsigned_service_executable.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update execution_unsigned_service_executable.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit c2822e175c
2023-10-11 08:21:37 +00:00
d4d794b586
[Tuning] Windows Discovery Rule Tuning for UEBA ( #3097 )
...
* [Tuning] Win DR Tuning for UEBA
* Need to get used to Windows formatting
* Added additional content
* Updated min stack
* Added additional tuning
* Fixed unit testing for KQL optimization
* Update rules_building_block/discovery_internet_capabilities.toml
* Additional tuning
* Kuery optimization
* Additional tuning
* Additional tuning
* Additional tuning
* Additional tuning
* Unit testing optimization fix
* optimization
* tuning
* Optimization
* Update rules/windows/discovery_privileged_localgroup_membership.toml
* Added feedback
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* added host.id as additional new_terms field
* Reworked a lot.
* kibana.alert.rule.rule_id to non-ecs-schema.json
* Fixed index by adding a dot
* fixed typo
* Added host.os.type:windows for signals
* Added additional tag
* Added Higher-Order Rule tag
* Stripped down signal rules down to two
* revert
* Update rules/windows/discovery_admin_recon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/discovery_generic_registry_query.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update discovery_generic_registry_query.toml
* Readded exclusions
* Added trailing wildcards for KQL
* Update discovery_privileged_localgroup_membership.toml
* Update rules_building_block/discovery_signal_unusual_user_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Formatting fix
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 4cdf52129a
2023-10-11 07:49:08 +00:00
bd7d94c1f3
[New Rule] Pot. Rev. Shell via Background Process ( #3114 )
...
(cherry picked from commit a46797b987
2023-10-06 21:20:37 +00:00
281d02e5d2
[New Rule] New GitHub Owner Added ( #3090 )
...
* [New Rule] New GitHub Owner Added
new rule
* name change
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit ef8f5620e1
2023-10-06 20:03:14 +00:00
e9ecac7c75
[New Rule] GitHub Owner Role Granted to User ( #3087 )
...
* [New Rule] GitHub Owner Role Granted to User
new rule
* Update persistence_organization_owner_role_granted.toml
* updated integration schema
* changed timestamp_override
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 9593412847
2023-10-06 19:50:02 +00:00
5152ea9c6f
[Tuning] CVE-2023-4911 ( #3160 )
...
(cherry picked from commit c3cc01333a
2023-10-06 11:18:47 +00:00
138b46a423
removing lmd rules and fixing version lock history ( #3159 )
...
(cherry picked from commit 57c05f0444
2023-10-05 16:22:34 +00:00
b6da24629e
[New Rule] PE via CVE-2023-4911 (Looney Tunables) ( #3158 )
...
* [New Rule] PE via CVE-2023-4911 (Looney Tunables)
* Update rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
* Update rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
(cherry picked from commit f4ad1f28e3
2023-10-05 14:47:09 +00:00
2b22d066fd
[Rule Tuning] Add filebeat Compatibility to Network Rules ( #2925 )
...
* add beats compatability to NPC rules
* added filebeat compatibility to 'Accepted Default Telnet Port Connection'
* added filebeat compatibility to 'Cobalt Strike Command and Control Beacon'
* added filebeat compatibility to 'Default Cobalt Strike Team Server Certificate'
* added filebeat compatibility to 'Roshal Archive (RAR) or PowerShell File Downloaded from the Internet'
* added filebeat compatibility to 'Possible FIN7 DGA Command and Control Behavior'
* added filebeat compatibility to 'Halfbaked Command and Control Beacon'
* added filebeat compatibility to 'IPSEC NAT Traversal Port Activity'
* added filebeat compatibility to 'SMTP on Port 26/TCP'
* added filebeat compatibility to 'RDP (Remote Desktop Protocol) from the Internet'
* added filebeat compatibility to 'VNC (Virtual Network Computing) from the Internet'
* added filebeat compatibility to 'VNC (Virtual Network Computing) to the Internet'
* added filebeat compatibility to 'RPC (Remote Procedure Call) from the Internet'
* added filebeat compatibility to 'RPC (Remote Procedure Call) to the Internet'
* added filebeat compatibility to 'SMB (Windows File Sharing) Activity to the Internet'
* removed extra space in query
* added filebeat compatibility to 'Inbound Connection to an Unsecure Elasticsearch Node'
* added filebeat compatibility to 'Abnormally Large DNS Response'
* fixed missing ending parenthesis
* added auditbeat to compatible rules
* addressed feedback
* removed filebeat and auditbeat due to incompatibility
* Update rules/network/command_and_control_cobalt_strike_beacon.toml
* Update rules/network/command_and_control_accepted_default_telnet_port_connection.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit b8ae2218f8
2023-10-03 19:11:07 +00:00
54303f84fc
adjusting minimum stack version for version control ( #3154 )
...
(cherry picked from commit 8d2b730bc5
2023-10-03 17:41:45 +00:00
fadd7fe320
[Rule Tuning] Update LMD Rules Min-Stack to 8.5 ( #3142 )
...
* updating min-stack to 8.5
* updated min stack comments
(cherry picked from commit 8650b26002
2023-09-27 20:23:45 +00:00
116a7de890
[New Rule] Adding Lateral Movement Rules from Advanced Analytic LMD Package ( #3119 )
...
* Adding Lateral Movement Detection rules
* added tags; adjusted tests; updated manifests and schemas
* added default value to build_integrations_schema
* combined analytic and non-dataset packages for related integrations
* adjusted machine learning definitions
* adjusted machine learning definitions
* removed splat for machine learning list due to 3.8 constraints
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 747ee7d593
2023-09-27 18:59:55 +00:00
18fb966776
[New Rule] Network Activity Detected via cat ( #3069 )
...
* [New Rule] Network Activity via cat
* Update command_and_control_cat_network_activity.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit b291317ea6
2023-09-18 07:56:50 +00:00
f4ce48063c
[New Rule] Github Repository Deleted ( #3056 )
...
* new rule
* Update rules/integrations/github/impact_github_repository_deleted.toml
* Update rules/integrations/github/impact_github_repository_deleted.toml
updates based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 9146e0965d
2023-09-14 22:05:59 +00:00
09feb8b94f
[New Rule] GitHub Protected Branch Settings Changed ( #3054 )
...
* new rule file
* testing query change
* query changed back
* Update rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
updates based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* updated integration manifests with github schema
* Update defense_evasion_github_protected_branch_settings_changed.toml
added event.dataset to query
* added timestamp_override
* changed timestamp_override to @timestamp
* changed timestamp_override
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 904e37b732
2023-09-14 21:25:40 +00:00
0bc9b126f6
Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity ( #3091 )
...
* Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity
When dllhost.exe is called with the "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}" argument it is creating an "OOBE Elevated Object Server" as per https://strontic.github.io/xcyclopedia/library/clsid_ca8c87c1-929d-45ba-94db-ef8e6cb346ad.html
Out of the box experience is part of the Windows autopilot and therefore should be legitimate behaviour.
* simplified detection logic by utilising process.parent.args
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit ccfc931fbd
2023-09-13 16:56:38 +00:00
ab3a15861c
[Security Content] Add missing osquery transforms ( #3088 )
...
* [Security Content] Add missing osquery transforms
* Revertable unit test
* .
* Revert "Revertable unit test"
This reverts commit 8c909fc2712b16e062890a63f31a6c080b81244a.
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 4034436f06
2023-09-13 11:12:36 +00:00
711e0f3ab7
[New Rule] New BBR Rules - Part 2 ( #3029 )
...
* [New Rule] New BBR Rules - Part 2
* Update discovery_generic_account_groups.toml
* Update discovery_generic_account_groups.toml
* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/execution_downloaded_shortcut_files.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules_building_block/defense_evasion_unusual_process_extension.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update defense_evasion_unusual_process_extension.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit ddb1f75352
2023-09-13 00:54:52 +00:00
4b2112f4a0
[New Rule] New BBR Rules - Part 3 ( #3034 )
...
* [New Rule] New BBR Rules - Part 3
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit af99186992
2023-09-13 00:34:12 +00:00
fa494e4c46
[New Rule] Potential UDP Reverse Shell ( #2906 )
...
* [New Rule] Potential UDP Reverse Shell Detected
* Title change
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* updated non-ecs-schema to update unmapped fields
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Removed netcat, added destination ip list
* Update execution_shell_via_udp_cli_utility_linux.toml
* Added precautionary exclusions
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
* replaced schema files
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit f8f3576971
2023-09-07 15:18:55 +00:00
63b817353a
[New Rule] Potential Meterpreter Reverse Shell ( #3007 )
...
* [New Rule] Potential Meterpreter Reverse Shell
* Update execution_shell_via_meterpreter_linux.toml
* Update execution_shell_via_meterpreter_linux.toml
* Update rules/linux/execution_shell_via_meterpreter_linux.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 15e71ec2e8
2023-09-07 15:10:01 +00:00
e9b1ebae3f
[New Rule] New BBR Rules - Part 5 ( #3052 )
...
* [New Rule] New BBR Rules - Part 5
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Tag work
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 3614f42b00
2023-09-05 21:42:38 +00:00
063386829c
[Security Content] Include "Data Source: Elastic Defend" tag ( #3002 )
...
* win folder
* Other folders
* Update test_all_rules.py
* .
* updated missing elastic defend tags
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
(cherry picked from commit 4233fef238
2023-09-05 18:28:40 +00:00
4bb0cdc3f3
[Rule Tuning] Small Linux DR Tuning ( #3074 )
...
* [Rule tuning] Adressing community issue
* Changed title
* Changed IG title
(cherry picked from commit 6115a68aba
2023-09-05 12:26:47 +00:00
06e3367683
[New Rule] Sus User Privilege Enumeration via id ( #3049 )
...
(cherry picked from commit 3c64b454fb
2023-08-31 16:21:40 +00:00
6c074f21d8
[New Rule][BBR] WRITEDAC Access on Active Directory Object ( #3015 )
...
* [New Rule] WRITEDAC Access on Active Directory Object
* Update defense_evasion_write_dac_access.toml
* Fix Setup Instructions
* Update defense_evasion_write_dac_access.toml
* Update rules_building_block/defense_evasion_write_dac_access.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit fdd45148b8
2023-08-31 16:04:58 +00:00
3926384446
[New Rules] GDB Secret Dumping ( #3060 )
...
* [New Rules] GDB Secret Dumping
* Added references to BBR
* Update rules/linux/credential_access_gdb_init_memory_dump.toml
* Update rules_building_block/credential_access_gdb_memory_dump.toml
* Update rules_building_block/credential_access_gdb_memory_dump.toml
* Update rules_building_block/credential_access_gdb_memory_dump.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit f7d8d4752a
2023-08-31 15:47:30 +00:00
5c0ff8765b
[New Rule] File Creation, Exec and Self-Deletion ( #3045 )
...
* [New Rule] File Creation, Exec and Self-Deletion
* Update execution_file_execution_followed_by_deletion.toml
* Update execution_file_execution_followed_by_deletion.toml
* Update execution_file_execution_followed_by_deletion.toml
* Update execution_file_execution_followed_by_deletion.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit b6ed215958
2023-08-31 15:38:03 +00:00
ba6952c242
[Rule Tuning] 3 tunings to reduce FPs ( #3058 )
...
* [Rule Tuning] 2 tunings to reduce FPs back to 0
* Added one more tune for community issue #3041
* Update rules/linux/execution_abnormal_process_id_file_created.toml
* Update rules/linux/execution_abnormal_process_id_file_created.toml
(cherry picked from commit 3588600d57
2023-08-31 15:22:59 +00:00
fb2fbf3589
[New Rule] Potential Disabling of AppArmor ( #3046 )
...
* [New Rule] Potential Disabling of AppArmor
* Update rules/linux/defense_evasion_disable_apparmor_attempt.toml
* Update rules/linux/defense_evasion_disable_apparmor_attempt.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 2eaaf27f1e
2023-08-31 15:12:41 +00:00
Ruben Groenewoud