sigma-rules

Author	SHA1	Message	Date
Justin Ibarra	6bdfddac8e	Expand timestamp override tests (#1907 ) * Expand timestamp_override tests * removed timestamp_override from eql sequence rules * add config entry for eql rules with beats index and t_o * add timestamp_override to missing fields	2022-04-01 15:27:08 -08:00
Terrance DeJesus	648daf1237	Prep for Creation of 8.3 Branch (#1906 ) * updating with changes for 8.3 prep * adding updates * adjusted version in packages.yml	2022-04-01 13:33:18 -08:00
Terrance DeJesus	93edc44284	[Rule Tuning] Timeline Templates For Windows and Linux (#1892 ) * added comprehensive file timeline to Hosts File Modified rule * added Comprehensive Process Timeline to Interactive Terminal Spawned via Python rule * updated rules to have generic instead of comprehensive * updated several rules with timeline ID and timeline title values * changed updated_date for threat intel fleet integrations * added missing templates to timeline_templates dict in definitions.py * added comprehensive timeline templates to alerts after definitions.py was updated * updated rules with comprehensive timeline templates and added min stack comments and versions * removing timeline template changes which is tracked in #1904 * Update rules/linux/execution_python_tty_shell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Delete Pipfile Removing pipfile * Delete Pipfile.lock deleting pipfile.lock * Update rules/windows/execution_command_shell_started_by_svchost.toml updating title Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-04-01 13:44:35 -04:00
Terrance DeJesus	e72031a71a	added comprehensive timeline template definitions (#1905 )	2022-04-01 08:51:54 -08:00
Jonhnathan	e1b4a0d87c	Svchost spawning Cmd - False Positives Tuning (#1894 )	2022-03-31 19:28:46 -03:00
Jonhnathan	8a59b49fea	[Security Content] Adjust Investigation Guides to be less generic (#1805 ) * PowerShell Suspicious Script with Audio Capture Capabilities * PowerShell Keylogging Script * PowerShell MiniDump Script * Potential Process Injection via PowerShell * PowerShell Suspicious Discovery Related Windows API Functions * Suspicious Portable Executable Encoded in Powershell Script * PowerShell PSReflect Script * Startup/Logon Script added to Group Policy Object * Group Policy Abuse for Privilege Addition * Scheduled Task Execution at Scale via GPO * Apply suggestions from code review Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> * Adjust Posh desc * . * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> * . * Apply suggestions from code review Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update privilege_escalation_group_policy_scheduled_task.toml * Update rules/windows/privilege_escalation_group_policy_iniscript.toml Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2022-03-31 11:29:30 -03:00
Jonhnathan	a3d7427d29	[Security Content] Add Investigation Guides - 2 (#1822 ) * Add Investigation Guides for Windows Rules - First half * + 1/2 * Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml * Update credential_access_mod_wdigest_security_provider.toml * Apply suggestions from code review Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update defense_evasion_amsienable_key_mod.toml * Update defense_evasion_amsienable_key_mod.toml * Apply suggestions from code review Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> * Update command_and_control_certutil_network_connection.toml * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> * Update collection_winrar_encryption.toml * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co>	2022-03-30 14:43:55 -03:00
Justin Ibarra	5214209f8d	reset evasion rules (#1902 )	2022-03-29 15:47:48 -08:00
Justin Ibarra	44facd7c2a	reset linux evasion rules (#1901 )	2022-03-29 15:23:08 -08:00
Justin Ibarra	8d09bca633	Re-add c89 rules (#1900 )	2022-03-29 15:01:48 -08:00
Justin Ibarra	507a23ba01	temp remove rule to readd with backport (#1898 )	2022-03-29 14:52:04 -08:00
Colson Wilhoit	bcec8a4479	Linux Shell Evasion Rule Tuning (#1878 ) * Linux Shell Evasion Rule Tuning * Update execution_python_tty_shell.toml * Update rules/linux/execution_apt_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_apt_binary.toml * Update rules/linux/execution_awk_binary_shell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_awk_binary_shell.toml * Update rules/linux/execution_c89_c99_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_c89_c99_binary.toml * Update rules/linux/execution_cpulimit_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_cpulimit_binary.toml * Update rules/linux/execution_expect_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_expect_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_expect_binary.toml * Update rules/linux/execution_find_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_find_binary.toml * Update rules/linux/execution_gcc_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_gcc_binary.toml * Update rules/linux/execution_mysql_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_mysql_binary.toml * Update rules/linux/execution_nice_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_nice_binary.toml * Update rules/linux/execution_ssh_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_ssh_binary.toml * Update execution_perl_tty_shell.toml * Update execution_python_tty_shell.toml * Update rules/linux/execution_apt_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_awk_binary_shell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_c89_c99_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_cpulimit_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_expect_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_find_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_gcc_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_mysql_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_nice_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_ssh_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-03-29 09:16:21 -05:00
shashank-elastic	fb40a4a8c7	Description updation across multiple rules (#1893 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-03-28 22:54:37 +05:30
Damià Poquet Femenia	9ad3d39a32	Add Jamf Connect exception for macOS users enumeration rule (#1891 ) * Update discovery_users_domain_built_in_commands.toml Jamf Connect uses ldapsearch to synchronize user passwords. * change rule update date	2022-03-28 13:13:28 -03:00
Stijn Holzhauer	3d4eaf4caf	Adding path as stated in #1812 (#1889 ) * Adding path as stated in #1812 * Bumping updated_date Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-03-27 08:07:38 -03:00
Jonhnathan	940689576d	[New Rule] Account configured with never Expiring Password (#1790 ) * Create persistence_nopasswd_account.toml * Update persistence_nopasswd_account.toml * Update persistence_nopasswd_account.toml * . * Update persistence_dontexpirepasswd_account.toml * Update persistence_dontexpirepasswd_account.toml	2022-03-26 08:19:28 -03:00
Justin Ibarra	cbeb767156	Add kibana-update and fleet-release templates (#1887 )	2022-03-25 23:44:35 -08:00
Justin Ibarra	3d088787d2	remove update templates	2022-03-25 23:36:40 -08:00
Justin Ibarra	a843337350	Add kibana-update and fleet-release issue tempaltes	2022-03-25 23:21:12 -08:00
Justin Ibarra	d71154b272	Add type to deprecated rules in version.lock (#1881 )	2022-03-24 17:42:13 -08:00
Justin Ibarra	17ef6c558c	[Bug] Fix bug in version_lock.py (#1880 )	2022-03-24 15:41:16 -08:00
Jonhnathan	cdb3dd6dbe	[Security Content] Add Investigation Guides (#1799 ) * Update impact_backup_file_deletion.toml * Update credential_access_seenabledelegationprivilege_assigned_to_user.toml * Update defense_evasion_ms_office_suspicious_regmod.toml * Update credential_access_posh_request_ticket.toml * Update credential_access_disable_kerberos_preauth.toml * Fix missing hyphen * Update rules/windows/credential_access_posh_request_ticket.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/windows/credential_access_posh_request_ticket.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update credential_access_posh_request_ticket.toml * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> * Remove extra line * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> * Lint and adjusts * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>	2022-03-24 18:16:00 -03:00
shashank-elastic	3474f8c8e4	flock shell evasion threat (#1863 ) * flock shell evasion threat * Update rules/linux/execution_flock_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_flock_binary.toml * Update rules/linux/execution_flock_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-03-24 15:52:18 -05:00
shashank-elastic	152477904f	vim shell evasion threat (#1865 ) * vim shell evasion threat * Update rules/linux/execution_vi_binary.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_vi_binary.toml * Update rules/linux/execution_vi_binary.toml * Update rules/linux/execution_vi_binary.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2022-03-24 15:37:20 -05:00
Justin Ibarra	11ec9c230e	Prevent changes to rule type for locked rules (#1855 ) * add rule type to the rule lock_info * add check in VersionLock; add type to version.lock * print changes only on save	2022-03-24 11:56:27 -08:00
Justin Ibarra	f4c94af994	[Bug] Version bump with previous (#1870 ) * save changes to top level for route C; verbose prints * update top level on forked rule without overriding min_stack_version * add check to ensure previous version !> current	2022-03-24 11:12:06 -08:00
Mika Ayenson	1f015ebe85	1554 update eql schemas to fail validation on text fields (#1866 ) * Ensure kql2eql conversion doesnt support `text` fields * Add unit test cases for`text` not supported in eql * test `field not recognized` in the rule_validator and output a verbose message. * use elasticsearch_type_family to lookup text mappings Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-03-23 16:22:26 -04:00
Jonhnathan	df7bed4408	[New Rule] User account exposed to Kerberoasting (#1789 ) * Create credential_access_spn_attribute_modified.toml * Update credential_access_spn_attribute_modified.toml * Update non-ecs-schema.json * Update rules/windows/credential_access_spn_attribute_modified.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2022-03-23 16:31:47 -03:00
Samirbous	c254d0de8b	[New Rule] Suspicious Remote Registry Access via SeBackupPrivilege (#1783 ) * [New Rule] Suspicious Remote Registry Access via SeBackupPrivilege https://github.com/mpgn/BackupOperatorToDA https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp Detection mainly occurs on AD/DC side : EQL ``` sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m [iam where event.action == "logged-in-special" and winlog.event_data.PrivilegeList : "SeBackupPrivilege"] [any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"] ``` ``` "sequences" : [ { "join_keys" : [ "83989f29-8447-4b3c-a54b-4a0f7e5a4872", "0x2a23a5" ], "events" : [ { "_index" : ".ds-logs-system.security-default-2022.02.11-000001", "_id" : "L68HAn8BQQK22TUvoE_k", "_source" : { "agent" : { "name" : "01566s-win16-ir", "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683", "type" : "filebeat", "ephemeral_id" : "26383f4e-4412-4aa4-8ed4-7e729fb593e8", "version" : "8.0.0" }, "winlog" : { "computer_name" : "01566s-win16-ir.threebeesco.com", "process" : { "pid" : 624, "thread" : { "id" : 756 } }, "keywords" : [ "Audit Success" ], "logon" : { "id" : "0x2a23a5" }, "channel" : "Security", "event_data" : { "SubjectUserName" : "samir", "SubjectDomainName" : "3B", "SubjectLogonId" : "0x2a23a5", "PrivilegeList" : [ "SeBackupPrivilege", "SeRestorePrivilege" ], "SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-220106" }, "opcode" : "Info", "record_id" : "2987813", "task" : "Special Logon", "event_id" : "4672", "provider_guid" : "{54849625-5478-4994-A5BA-3E3B0328C30D}", "api" : "wineventlog", "provider_name" : "Microsoft-Windows-Security-Auditing" }, "log" : { "level" : "information" }, "elastic_agent" : { "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683", "version" : "8.0.0", "snapshot" : false }, "message" : """Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-308926384-506822093-3341789130-220106 Account Name: samir Account Domain: 3B Logon ID: 0x2A23A5 Privileges: SeBackupPrivilege SeRestorePrivilege""", "input" : { "type" : "winlog" }, "@timestamp" : "2022-02-16T10:15:26.330Z", "ecs" : { "version" : "1.12.0" }, "related" : { "user" : [ "samir" ] }, "data_stream" : { "namespace" : "default", "type" : "logs", "dataset" : "system.security" }, "host" : { "hostname" : "01566s-win16-ir", "os" : { "build" : "14393.3659", "kernel" : "10.0.14393.3659 (rs1_release_1.200410-1813)", "name" : "Windows Server 2016 Datacenter", "type" : "windows", "family" : "windows", "version" : "10.0", "platform" : "windows" }, "ip" : [ "172.16.66.36", "fe80::ffff:ffff:fffe", "fe80::5efe:ac10:4224" ], "name" : "01566s-win16-ir.threebeesco.com", "id" : "83989f29-8447-4b3c-a54b-4a0f7e5a4872", "mac" : [ "00:50:56:24:6c:d2", "00:00:00:00:00:00:00:e0", "00:00:00:00:00:00:00:e0" ], "architecture" : "x86_64" }, "event" : { "agent_id_status" : "verified", "ingested" : "2022-02-16T10:15:28Z", "code" : "4672", "provider" : "Microsoft-Windows-Security-Auditing", "created" : "2022-02-16T10:15:27.675Z", "kind" : "event", "action" : "logged-in-special", "category" : [ "iam" ], "type" : [ "admin" ], "dataset" : "system.security", "outcome" : "success" }, "user" : { "domain" : "3B", "name" : "samir", "id" : "S-1-5-21-308926384-506822093-3341789130-220106" } } }, { "_index" : ".ds-logs-system.security-default-2022.02.11-000001", "_id" : "Mq8HAn8BQQK22TUvoE_k", "_source" : { "agent" : { "name" : "01566s-win16-ir", "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683", "ephemeral_id" : "26383f4e-4412-4aa4-8ed4-7e729fb593e8", "type" : "filebeat", "version" : "8.0.0" }, "winlog" : { "computer_name" : "01566s-win16-ir.threebeesco.com", "process" : { "pid" : 4, "thread" : { "id" : 1176 } }, "keywords" : [ "Audit Success" ], "logon" : { "id" : "0x2a23a5" }, "channel" : "Security", "event_data" : { "ShareName" : """\\\IPC$""", "IpPort" : "50071", "SubjectLogonId" : "0x2a23a5", "AccessMask" : "0x12019f", "ObjectType" : "File", "SubjectUserName" : "samir", "AccessReason" : "-", "SubjectDomainName" : "3B", "IpAddress" : "172.16.66.25", "AccessMaskDescription" : [ "List Object", "Read Property", "Create Child", "Control Access", "Delete Child", "List Contents", "SELF", "SYNCHRONIZE", "READ_CONTROL" ], "RelativeTargetName" : "winreg", "AccessList" : """%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 """, "SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-220106" }, "opcode" : "Info", "record_id" : "2987816", "event_id" : "5145", "task" : "Detailed File Share", "provider_guid" : "{54849625-5478-4994-A5BA-3E3B0328C30D}", "api" : "wineventlog", "provider_name" : "Microsoft-Windows-Security-Auditing" }, "log" : { "level" : "information" }, "elastic_agent" : { "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683", "version" : "8.0.0", "snapshot" : false }, "message" : """A network share object was checked to see whether client can be granted desired access. Subject: Security ID: S-1-5-21-308926384-506822093-3341789130-220106 Account Name: samir Account Domain: 3B Logon ID: 0x2A23A5 Network Information: Object Type: File Source Address: 172.16.66.25 Source Port: 50071 Share Information: Share Name: \\\IPC$ Share Path: Relative Target Name: winreg Access Request Information: Access Mask: 0x12019F Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) ReadEA WriteEA ReadAttributes WriteAttributes Access Check Results: -""", "input" : { "type" : "winlog" }, "@timestamp" : "2022-02-16T10:15:26.336Z", "ecs" : { "version" : "1.12.0" }, "data_stream" : { "namespace" : "default", "type" : "logs", "dataset" : "system.security" }, "host" : { "hostname" : "01566s-win16-ir", "os" : { "build" : "14393.3659", "kernel" : "10.0.14393.3659 (rs1_release_1.200410-1813)", "name" : "Windows Server 2016 Datacenter", "family" : "windows", "type" : "windows", "version" : "10.0", "platform" : "windows" }, "ip" : [ "172.16.66.36", "fe80::ffff:ffff:fffe", "fe80::5efe:ac10:4224" ], "name" : "01566s-win16-ir.threebeesco.com", "id" : "83989f29-8447-4b3c-a54b-4a0f7e5a4872", "mac" : [ "00:50:56:24:6c:d2", "00:00:00:00:00:00:00:e0", "00:00:00:00:00:00:00:e0" ], "architecture" : "x86_64" }, "event" : { "agent_id_status" : "verified", "ingested" : "2022-02-16T10:15:28Z", "code" : "5145", "provider" : "Microsoft-Windows-Security-Auditing", "kind" : "event", "created" : "2022-02-16T10:15:27.675Z", "action" : "Detailed File Share", "dataset" : "system.security", "outcome" : "success" } } } ] }, ``` * Update non-ecs-schema.json * Update rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-03-23 19:42:03 +01:00
Justin Ibarra	46c2383e5b	[New Rule] Okta User Session Impersonation (#1867 ) * [New Rule] Okta User Session Impersonation Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-03-22 16:11:29 -08:00
Stijn Holzhauer	2ed97d2e8c	[Rule Tuning] Adding event.provider to AWS WAF Rule or Rule Group Deletion (#1833 ) * Adding event.provider * Removing new line * Updating updated_date field Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-03-22 20:36:53 -03:00
shashank-elastic	22367d3702	crash shell evasion threat (#1861 )	2022-03-22 18:46:05 +05:30
shashank-elastic	2ab5a1f44a	[New Rule] cpulimit shell evasion threat (#1851 ) * cpulimit shell evasion threat * Update rules/linux/execution_cpulimit_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_cpulimit_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-03-21 12:16:53 -05:00
Terrance DeJesus	096723b2a1	[Rule Tuning] Symbolic Link to Shadow Copy Created (#1830 ) * fixed duplicated file name * deprecated Symbolic Link to Shadow Copy Created as it may be prone to FP and the intrusion steps are covered with NTDS or SAM Database File Copied * moved rule back to production, added investigation notes and sequencing to EQL query * added related rule 3bc6deaa-fbd4-433a-ae21-3e892f95624f to investigation notes * updating with minor changes * adjusted related rules * adjusted investigation notes * Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * TOML linted and adjusted updated date Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2022-03-18 11:08:29 -04:00
Mika Ayenson	84b7ce6582	update beats master branch ref to main (#1853 ) * update beats master branch ref to main * update filename of master beat schema to main * delete old main beats schema * rebuilt main beats archive	2022-03-18 10:06:34 -04:00
shashank-elastic	7feebc2c10	Updation of Mitre Tactic and Threats (#1850 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-03-18 15:06:24 +05:30
Jonhnathan	22dd7f0ada	Deprecate PrintNightmare Rules (#1852 )	2022-03-17 19:39:36 -03:00
Jonhnathan	a6edb7cfcf	Update defense_evasion_posh_process_injection.toml (#1838 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-03-17 19:37:42 -03:00
shashank-elastic	b492258fb0	[New Rule] busybox shell evasion threat (#1842 ) * busybox shell evasion threat Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-03-17 09:54:46 +05:30
Justin Ibarra	eb2f62940d	Bump EQL to 0.9.12 (#1849 ) * Bump EQL to 0.9.12 * remove duplicate jsonschema	2022-03-16 16:29:33 -08:00
shashank-elastic	f7735df1d5	[New Rule] c89/c99 shell evasion threat (#1840 ) * c88/c99 shell evasion threat	2022-03-16 23:06:34 +05:30
Jonhnathan	e0f8f61ca0	Update persistence_user_account_added_to_privileged_group_ad.toml (#1845 )	2022-03-16 13:06:04 -03:00
Jonhnathan	b5f06f455c	Update defense_evasion_microsoft_defender_tampering.toml (#1837 )	2022-03-14 20:07:39 -03:00
Jonhnathan	53fbc50ea1	[New Rule] AdminSDHolder SDProp Exclusion Added (#1795 ) * AdminSDHolder SDProp Exclusion Added Initial Rule * Update persistence_sdprop_exclusion_dsheuristics.toml * Update rules/windows/persistence_sdprop_exclusion_dsheuristics.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2022-03-10 14:17:01 -03:00
shashank-elastic	c05f3c8aa3	gcc shell evasion threat (#1824 )	2022-03-10 22:41:31 +05:30
shashank-elastic	b49cce9fcb	ssh shell evasion threat (#1827 )	2022-03-10 22:39:05 +05:30
shashank-elastic	ddbc1de45c	mysql shell evasion threat (#1823 )	2022-03-10 22:36:35 +05:30
shashank-elastic	334aa12aaf	expect shell evasion threat (#1817 ) * expect shell evasion threat * expect shell evasion threat * Update rules/linux/defense_evasion_expect_binary.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-03-07 14:22:56 -06:00
shashank-elastic	2b6a357a4b	nice shell evasion threat (#1820 ) * nice shell evasion threat * Update rules/linux/defense_evasion_nice_binary.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-03-07 13:59:16 -06:00
shashank-elastic	f9503f2096	[Rule Tuning] Rule description updates (#1811 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-03-07 19:33:11 +05:30

1 2 3 4 5 ...

1012 Commits