Ruben Groenewoud
71186c8788
[Rule Tuning] Potential Persistence Through Run Control Detected ( #2857 )
* [Rule Tuning] changed rule type to new_terms
* Updated min stack comment
* Update persistence_rc_script_creation.toml
* Changed description, removed file.path from new_terms field because it is not necessary
* added host.id to new terms field and bumped up min stack
2023-06-22 13:39:36 +02:00
Ruben Groenewoud
7d64dc2a87
[Rule tunings / New Rule] Kernel Unload and Enumeration ( #2838 )
* [Rule Tunings] Kernel Module Enumeration / Removal
* [Rule Tunings] Kernel Module Enumeration and Removal
* Deleted copy of wrong file
* EQL Conversion and made the rule more resilient
* Converted rules to EQL and made rules more resilient
* Removed unwanted rule from PR
* fixed unit tests
* fixed unit testing, removed endgame support
* Added a rule to detect kernel module enum via proc
* Did some additional tuning, 0 hits in RedSector now
2023-06-22 10:11:52 +02:00
Terrance DeJesus
082e92c95c
[Rule Tuning] Adjust Okta ThreatInsight Rule to Promotion ( #2854 )
* adding new rule for Okta ThreatInsight threat suspected
* added promotion tag
* removed new rule and tuned existing
* added promotion tag
* Update rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-21 09:47:27 -04:00
eric-forte-elastic
6449cecd08
[FR] Add support for building block rules (BBR) ( #2822 )
* added test bbr
* initial implementation
* Added Unit test and exempted bbr from integrations
* fixed linting
* Add schema validation to building block rules
* add separate error messages
* fixed linting
* Add testing bbr validation
* fixed linting
* Add default values
* fixed linting
* added defaults
* fixed linting
* cleaned up test rule
* removed .gitkeep
* read .gitkeep
* Switch to using validates_schema
* addressing some linting
* fixed linting
* Update detection_rules/schemas/definitions.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* add env variable check
* fix skip function
* updated name
* Update detection_rules/schemas/definitions.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Add bbr validation unit test
* Clean up comments
* fix linting
* Move convert time to utils
* Moved to rules_building_block
* Add check for only bbr in bbr dir
* fix linting
* additional linting fix
* Changed to bbr rule loader
* fixed bbr default
* Updated error messages and README
* fixed more linting
* Updating root level README
* Fixed convert_time_span calls
* fixed typo in unit test logic and updated txt
* fixed error message
* updated comment for clarity
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Updated validation methods for clarity
* fix docstring location
* Fixed typo
* updated error messages.
* removed excess whitespace
* Add per rule bypass
* Add single rule bypass
* Split unit tests
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-20 09:00:30 -04:00
Ruben Groenewoud
dc05f1d8f3
[New Rule] Sus Network Activity from Unknown Executable ( #2856 )
* [New Rule] Sus Network Activity from Unknown Executable
* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* added endgame support, changed min stack comment
* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-14 23:27:29 +02:00
Ruben Groenewoud
b4a218ed1c
[New Rule] Shared Object Created ( #2848 )
* [New Rule] Shared Object Created or Changed
* Removed sub technique
* Update rules/linux/persistence_shared_object_creation.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* changed description slightly
* Update rules/linux/persistence_shared_object_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_shared_object_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* added T1574.006
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-13 22:51:07 +02:00
github-actions[bot]
01334a28bd
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8 ( #2853 )
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-06-13 09:48:24 -04:00
Ruben Groenewoud
4f9f28c370
[New Rules] Cron Job / Systemd Service Creation ( #2847 )
* [New Rules] Cron Job/Systemd Service Creation
* Added execution to tags
* Added additional EndGame Support
* Update rules/linux/persistence_cron_job_creation.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
* Update rules/linux/persistence_systemd_service_creation.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
---------
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
2023-06-13 09:44:44 +02:00
Ruben Groenewoud
644d2f5b26
[New Rule] New Systemd Timer Created ( #2601 )
* [New Rule] New Systemd Timer Created
* improve query runtime performance
* added process.name entries for alert reduction
* attempt to fix gh unit testing failure
* added host.os.type==linux to fix unit test error
* Added OSQuery to investigation guides
* added additional process names
* removed investigation guides to add in future PR
* removed investigation guide tag
* Changed rule to new_terms rule to reduce FPs
* fixed query
* formatting fix
* Learnt another thing about KQL.. Formatting fix.
* unit test fix
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
2023-06-13 09:15:47 +02:00
eric-forte-elastic
450e84ffa2
[FR] Add host family to data path ( #2839 )
* add rounding logic
* cleaned up event_sort
* fix linting
* Added host_family to ndjson file path
* linting fix
* Added ability to manually supply host_os_family
* fixed linting
* Update detection_rules/utils.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/utils.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* linting updates
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-12 16:03:33 -04:00
Eric
1e404cde34
[Suspicious PowerShell Engine ImageLoad] Add Ssms.exe to query exceptions ( #2831 )
* Add Ssms.exe to query exceptions
* Changed updated_date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-12 16:15:47 -03:00
Terrance DeJesus
8db42da040
Limit backports to 8.3+ ( #2450 )
* Drop Rule Support for Outdated Stack Versions Less Than 8.3
* changed version lock key assignment logic and updated version lock file
* added comment to stack-schema-map file
* changed version lock key assignment logic to use custom Version method
* Update detection_rules/devtools.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* reverting version lock file to original
* updated version lock from adjusted comparison logic of stack versions
* updated logic in devtools; removed < 8.3.0 in version lock file
* trimmed lock version before merge
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-12 12:51:40 -04:00
Jonhnathan
665bf03ec0
[Rule Tuning] Remote System Discovery Commands ( #2834 )
2023-06-07 14:24:53 -03:00
Eric
601788c4df
Added Outlook.exe as a query exception ( #2814 )
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-06-06 17:47:25 +01:00
Eric
221e756b48
Adjusted exceptions to rule for Nessus ( #2774 )
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-06-06 17:39:34 +01:00
github-actions[bot]
cc377b6634
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8 ( #2824 )
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-05-31 12:42:12 -04:00
Terrance DeJesus
e0ceb5a434
adjust integrations file; add option for single integration update ( #2816 )
2023-05-31 11:00:58 -04:00
Jonhnathan
05aac4f371
[Security Content] Add Investigation Guides to Windows rules ( #2678 )
* [Security Content] Add Investigation Guides to Windows rules
* Update privilege_escalation_service_control_spawned_script_int.toml
* Update execution_reverse_shell_via_named_pipe.toml
* Apply suggestions from code review
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update execution_command_prompt_connecting_to_the_internet.toml
---------
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2023-05-26 10:25:41 -03:00
Jonhnathan
0d5e25e896
[Rule Tuning] Interactive Terminal Spawned via Python ( #2781 )
* [Rule Tuning] Interactive Terminal Spawned via Python
* Update execution_python_tty_shell.toml
* Update execution_python_tty_shell.toml
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-05-26 10:19:35 -03:00
Ruben Groenewoud
54c5c17aa3
[Rule Tuning & Addition] Potential Linux SSH Brute Force ( #2583 )
* [Rule tuning & Addition] SSH Bruteforce
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* fixed rule_id change, added additional cidr match
* added host.os.type==linux
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Formatting style change
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Added related rules suggestion
* Added related rule suggestion
* added additional internal ip ranges
* added additional internal ip ranges
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-05-25 12:00:44 +02:00
Terrance DeJesus
8766734c89
[Bug] Adding additional dependency typing-extensions ( #2812 )
* added additional dependency
* adding pip cache purge
2023-05-24 10:23:35 -04:00
Terrance DeJesus
e9baebc2bc
bug fix for misspelled variable call ( #2800 )
2023-05-18 12:45:13 -04:00
Terrance DeJesus
7f249e6cc4
[Security Content] Add Google Workspace Investigation Guides ( #2540 )
* adding google workspace investigation guides
* updated 'Google Workspace Custom Gmail Route Created or Modified' guide
* updated 'Google Workspace Custom Gmail Route Created or Modified' guide
* updated 'Application Removed from Blocklist in Google Workspace'
* updated 'Domain Added to Google Workspace Trusted Domains'
* updated 'Google Workspace Bitlocker Setting Disabled'
* updated 'Google Workspace Admin Role Deletion'
* updated 'Application Added to Google Workspace Domain'
* updated 'Google Workspace Admin Role Assigned to a User'
* updated 'Google Workspace Role Modified'
* updated 'Google Workspace Custom Admin Role Created'
* updated 'Google Workspace API Access Granted via Domain-Wide Delegation of Authority'
* updated 'Google Workspace Password Policy Modified'
* updated 'Google Workspace Restrictions for Google Marketplace Modified to Allow Any App'
* updated 'Google Workspace User Organizational Unit Changed'
* reverted 'Google Workspace User Group Access Modified to Allow External Access'
* removed new lines
* added 'Investigation Guide' tags
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_restrictions_for_google_marketplace_changed_to_allow_any_app.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/defense_evasion_google_workspace_bitlocker_setting_disabled.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_password_policy_modified.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/persistence_google_workspace_2sv_policy_disabled.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Update rules/integrations/google_workspace/collection_google_drive_ownership_transferred_via_google_workspace.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* removed duplicate file
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
2023-05-18 10:16:20 -04:00
github-actions[bot]
836c803e9d
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8 ( #2797 )
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4,8.5,8.6,8.7,8.8
* kicking off testing
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-05-17 12:16:54 -04:00
Jonhnathan
0b3f603179
[Rule Tuning] Adding Hidden File Attribute via Attrib ( #2726 )
* [New Rule] Adding Hidden File Attribute via Attrib
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-05-17 10:23:11 -03:00
Jonhnathan
9f734c2c1f
[Rule Tuning] System Information Discovery via Windows Command Shell ( #2741 )
2023-05-17 09:58:21 -03:00
Isai
0eed8ce27f
[New Rule] SSH Process Launched From Inside A Container ( #2794 )
* [New Rule] SSH Process Launched From Inside A Container
new toml rule file
* changed "not" query
changed query to !=
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-05-16 17:32:58 -04:00
Isai
b0838cc2cb
[New Rule] SSH Connection Established Inside A Running Container ( #2793 )
* [New Rule] SSH Connection Established Inside A Running Container
new rule toml
* Update initial_access_ssh_connection_established_inside_a_container.toml
moved order of tactics
* Apply suggestions from code review
updated spacing based on code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-05-16 16:56:52 -04:00
Isai
515d393828
[New Rule] SSH Authorized Keys File Modified Inside a Container ( #2792 )
* [New Rule] SSH Authorized Keys File Modified Inside a Container
new rule toml
* toml file name change
changed duplicate toml file name
* Update persistence_ssh_authorized_keys_modification_inside_a_container.toml
added time intervals
* removed redundant event.type
removed event.type fields
* added back event.type and removed event.action per reviewer suggestion
removed redundant event.action fields
2023-05-16 16:30:17 -04:00
Isai
648dd8b3ed
[New Rule] Interactive Exec Command Launched Against A Running Container ( #2791 )
* [New Rule] Interactive Exec Command Launched Against A Running Container
new rule toml
* Update execution_interactive_exec_to_container.toml
updated reference links
* Update execution_interactive_exec_to_container.toml
fixed the comments
* Update execution_interactive_exec_to_container.toml
* Update execution_interactive_exec_to_container.toml
removed process.session_leader.same_as_process
* Update execution_interactive_exec_to_container.toml
added time intervals
* Apply suggestions from code review
updated spacing
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-05-16 16:09:10 -04:00
Isai
9e3dc112b3
[New Rule] Sensitive Files Compression Inside A Container ( #2790 )
new rule toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-05-16 15:49:42 -04:00
Isai
d8e9874d54
[New Rule] Sensitive Keys Or Passwords Searched For Inside A Container ( #2789 )
* [New Rule] Sensitive Keys Or Passwords Searched For Inside A Container
new rule toml
* description update
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* added locate and mlocate based on review suggestion
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-16 15:29:54 -04:00
Isai
73f87ad7e6
[New Rule] Suspicious Network Tool Launched Inside A Container ( #2759 )
* [New Rule] Suspicious Network Tool Launched Inside A Container
new rule
* Apply suggestions from code review
removed unused fields, adjust from field for readability
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* update based on reviews
added additional tools, added false positives section, raised risk score
* Update discovery_suspicious_network_tool_launched_inside_a_container.toml
adjusted tags
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-05-16 15:21:42 -04:00
Isai
5fd155849e
[New Rule] File Made Executable via Chmod Inside A Container ( #2757 )
* [New Rule] File Made Executable via Chmod Inside A Container
new rule
* edit threat matrix urls
add final / to reference urls
* Apply suggestions from code review
removed unused fields, adjust from field for readability
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
rule query change to remove exclusion and add more common chmod executable patterns, nit review comments, additional tactic, technique and subtechnique
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
added Defense Evasion tag
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
adjusted tags
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
changed rule type to file instead of process to eliminate false positive results from adding the number modification parts of the query
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-05-16 15:15:49 -04:00
Isai
4c996490ec
[New Rule] Netcat Listener Established Inside A Container ( #2756 )
* [New Rule] Netcat Listener Established Inside A Container
new rule toml
* remove references
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* remove false_positives
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* adjust from field from s to m for readability
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update execution_netcat_listener_established_inside_a_container.toml
updated query, updated risk score, expanded explanation for 2nd part of the query where process args is used to search for target executables
* optimized query
optimized query to deduplicate fields based on review feedback
* Update execution_netcat_listener_established_inside_a_container.toml
updated query comment
* Update execution_netcat_listener_established_inside_a_container.toml
added false positive section
* Update execution_netcat_listener_established_inside_a_container.toml
adjusted tags
* removed the != end query parameter
removed the exclusion of end events for this to account for short-lived netcat listener processes
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-05-16 15:08:20 -04:00
Isai
e954b6d7eb
[New Rule] Interactive Shell Spawned From Inside a Container ( #2752 )
* Create execution_interactive_shell_spawned_from_inside_a_container.toml
new rule
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
edited threat matrix
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
changed boolean in query from string type
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
added timestamp_override field
* Apply suggestions from code review
readability from field change, removed references field
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* Apply suggestions from code review
index spacing, rule name, comment change
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
updated description, updated query to utilize container.id field to distinguish container vs linux rule, remove unnecessary comments and simplify the query.
* Update rule query
updated rule query to use process.executable and an or field for event.action
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
adjusted tags
* changed "not" in query
event.action != end based on review suggestion
* spacing around comments
* removed ending wildcard causing FPs
removed ending wildcard for process.args /sh as it's causing FPs and will risk being too noisy
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-05-16 15:02:20 -04:00
Isai
ee86144565
[New Rule] Container Management Binary Run Inside A Container ( #2754 )
* [New Rule] Container Management Binary Run Inside A Container
new rule
* Apply suggestions from code review
removed unused fields, adjust from field for readability
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* Apply suggestions from code review
description change, name change, index spacing
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update false_positives and query
added false positives section and updated query with container.id field
* Update execution_container_management_binary_launched_inside_a_container.toml
adjusted tags
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-05-16 14:41:27 -04:00
Terrance DeJesus
24974108f3
updated ATT&CK 13.0 to 13.1 ( #2795 )
2023-05-16 11:01:52 -04:00
Ruben Groenewoud
9ebffb44ff
[New Rules] Ransomware Encryption & Note Creation ( #2652 )
* [New Rules] Ransomware Encryption & Note Creation
* changed description
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-16 11:30:00 +02:00
Jonhnathan
d017156454
[Rule Tuning] Make Rules Compatible with Windows Forwarded Logs ( #2761 )
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update test_all_rules.py
* Update test_all_rules.py
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-05-15 20:31:59 -03:00
Mika Ayenson
ea9bfc3e2b
Update trigger-react.yml ( #2779 )
2023-05-05 13:21:54 -04:00
shashank-elastic
1293365a7f
Rule to detect Potential Linux Credential Dumping via Proc Filesystem ( #2751 )
2023-05-05 22:23:15 +05:30
Ruben Groenewoud
26258f806a
[New Rules] Persistence through MOTD ( #2608 )
* [New Rules] Persistence through MOTD
* fixed unit error test by adding timestamp_override
* Update rules/linux/persistence_message_of_the_day_execution.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* added host.os.type == "linux"
* removed ability to bypass chmod by using e.g. 700
* Added endgame support, changed query
* Changed query
* updated risk_score
* added OSQuery to investigation guides
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* removed investigation guides to add in future PR
* removed investigation guide tag
* Changed rule to new terms rule for FP reduction
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-05 10:29:15 +02:00
Ruben Groenewoud
1aea1ee9bb
[New rule] Sus File Creation in init.d for Persistence Detected ( #2653 )
* [New Rule] Init.d File and Service Creation
* Changed rule name
* [New Rule] Sus File Creation init.d Persistence
* Added Endgame compatibility
* added touch
* Added OSQuery to investigation guide
* added additional processes
* removed investigation guide to add in sep PR
* changed rule name
* removed investigation guide tag
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update persistence_init_d_file_creation.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-05 09:54:42 +02:00
Ruben Groenewoud
09719dd0c5
[Rule Tuning] Potential Shell via Web Server ( #2585 )
* tuned web shell logic, and converted to EQL
* Removed old, created new rule to bypass "type" bug
* Revert "Removed old, created new rule to bypass "type" bug"
This reverts commit e994b62ecb838f73fa56d145e529169ebd2f5133.
* Revert "tuned web shell logic, and converted to EQL"
This reverts commit 28bda94b846cbb4ae1a084e707db2b6df458a7ca.
* Deprecated old rule, added new
* formatting fix
* removed endgame index
* Fixed changes captured as edited, not created
* Update rules/linux/persistence_shell_activity_through_web_server.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* fix conflict
* added host.os.type==linux for unit testing
* removed wildcards in process.args
* Update rules/linux/persistence_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* fixed conflict by changing file name and changes
* Trying to resolve the GH conflict
* attempt to fix GH conflict #2
* Update persistence_shell_activity_by_web_server.toml
* Added endgame support
* Added OSQuery to investigation guide
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* removed investigation guide to add in future PR
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-05-05 09:47:49 +02:00
Mika Ayenson
c443aadbe1
[FR] Add base pipeline to trigger react ( #2768 )
2023-05-04 16:44:28 -04:00
Jonhnathan
6655932190
[Rule Tuning] Startup or Run Key Registry Modification ( #2766 )
* [Rule Tuning] Startup or Run Key Registry Modification
* Update persistence_run_key_and_startup_broad.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-04 09:42:12 -03:00
Mika Ayenson
81bef59236
[FR] Generate mdx docs ( #2718 )
2023-05-03 16:27:30 -04:00
Terrance DeJesus
71d93e875e
[Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms ( #2760 )
* [Rule Tuning] Tuning 'AWS Access Secret in Secrets Manager' to New Terms
* updated new terms
2023-05-03 09:28:59 -04:00
Ruben Groenewoud
6524acf98a
[rule tuning] modified std auth module or config ( #2737 )
2023-05-03 09:32:33 +02:00