724e34ba95
[Rule Tuning] Windows DR Tuning - 9 ( #3354 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-01-07 09:49:33 -03:00
a0f82c3f12
[Tuning] Update min_stack for container rules new ecs field ( #3370 )
...
* Update privilege_escalation_mount_launched_inside_a_privileged_container.toml
update min_stack and comments
* Update privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
update min_stack and comments
2024-01-05 18:42:42 -05:00
10b241dcc5
[New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container ( #3241 )
...
* [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container
This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special
file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside
a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access
sensitive host level files which could be used for further privilege escalation and container escapes to the host
machine.
* added references
* Apply suggestions from code review
* Update rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Apply suggestions from code review
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-01-05 10:28:24 -05:00
db5e1e5cf2
[New Rule] Mount Launched Inside a Privileged Container ( #3245 )
...
* [New Rule] Mount Launched Inside a Privileged Container
This rule detects the use of the mount utility from inside a privileged container. The mount command is used to make a
device or file system accessible to the system, and then to connect its root directory to a specified mount point on the
local file system. When launched inside a privileged container--a container deployed with all the capabilities of the
host machine-- an attacker can access sensitive host level files which could be used for further privilege escalation
and container escapes to the host machine. Any usage of mount inside a running privileged container should be further
investigated.
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-01-05 10:17:55 -05:00
8e1dad0aeb
[New Rule] Potential Container Escape via Modified notify_on_release File ( #3244 )
...
* [New Rule] Potential Container Escape via Modified notify_on_release File
This rule detects modification of the cgroup notify_on_release file from inside a container. When the notify_on_release
flag is enabled (1) in a cgroup, then whenever the last task in the cgroup exits or attaches to another cgroup, the
command specified in the release_agent file is run and invoked from the host. A privileged container with SYS_ADMIN
capabilities, enables a threat actor to mount a cgroup directory and modify the notify_on_release flag in order to take
advantage of this feature, which could be used for further privilege escalation and container escapes to the host
machine.
* Apply suggestions from code review
* suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-01-04 22:14:39 -05:00
0a37df713b
[New Rule] Potential Container Escape via Modified release_agent File ( #3242 )
...
* [New Rule] Potential Container Escape via Modified release_agent File
This rule detects modification of the CGroup release_agent file from inside a privileged container. The release_agent is a script that is executed at the termination of any process on that CGroup and is invoked from the host. A privileged container with SYS_ADMIN capabilities, enables a threat actor to mount a CGroup directory and modify the release_agent which could be used for further privilege escalation and container escapes to the host machine.
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-01-04 21:24:54 -05:00
d7b62395e7
[FR] Add --include-metadata argument to export-rules command ( #3365 )
...
* added --include-metadata argument to export-rules command
* added type hinting in method definitions
* changed add_metadata to include_metadata
* adjusted argument name to include_metadata in command
* Update detection_rules/main.py
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
* fixed flake error
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-01-04 16:02:48 -05:00
7b1215ccf1
[Rule Tuning] Windows DR Tuning - 8 ( #3353 )
...
* [Rule Tuning] Windows DR Tuning - 8
* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/defense_evasion_via_filter_manager.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/defense_evasion_via_filter_manager.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-01-03 12:00:29 -03:00
b7e21d8c29
[New] Potential Evasion via Windows Filtering Platform ( #3356 )
...
* Create defense_evasion_windows_filtering_platform.toml
* Update defense_evasion_windows_filtering_platform.toml
* Update defense_evasion_windows_filtering_platform.toml
* Update defense_evasion_windows_filtering_platform.toml
* Update defense_evasion_windows_filtering_platform.toml
* Update rules/windows/defense_evasion_windows_filtering_platform.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update defense_evasion_windows_filtering_platform.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-01-03 12:50:12 +00:00
f37d13f29b
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 ( #3358 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-01-02 12:25:33 -05:00
5a96f4d51a
Merge branch 'main' of github.com:elastic/detection-rules
2024-01-02 11:15:01 -06:00
7e85854e7b
deprecating 'Malicious Remote File Creation' ( #3342 )
2023-12-20 08:49:45 -05:00
341499a2bc
[Deprecate] Potential Process Herpaderping Attempt ( #3336 )
...
* Update and rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml
* Rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml
* ++
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-12-19 15:59:48 -05:00
eafec1d857
[Bug] Fix BBR Folder Location Requirements for Specific Integrations ( #3348 )
...
* fixing bug in BBR rule folder location
* fixed export rules missing BBR rules
* adjusted directory loading
* Update tests/test_all_rules.py
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
2023-12-19 15:36:45 -05:00
b32733601a
[Rule Tuning] Linux BBR Tuning ( #3347 )
...
* [Rule Tuning] Linux BBR Tuning
* Update persistence_creation_of_kernel_module.toml
2023-12-19 20:17:53 +01:00
578936d37a
[Security Content] Add Windows Investigation Guides ( #3257 )
...
* [Security Content] Add Windows Investigation Guides
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
2023-12-19 12:38:28 -03:00
2f468ddcba
[Rule Tuning] Windows DR Tuning - 7 ( #3344 )
...
* [Rule Tuning] Windows Rule Tuning -1
* Update command_and_control_ingress_transfer_bits.toml
2023-12-18 14:27:55 -03:00
91a757a018
[Security Content] Add Investigation Guides to Linux C2 Rules ( #3247 )
...
* [Security Content] Add Investigation Guides to Linux C2 Rules
* Applied feedback
2023-12-18 17:02:40 +01:00
203c228249
[Rule Tuning] Adjust Attempt to Deactivate MFA for an Okta User Account Okta Rule ( #3345 )
...
* tuning 'MFA Deactivation with no Re-Activation for Okta User Account'
* adjusted query to include like function
2023-12-18 09:14:10 -05:00
84824c67fd
[Tuning & New Rule] Linux Reverse Shell & DR Tuning ( #3254 )
...
* [Rule Tuning & New Rule] Linux Reverse Shell
* [Tuning & New Rule] Linux Reverse Shells
* Name change
* Update rules/linux/execution_shell_via_child_tcp_utility_linux.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* Update execution_shell_via_child_tcp_utility_linux.toml
* Update execution_shell_via_background_process.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2023-12-18 09:36:21 +01:00
a6c5cfc418
[Rule Tuning] Optimize query for Query Registry using Built-in Tools ( #3330 )
...
* [Rule Tuning] Optimize query for Query Registry using Built-in Tools
* reduce history window to 7d
* use args vs command_line wildcards
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2023-12-14 19:55:36 -07:00
4b183be124
[Tuning] Suspicious Script Object Execution ( #3339 )
...
* Update defense_evasion_suspicious_scrobj_load.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-12-14 16:49:54 -07:00
07b952b7bc
[Tuning] Remote Scheduled Task Creation ( #3337 )
...
* Update non-ecs-schema.json
* add timestamp override
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-12-14 16:39:52 -07:00
aff7f37b92
[Rule Tuning] Optimize query for Installation of Custom Shim Databases ( #3331 )
...
* [Rule Tuning] Optimize query for Installation of Custom Shim Databases
* add timestamp override
* update query exceptions
* tighten endpoint index pattern to registry
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-12-14 15:04:08 -07:00
a7b9a61942
[Rule Tuning] Optimize query for Direct Outbound SMB Connection ( #3329 )
...
* [Rule Tuning] Optimize query for Direct Outbound SMB Connection
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-12-14 11:21:46 -07:00
8b2aed4fc0
[Tuning] Suspicious Managed Code Hosting Process ( #3338 )
...
* Update defense_evasion_suspicious_managedcode_host_process.toml
* Update defense_evasion_suspicious_managedcode_host_process.toml
2023-12-14 17:51:35 +00:00
727c23e3d2
[Tuning] Multiple Logon Failure Followed by Logon Success ( #3340 )
...
* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
2023-12-14 17:41:06 +00:00
7a4f1224dc
[Rule Tuning] Account Password Reset Remotely ( #3335 )
...
* [Rule Tuning] Account Password Reset Remotely
- reduced maxspan from 5 to 1m (automated pwd reset)
- excluded most common noisy winlog.event_data.TargetUserName patterns (service account dedicated for pwd reset en masse)
* Update persistence_remote_password_reset.toml
2023-12-14 17:22:19 +00:00
9a9f5437f2
Update Advanced Analytics config guides ( #3302 )
...
* Updating config guides for Advanced Analytics rules
* More updates
* Update setup instructions for LMD
* Adding more guides
* update TestRuleTiming unit test to ignore advanced analytic rules
* fixed flake error
* Moving config guides under setup instead of note
* Removing leading and trailing whitespace
* Updates as requested by PM
* Updating related integrations, minor updates to setup guides
* fixing unit tests to ignore analytic packages with multiple integration tags
* Update tests/test_all_rules.py
* fixing linting errors
---------
Co-authored-by: Kirti Kirti <kirti.kirti@elastic.co >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-12-13 07:53:41 -08:00
a39a52360a
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 ( #3319 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-12-12 13:23:14 -05:00
631f8841ad
updating min-stack for Okta rule ( #3318 )
2023-12-12 12:27:18 -05:00
93d71acb91
[New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset ( #3265 )
...
* adding new rule 'Stolen Credentials Used to Login to Okta Account After MFA Reset'
* updated non-ecs; linted rule; updated description
* adjusted interval and maxspan
* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-12 10:31:45 -05:00
6f4c323929
[Rule Tuning] Windows DR Tuning - 6 ( #3246 )
...
* [Rule Tuning] Windows DR Tuning - 6
* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml
* Update defense_evasion_network_connection_from_windows_binary.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-12-12 11:37:54 -03:00
90a2043bc4
[FR] 8.12 Release Preparation update Main Branch to 8.13 ( #3313 )
...
* 8.12 Release Prep update Main Branch to 8.13
* Fix typo in integrations
* Updated Schemas
2023-12-11 14:58:06 -05:00
face95058f
[Bug] Use integration schemas for required_field types ( #3303 )
2023-12-11 11:32:38 -06:00
6c614eb102
[Security Content] Add Investigation Guides to Linux Persistence Rules - 1 ( #3288 )
...
* [Security Content] Add IGs to Persistence Rules
* Cleaned query
* IG description fix
* Added related rules
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-12-11 13:53:06 +01:00
10f00a3f88
Create new_meta.md ( #3305 )
...
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-12-08 14:39:02 -06:00
7514c0a206
[FR] Add Support for ES|QL Rule Type and Remote Validation ( #3281 )
...
* add suuport for esql type
* add unit tests
* set clients in RemoteConnector from auth methods
* thread remote rules; add engine test
* Add versions to remote validation results
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-12-08 12:46:28 -07:00
aeb1f91320
[Security Content] Introduce Investigate Plugin in Investigation Guides ( #3080 )
...
* [Security Content] Introduce Investigate Plugin in Investigation Guides
* Add compatibility note
* Update Transform format
* update transform unit tests for investigate
* updated docs with transform
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-12-08 11:54:40 -07:00
eb7c5f6717
[Security Content] Add Windows Investigation Guides ( #3095 )
...
* [Security Content] Add Windows Investigation Guides
* Update defense_evasion_rundll32_no_arguments.toml
* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml
* Update privilege_escalation_posh_token_impersonation.toml
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update execution_ms_office_written_file.toml
* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml
* Update rules/windows/defense_evasion_rundll32_no_arguments.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_registry_modification.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_registry_modification.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/execution_ms_office_written_file.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_via_wmi_stdregprov_run_services.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update privilege_escalation_posh_token_impersonation.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
2023-12-08 11:31:16 -03:00
840958d117
[New Rule] Suspicious File Creation via Kworker ( #3237 )
...
* [New Rule] Suspicious File Creation via Kworker
* Update rules/linux/persistence_kworker_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-07 23:02:00 +01:00
490fa0e1d2
[New Rule] Out-Of-Tree Kernel Module Load ( #3233 )
...
* [New Rule] Out-Of-Tree Kernel Module Load
* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml
* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-07 22:53:21 +01:00
07b1cab919
[New BBR] Pot. Persistence Through Systemd-udevd ( #3235 )
...
* [New BBR] Persistence Through Systemd-udevd
* Formatting change
* Update rules_building_block/persistence_udev_rule_creation.toml
* Update rules_building_block/persistence_udev_rule_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules_building_block/persistence_udev_rule_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-07 22:42:29 +01:00
9c61231dc6
[New Rule] UID Elevation from Unknown Executable ( #3239 )
...
* [New Rule] UID Elevation from Unknown Executable
* type change
* bump min stack
* Added additional exclusions
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-07 22:25:01 +01:00
1071b12f00
[New Rule] Suspicious Kworker UID Elevation ( #3238 )
...
* [New Rule] Suspicious Kworker UID Elevation
* Update privilege_escalation_kworker_uid_elevation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-12-07 20:59:07 +01:00
7070eb3b34
[New] Rare SMB Connection to the Internet ( #3300 )
...
* Create exfiltration_smb_rare_destination.toml
* Update exfiltration_smb_rare_destination.toml
* Update exfiltration_smb_rare_destination.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-07 13:10:20 -03:00
1647a16fab
[Rule Tuning] UEBA new_terms process_executable ( #3268 )
...
* [Rule Tuning] UEBA new_terms process_executable
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-07 16:38:08 +01:00
38862b89e9
[Tuning] Small Linux DR Tuning ( #3287 )
2023-12-07 12:45:24 +01:00
7488c60090
[New] Process Created with a Duplicated Token ( #3152 )
...
* [New] Process Created with a Duplicated Token
using `process.Ext.effective_parent.executable` to detect impersonation using token duplicates from windows native binaries to run common lolbins or recently dropped unsigned ones :
* Update privilege_escalation_create_process_with_token_unpriv.toml
* Update privilege_escalation_create_process_with_token_unpriv.toml
* Update rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update privilege_escalation_create_process_with_token_unpriv.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-12-07 08:20:30 -03:00
a4ad0b6a24
Fix syntax error in query ( #3285 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-07 07:49:18 -03:00
Jonhnathan