security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,834 Commits 1 Branch 0 Tags
724e34ba95ffb48d13e18a91c547800986164572
Commit Graph

40 Commits

Author SHA1 Message Date
Samirbous 07b952b7bc [Tuning] Remote Scheduled Task Creation (#3337) 
* Update non-ecs-schema.json
* add timestamp override

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-12-14 16:39:52 -07:00
Terrance DeJesus 93d71acb91 [New Rule] Adding Detection for Stolen Credentials Used to Login to Okta Account After MFA Reset (#3265) 
* adding new rule 'Stolen Credentials Used to Login to Okta Account After MFA Reset'

* updated non-ecs; linted rule; updated description

* adjusted interval and maxspan

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/integrations/okta/persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-12-12 10:31:45 -05:00
Ruben Groenewoud 4cdf52129a [Tuning] Windows Discovery Rule Tuning for UEBA (#3097) 
* [Tuning] Win DR Tuning for UEBA

* Need to get used to Windows formatting

* Added additional content

* Updated min stack

* Added additional tuning

* Fixed unit testing for KQL optimization

* Update rules_building_block/discovery_internet_capabilities.toml

* Additional tuning

* Kuery optimization

* Additional tuning

* Additional tuning

* Additional tuning

* Additional tuning

* Unit testing optimization fix

* optimization

* tuning

* Optimization

* Update rules/windows/discovery_privileged_localgroup_membership.toml

* Added feedback

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* added host.id as additional new_terms field

* Reworked a lot.

* kibana.alert.rule.rule_id to non-ecs-schema.json

* Fixed index by adding a dot

* fixed typo

* Added host.os.type:windows for signals

* Added additional tag

* Added Higher-Order Rule tag

* Stripped down signal rules down to two

* revert

* Update rules/windows/discovery_admin_recon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_generic_registry_query.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update discovery_generic_registry_query.toml

* Readded exclusions

* Added trailing wildcards for KQL

* Update discovery_privileged_localgroup_membership.toml

* Update rules_building_block/discovery_signal_unusual_user_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Formatting fix

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-10-11 09:43:26 +02:00
Jonhnathan af99186992 [New Rule] New BBR Rules - Part 3 (#3034) 
* [New Rule] New BBR Rules - Part 3

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-09-12 21:28:01 -03:00
Jonhnathan 6d7df50d78 [New Rule] Suspicious WMI Event Subscription Created (#1860) 
* Suspicious WMI Event Subscription Initial rule

* Use EQL sequence

* Update non-ecs-schema

* Update persistence_sysmon_wmi_event_subscription.toml

* update description

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* update query too look for even code 21 only

* update to case sensitive compare

* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update persistence_sysmon_wmi_event_subscription.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-08-29 16:42:19 -03:00
Jonhnathan 9144dc0448 [New Rule] Building Block Rules - Part 2 (#2923) 
* [New Rule] Building Block Rules - Part 2

* .

* Update rules_building_block/defense_evasion_dll_hijack.toml

* Update rules_building_block/defense_evasion_file_permission_modification.toml

* Update rules_building_block/discovery_posh_password_policy.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-08-17 13:00:50 -03:00
Ruben Groenewoud b330cf9438 [New Rule] Pspy Process Monitoring Detected (#2945) 
* [New Rule] Pspy Process Monitoring Detected

* Update rules/linux/discovery_pspy_process_monitoring_detected.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_pspy_process_monitoring_detected.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_pspy_process_monitoring_detected.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-26 15:58:33 +02:00
Terrance DeJesus 73970eb2f2 [FR] Add Support for Multi-Fields and Validation in Rules (#2882) 2023-06-28 20:35:33 -04:00
Jonhnathan 90c79a8283 [Proposal] Break Threat Intel Indicator Match rules into Indicator-type rules (#2777) 
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules

* .

* Update threat_intel_indicator_match_hash.toml

* Update to include expiring rules, exclude expiring indexes

* .

* Apply suggestions from code review

* Push changes

* Update pyproject.toml

* Revert "Update pyproject.toml"

This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.

* Update pyproject.toml

* Update integration-schemas.json.gz

* Revert "Update integration-schemas.json.gz"

This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.

* Revert integrations-manifests to the one from main

* Fix maturity

* Update Name

* Update ignore_ids with the indicator rules guid

* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml

* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml

* Make changes to use labels

* Update non-ecs-schema.json

* Update rules/cross-platform/threat_intel_fleet_integrations.toml

* Apply suggestions from code review

* Backport to 8.5

* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators

* Update threat_intel_indicator_match_hash.toml

* Update threat_intel_indicator_match_url.toml

* Update threat_intel_indicator_match_url.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-06-28 10:22:24 -03:00
Terrance DeJesus d5350ae6e0 [New Rule] Commonly Abused Remote Access Tool Downloaded (New Terms) (#2685) 
* adding initial rule

* changed new terms to host.id

* removed windows integration tag

* removed windows integration tag

* changed rule to be process started related

* rule linted

* updating description

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

* added process.name.caseless to non-ecs.json

* removed host type related to #2761

* added host.os.type

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-05-02 23:09:17 -04:00
Terrance DeJesus d6f277e379 [New Rule] Google Workspace New OAuth Login from Third-Party Application (#2677) 
* adding new rule 'Google Workspace New OAuth Login from Custom Application'

* changed name and 'custom' to 'third-party'

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml

* Update rules/integrations/google_workspace/defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml

* updated non-ecs
 2023-04-12 09:40:31 -04:00
Terrance DeJesus 4511ab0666 [Rule Tuning] Add Sequence for OAuth Authorization to Custom App - Google Workspace (#2674) 
* tuning rule to add token sequence

* updated date

* updated non-ecs, integration schemas and manifests

* added investigation guide

* Updating note

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* updating note

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* updated false positive description

* updating manifest and schemas with main to resolve conflicts

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-04-12 09:15:58 -04:00
Samirbous 51d50b7d8a [New Rule] Lsass Process Access - Generic (#2613) 
* Create credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

* Update credential_access_lsass_openprocess_api.toml

* Update non-ecs-schema.json

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_openprocess_api.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update credential_access_lsass_openprocess_api.toml

* Update non-ecs-schema.json

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-04-03 14:34:30 +01:00
Terrance DeJesus 76500f0d46 [New Rule] Google Workspace Drive - Encryption Key(s) Accessed from Anonymous User (#2654) 
* new rule 'Google Workspace Drive Encryption Key(s) Accessed from Anonymous User'

* updated MITRE ATT&CK mappings
 2023-03-24 12:21:56 -04:00
Terrance DeJesus 7be5788945 [New Rule] Google Workspace Resource Copied from External Drive (#2627) 
* added new rule 'Google Workspace Resource Copied from External Drive'

* adjusted mitre att&ck subtechnique ID
 2023-03-20 14:37:58 -04:00
Mika Ayenson 51b7df8613 Check integrations cross major versions for older release support (#2520) 2023-02-02 18:17:02 -05:00
Samirbous b8dcc6ab4b [New Rules] C2 via BITS and CertReq (#2466) 
* Create command_and_control_certreq_postdata.toml

* Update command_and_control_certreq_postdata.toml

* Update command_and_control_certreq_postdata.toml

* Create command_and_control_ingress_transfer_bits.toml

* Update non-ecs-schema.json

* Update command_and_control_certreq_postdata.toml

* Update command_and_control_ingress_transfer_bits.toml

* Update rules/windows/command_and_control_certreq_postdata.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-01-27 20:17:36 +00:00
Samirbous 1c6e5a3448 [New Rule] Suspicious Inter-Process Communication via Outlook (#2458) 
* Create collection_email_outlook_mailbox_via_com.toml

* Update non-ecs-schema.json

* Update rules/windows/collection_email_outlook_mailbox_via_com.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_email_outlook_mailbox_via_com.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/collection_email_outlook_mailbox_via_com.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-25 17:44:32 +00:00
Samirbous 1a5e64ce13 [New Rule] T1543.003 - Unsigned DLL Loaded by Svchost (#2477) 
* Create persistence_service_dll_unsigned.toml

* Update non-ecs-schema.json

* Update persistence_service_dll_unsigned.toml

* Update rules/windows/persistence_service_dll_unsigned.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update detection_rules/etc/non-ecs-schema.json

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update persistence_service_dll_unsigned.toml

* Update persistence_service_dll_unsigned.toml

* Update non-ecs-schema.json

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-25 17:11:38 +00:00
Samirbous bcd8ef15ba [New Rule] Unsigned DLL Side-Loading from a Suspicious Folder (#2409) 
* Create defense_evasion_unsigned_dll_loaded_from_suspdir.toml

* Update non-ecs-schema.json

* Update defense_evasion_unsigned_dll_loaded_from_suspdir.toml

* Update rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-01-25 13:23:20 +00:00
Jonhnathan 9f6a54e645 [Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host (#2423) 
* [Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host

* Update non-ecs-schema.json

* Remove duplicated value on non-ecs-schema.json

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-12-16 16:05:18 -03:00
Jonhnathan a7caa4baf3 [New Rule] Multiple Alerts in Different ATT&CK Tactics on a Single Host (#2399) 
* [New Rule] Multiple Alerts in Different ATT&CK Tactics on a Single Host

* Update definitions.py

* Update rules/cross-platform/multiple_alerts_different_tactics_host.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-11-18 17:38:27 -03:00
Samirbous b1ddfb11d4 [New Rule] Windows Services - winlog (#2280) 
* [New Rule] Windows Services - winlog

https://github.com/elastic/detection-rules/issues/2164 (T1543.003 - Windows Service)

- remote windows service (4624,4697)
- suspicious windows service imagepath (7045, 4697) : cmd, powershell etc.

* added winlog.logon.type (keyword)

* Update non-ecs-schema.json

* Update persistence_service_windows_service_winlog.toml

* Update non-ecs-schema.json

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-11-16 10:08:02 +00:00
Samirbous b0156181e7 [New Rules] T1134 Access Token Manipulation (#2373) 
* New Rules] T1134 Access Token Manipulation

3 rules (2 compatible only with Elastic endpoint) and 1 generic one using winlogs.

* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml

* fix ruleid

* Update privilege_escalation_via_token_theft.toml

* timestamp_override = "event.ingested"

* Update non-ecs-schema.json

* linted

* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml

* Update non-ecs-schema.json

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-11-15 19:50:47 +00:00
Samirbous 0bf7dd15a5 [New Rules] CredAccess via LDAP Attributes (#2391) 
* Create credential_access_ldap_attributes.toml

* Create privilege_escalation_credroaming_ldap.toml

* Update non-ecs-schema.json

* Update privilege_escalation_credroaming_ldap.toml

just deleted the extra 'to'

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2022-11-15 15:55:01 +00:00
Isai 78d6093176 [New Rule] Kubernetes Container Created with Excessive Linux Capabilites (#2313) 
* [New Rule] Kubernetes Container Created with Excessive Linux Capabilites

This rule detects a container deployed with one or more dangerously permissive Linux capabilities. Using the Linux capabilities feature you can grant certain privileges to a process without granting all the privileges of the root user. Added capabilities entitle containers in a pod with additional privileges that can be used to change core processes and networking settings of a cluster. An attacker with the ability to deploy a container with added capabilities could use this for further execution, lateral movement, or privilege escalation within a cluster or the host machine. This rule detects the following capabilities and leaves space for the exception of trusted permissive containers specific to your environment:

BPF - Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more.

DAC_READ_SEARCH - Bypass file read permission checks and directory read and execute permission checks.

NET_ADMIN - Perform various network-related operations.

SYS_ADMIN - Perform a range of system administration operations.

SYS_BOOT - Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.

SYS_MODULE - Load and unload kernel modules.

SYS_PTRACE - Trace arbitrary processes using ptrace(2).

SYS_RAWIO - Perform I/O port operations (iopl(2) and ioperm(2)).

SYSLOG - Perform privileged syslog(2) operations.

* Update privilege_escalation_container_created_with_excessive_linux_capabilities.toml

Edited description, false positives, and elaborated with a partial investigation guide.

* Update privilege_escalation_container_created_with_excessive_linux_capabilities.toml

added exception to rule query

* Update privilege_escalation_container_created_with_excessive_linux_capabilities.toml

add Execution.Deploy Container Tactic.Technique
 2022-10-04 17:28:03 -04:00
Isai 701c8a0e22 Rule Changes (#2337) 
K8s Rule Changes
 2022-10-04 16:56:45 -04:00
Mika Ayenson ca0e4ac72a [Bug] Remove duplicate key in non-ecs-schema (#2319) 2022-09-21 18:03:08 -04:00
Samirbous acdfe5ddab [New Rule] Process Creation via Secondary Logon (#2282) 
* [New Rule] Process Creation via Secondary Logon

https://github.com/elastic/detection-rules/issues/2164

Create process using alternate creds (i.g. runas) :

* Update privilege_escalation_create_process_as_different_user.toml

* Update privilege_escalation_create_process_as_different_user.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-09-19 13:04:08 -05:00
Isai 963d01ba89 [New Rule] Kubernetes Suspicious Assignment of Controller Service Account (#2298) 
* [New Rule] Kubernetes Suspicious Assignment of Controller Service Account

Issues
--
#2034

Summary
--
This rule detects a request to attach a controller service account to an existing or new pod running in the kube-system namespace. By default, controllers running as part of the API Server utilize admin-equivalent service accounts hosted in the kube-system namespace. Controller service accounts aren't normally assigned to running pods and could indicate adversary behavior within the cluster. An attacker that can create or modify pods or pod controllers in the kube-system namespace, can assign one of these admin-equivalent service accounts to a pod and abuse their powerful token to escalate privileges and gain complete cluster control.

* Update privilege_escalation_suspicious_assignment_of_controller_service_account.toml

updated query after testing

* Update non-ecs-schema.json

added new field used in query update

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-09-19 13:35:37 -04:00
Isai a9364beef9 [New Rule] Kubernetes Denied Service Account Request (#2299) 
* [New Rule] Kubernetes Denied Service Account Request

## Issue
#2040

## Summary
This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.

* Update discovery_denied_service_account_request.toml

updated the query after testing to reduce false positives

* Update rules/integrations/kubernetes/discovery_denied_service_account_request.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-09-19 13:22:20 -04:00
Samirbous 99dcfe2055 [New Rule] Multiple Vault Web credentials were read (#2281) 
* [New Rule] Multiple Vault Web credentials were read

https://github.com/elastic/detection-rules/issues/2164

* Update credential_access_saved_creds_vault_winlog.toml

* Update non-ecs-schema.json

* Update rules/windows/credential_access_saved_creds_vault_winlog.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-09-19 19:07:05 +02:00
Samirbous 4609a5e8fe [New Rule] Scheduled Task Creation using winlog (#2277) 
* [New Rule] Scheduled Task Creation using winlog

https://github.com/elastic/detection-rules/issues/2164 (T1053.005 - Scheduled Task)

- A scheduled task was created
- A scheduled task was updated
- Temp scheduled task (creation followed by deletion, rare and can be sign of proxy execution via schedule service)

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* toml-lint

* remote task

* Update non-ecs-schema.json

* waaaaaaaaaaaaaa

* Update persistence_scheduled_task_updated.toml

* Update persistence_scheduled_task_creation_winlog.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update lateral_movement_remote_task_creation_winlog.toml

* event.ingested

* Update lateral_movement_remote_task_creation_winlog.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update defense_evasion_persistence_temp_scheduled_task.toml

* Update rules/windows/lateral_movement_remote_task_creation_winlog.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-09-19 18:50:45 +02:00
Samirbous fc8ec668b1 [New Rule] Brute Force Detection - Windows (#2275) 
* [New Rule] Brute Force Detection - Windows

https://github.com/elastic/detection-rules/issues/2164 (T1110 - Brute Force)

- multiple logon failure from same source address in 10s maxspan
- 5 logon failure followed by success from same source address in 5s maxspan

* non ecs

* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml

* fix error

* added bruteforce admin account and linted tomls

* Update credential_access_bruteforce_admin_account.toml

* Update rules/windows/credential_access_bruteforce_admin_account.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* related_rules

* 4625_errorcode_notes

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-09-19 18:43:28 +02:00
Samirbous b15f0de9a4 [Rules Tuning] Diverse Windows Rules - FPs reduction (#2213) 
* [Rules Tuning] 7 diverse Windows rules

Excluding FP patterns while avoiding breaking compat with winlogbeat and 4688 events lack of codesign metadata.

* Update initial_access_suspicious_ms_exchange_process.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update execution_psexec_lateral_movement_command.toml

* Update persistence_remote_password_reset.toml

* Update non-ecs-schema.json

* Update persistence_remote_password_reset.toml

* Update non-ecs-schema.json

* Update discovery_privileged_localgroup_membership.toml
 2022-08-02 18:37:07 +02:00
Isai c1486407aa [New Rule] Kubernetes Pod Created with Sensitive hostPath Volume (#2094) 
* [New Rule] Kubernetes Pod Created with Sensitive hostPath Volume

created new rule toml and updated non-ecs-schema with k8s fields

* Update rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2022-07-28 13:09:26 -04:00
Samirbous d312f49117 [New Rule] Suspicious HTML File Creation (#2068) 
* [New Rule] Suspicious HTML File Creation

* Update initial_access_evasion_suspicious_htm_file_creation.toml

* Update non-ecs-schema.json

* Update initial_access_evasion_suspicious_htm_file_creation.toml

* Update rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2022-07-22 16:21:53 +02:00
Isai 63fda01fdd [New Rule] Kubernetes execution_user_exec_to_pod (#1979) 
* Create execution_user_exec_to_pod.toml

* Update execution_user_exec_to_pod.toml

* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml

* Update non-ecs-schema.json

* Update execution_user_exec_to_pod.toml

* Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update execution_user_exec_to_pod.toml

* Update execution_user_exec_to_pod.toml

* Update execution_user_exec_to_pod.toml

* toml-linted file and add to false positive

toml-linted the file and added to the false positive description

* Create notepad.sct

Added this back into the repo, deleted by mistake.

* added min_stack_version based on integration

min stack version determined by integration support of necessary fields

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2022-06-09 17:52:45 -04:00
Samirbous 19ff825a91 [New rule] Remote Computer Account DnsHostName Update (#1962) 
* [New rule] Remote Computer Account DnsHostName Update

Identifies remote update to a computer account DnsHostName attribute, if the new value is set a valid domain controller DNS hostname and the subject computer name is not a domain controller then it's high likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges :

* added MS ref url

* Update rules/windows/privilege_escalation_suspicious_dnshostname_update.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/privilege_escalation_suspicious_dnshostname_update.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2022-05-11 19:40:34 +02:00
Mika Ayenson 6219fc06b9 Move etc under detection_rules (#1885) 
* Move etc directory under detection_rules
* Prepend original `etc` path with `detection_rules`
* Update docstrings in util and CODEOWNERS
* Add resiliency to tags to account for the old directory structure
* Bug fix: remove unused param caused by commit 6ed1a39efe

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-05-02 10:11:21 -04:00