85b72256c2
[New Rule] Potential Shadow Credentials added to AD Object ( #1729 )
...
* Potential Shadow Credentials added to AD Object Initial Rule
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update credential_access_shadow_credentials.toml
* Add AD tag
* Update credential_access_shadow_credentials.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-04 15:49:04 -03:00
7dac52f1cf
[New Rule] PowerShell Script Block Logging Disabled ( #1749 )
...
* PowerShell Script Block Logging Disabled
* Update rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update defense_evasion_disable_posh_scriptblocklogging.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-04 15:44:27 -03:00
40095d95bf
Update credential_access_mod_wdigest_security_provider.toml ( #1751 )
2022-02-04 15:38:12 -03:00
9ce5d0b92a
[New Rule] AdminSDHolder Backdoor ( #1745 )
...
* AdminSDHolder Backdoor
* Update rules/windows/persistence_ad_adminsdholder.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-01 10:14:39 -03:00
d949fefe0c
[New Rule] KRBTGT Delegation Backdoor ( #1743 )
...
* KRBTGT Delegation Backdoor
* Update persistence_msds_alloweddelegateto_krbtgt.toml
* Update non-ecs-schema.json
* Update rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* refresh rule_id with new uuid
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-01 10:08:54 -03:00
2828633919
[Bug] Fix AttributeError in RuleCollection dupe check ( #1747 )
2022-01-31 15:57:46 -09:00
26d5bad914
[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation ( #1741 )
...
* Update persistence_exchange_suspicious_mailbox_right_delegation.toml
* fix year
2022-01-31 21:02:02 -03:00
6e3f4b2824
[New Rule] Kerberos Preauthentication Disabled for User ( #1717 )
...
* Initial "Kerberos Preauthentication Disabled for User" Rule
* Update credential_access_disable_kerberos_preauth.toml
* Update credential_access_disable_kerberos_preauth.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Add config directives
* Update rules/windows/credential_access_disable_kerberos_preauth.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-01-31 12:31:20 -03:00
25ec71579d
[New Rule] SeEnableDelegationPrivilege assigned to User ( #1737 )
...
* SeEnableDelegationPrivilege assigned to User
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Fix logging policy name
* Update rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* lint
* Update credential_access_seenabledelegationprivilege_assigned_to_user.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-01-31 12:22:54 -03:00
72c64de3f5
[Rule tuning] Update rules based on docs review ( #1663 )
...
* [Rule tuning] Update rule verbiage based on docs review
* fix typos
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* revert TI rule changes since it was deprecated
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-01-28 10:41:22 -09:00
87c7210aab
[Rule Tuning] Change default time query for rounding days ( #1713 )
...
* Change default time query for rounding days
* Udpate date
* Revert rule updated_data
* Restore threat_query
2022-01-28 10:34:14 -09:00
edd0df5e1a
[New Rule] PowerShell Kerberos Ticket Request ( #1715 )
...
* PowerShell Kerberos Ticket Request Initial Rule
* bump date
2022-01-27 16:36:02 -03:00
189c2b152c
[New Rule] Email Reported by User as Malware or Phish ( #1699 )
...
* Email Reported by User as Malware or Phish Initial Rule
* Update initial_access_o365_user_reported_phish_malware.toml
* Update rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-01-27 16:30:46 -03:00
b6cbdbd416
[New Rule] MS Office Macro Security Registry Modifications ( #1696 )
...
* "MS Office Macro Security Registry Modifications" Initial Rule
* Update rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-01-27 16:24:41 -03:00
f7bc13b437
[New Rule] OneDrive Malware File Upload ( #1693 )
...
* "OneDrive Malware File Upload" Initial Rule
* bump severity
2022-01-27 16:19:16 -03:00
1676844640
[New Rule] SharePoint Malware File Upload ( #1691 )
...
* "SharePoint Malware File Upload" Initial Rule
* s/onedrive/sharepoint
* bump severity
2022-01-27 16:12:17 -03:00
26fb8e83a5
[New Rule] Potential Privileged Escalation via SamAccountName Spoofing ( #1660 )
...
* [New Rule] Potential Privileged Escalation via SamAccountName Spoofing
Identifies a suspicious computer account name rename event, this may indicate an attempt to exploit CVE-2021-42278 to elevated privileges from standard domain user to domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.
https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
https://github.com/cube0x0/noPac
EQL
```
iam where event.action == "renamed-user-account" and
/* machine account name renamed to user like account name */
winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
```
* Create privilege_escalation_samaccountname_spoofing_attack.toml
* Update non-ecs-schema.json
* extra ref
* toml linted
* ref for MS kb5008102
* more ref
* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update non-ecs-schema.json
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-01-27 15:46:27 +01:00
14252d45ee
[New Rule] Global Administrator Role Assigned ( #1686 )
...
* Initial Global Administrator Role Assigned Rules
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-01-27 09:53:02 -03:00
7e4325dd7a
Create credential_access_mfa_push_brute_force.toml ( #1682 )
2022-01-27 09:37:49 -03:00
38ae64f729
[Rule Tuning] GCP Kubernetes Rolebindings Created or Patched ( #1718 )
...
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
* Update rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-01-27 09:31:51 -03:00
1699f50beb
Update credential_access_suspicious_lsass_access_memdump.toml ( #1714 )
2022-01-27 09:28:16 -03:00
4ac824192f
Update source.ip condition ( #1712 )
2022-01-27 09:24:55 -03:00
0a23d820c9
[Rule Tuning] Fix event.outcome condition on O365 failed logon related rules ( #1687 )
...
* Tune rule query
* Update credential_access_microsoft_365_potential_password_spraying_attack.toml
* Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
* Revert "Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml"
This reverts commit 5a50aeeff6f1bb23bfeccdc6845e04eb7ccaea43.
2022-01-27 09:22:42 -03:00
50c7d5f262
[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created ( #1683 )
...
* Inbox Rule Tuning
* Add RedirectTo
* Update non-ecs-schema.json
2022-01-27 09:20:49 -03:00
fdeb8cb1de
[Rule Tuning] Azure Virtual Network Device Modified or Deleted ( #1679 )
...
* Update impact_virtual_network_device_modified.toml
* Change case
2022-01-27 09:15:22 -03:00
b9edc5464e
[New Rule] Potential Privilege Escalation via PKEXEC ( #1727 )
...
* [New Rule] Potential Privilege Escalation via PKEXEC
Identifies attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user :
* Update privilege_escalation_pkexec_envar_hijack.toml
* removed = sign
2022-01-27 10:41:40 +01:00
1f216d12aa
Autogenerate docs for integration package releases ( #1567 )
...
* Autogenerate docs for integration package releases
* add parameter to bypass query validation in git loader
* strip space and - from normalized name
2022-01-26 21:19:03 -09:00
e26374cb40
Update base branch in integrations-pr command ( #1733 )
2022-01-26 20:52:24 -09:00
30f5d62bf5
Update tests to account for non-backported deprecations ( #1735 )
...
* Update tests to account for non-backported deprecations
* remove comment spacing
2022-01-26 20:40:15 -09:00
179ebb5bdb
Add pyproject.toml and setup.cfg ( #1672 )
...
* add pyproject.toml
* add setup.cfg
2022-01-26 14:13:49 -09:00
e42fee2d84
Lock versions for releases: 7.13,7.14,7.15,7.16,8.0 ( #1732 )
...
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2022-01-26 13:54:18 -09:00
84d55c829d
Revert "[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix ( #1649 )" ( #1731 )
...
This reverts commit 625d1df2bf
2022-01-26 11:41:12 -09:00
f7d93e20d4
fix bug in yaml parsing for github workflows ( #1725 )
...
* fix bug in yaml parsing for github workflows
* fix kibana version
2022-01-25 18:56:29 -09:00
2e78da5c9a
Prepare for creation of 8.1 branch ( #1700 )
2022-01-25 18:11:59 -09:00
b6d1c1476b
[Rule Tuning] Update Google Workspace rules to remove compatibility with deprecated gsuite integration ( #1706 )
...
* Adjust queries and min_stack_version
* Update reference to the filebeat module
* adjust min_stack_version
2022-01-25 16:51:20 -09:00
9c43151da4
[Deprecate Rule] Threat Intel Filebeat Module (v7.x) Indicator Match ( #1703 )
2022-01-25 16:46:49 -09:00
d753ecb8d8
Add pattern for "name" in rule schema ( #1669 )
2022-01-25 12:03:27 -09:00
b564fa13fb
MacOS FolderActionScripts Process List Update ( #1723 )
...
* update and expand process list
* fix query
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-01-25 14:27:27 -06:00
cfd4d431dd
MacOS Launch Daemon Creation Rule - Query Fix ( #1722 )
...
* launch daemon creation syntax fix
* change updated date
2022-01-25 12:47:51 -06:00
95e3b87faf
[New Rule] Startup/Logon Script added to Group Policy Object ( #1607 )
...
* "Startup/Logon Script added to Group Policy Object" Initial Rule
* Change severity
* nest non-ecs schema and move logs-system to winlogbeat
* format query and remove quotes
* Update rules/windows/privilege_escalation_group_policy_iniscript.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Add rule_ids and false_positives instance
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2022-01-20 09:11:23 -03:00
49854aaae2
[Rule Tuning] Add Investigation Guides, Config/Logging Policy to PowerShell merged rules ( #1610 )
...
* Add Investigation Guide and config to Suspicious Portable Executable Encoded in Powershell Script
* Add Investigation Guide and config to "PowerShell Suspicious Discovery Related Windows API Functions" rule
* Add Investigation Guide and Config to "PowerShell MiniDump Script" rule
* Add logging policy reference
* Add Investigation Guide/Config to "PowerShell Suspicious Script with Audio Capture Capabilities"
* Add Related Rules GUIDs
* Add Investigation Guide/config for "Potential Process Injection via PowerShell"
* Adjust Response and remediation
* Add Investigation Guide/config for "PowerShell Keylogging Script"
* bump updated_date
* Apply suggestions from Samir
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestions
* Revise line from investigation guides
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-01-20 08:56:53 -03:00
7fa0c0f719
[New Rule] Potential Priivilege Escalation via InstallerFileTakeOver ( #1629 )
...
* Create privilege_escalation_installertakeover.toml
* Update privilege_escalation_installertakeover.toml
* Update privilege_escalation_installertakeover.toml
* Update privilege_escalation_installertakeover.toml
* Update rules/windows/privilege_escalation_installertakeover.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/privilege_escalation_installertakeover.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update description and change OFN from : to ==
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-01-20 08:53:58 -03:00
625d1df2bf
[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix ( #1649 )
...
* Update execution_python_tty_shell.toml
* Update EQL query to sequence
* Remove auditbeat index
* Update rules/linux/execution_python_tty_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-01-20 08:50:30 -03:00
96ada9e223
[New Rule] Azure Suppression Rule Created ( #1666 )
...
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Delete defense_evasion_virtual_network_device_modified.toml
* Moved to correct directory.
* Suppression Rule Created
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-01-20 08:46:24 -03:00
d7116485f3
[New Rule] Group Policy Abuse for Privilege Addition ( #1603 )
...
* "Group Policy Abuse for Privilege Addition" Initial Rule
* Update privilege_escalation_group_policy_privileged_groups.toml
* Add related rules
* fix missing comma
* Update non-ecs-schema.json
* Remove duplicated entries
* update note with code format
* Update rules/windows/privilege_escalation_group_policy_privileged_groups.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-01-20 08:40:52 -03:00
101b781bef
[Rule Tuning] O365 Excessive Single Sign-On Logon Errors ( #1680 )
...
* Change event.category to authentication
The original had the event.category as "web" the correct value is "authentication"
* Changed updated_date to todays date
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-01-20 08:32:30 -03:00
865771886e
[New Rule] Scheduled Task Execution at Scale via GPO ( #1605 )
...
* "Scheduled Task Execution at Scale via GPO" Initial Rule
* Update non-ecs-schema.json
2022-01-19 16:06:48 -09:00
7bbeaf3053
[New Rule] PowerShell PSReflect Script ( #1558 )
2022-01-19 15:31:08 -09:00
6a0164cbd3
[Rule Tuning] Connection to Commonly Abused Web Services ( #1708 )
...
Added Discord domains often abused to stage malicious files.
2022-01-17 14:52:26 -03:00
fd824d1fd5
[New Rule] Microsoft Defender Tampering ( #1575 )
...
* Create defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-01-13 19:50:01 -03:00
Jonhnathan