88f752bf8b
[New] First Time Seen NewCredentials Lgon Process ( #3276 )
...
* Create privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-11-27 18:37:15 +00:00
f53f46efd5
[Rule Tuning] Fix Menasec Expired Links ( #3271 )
2023-11-14 10:18:34 -03:00
a568c56bc1
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform ( #3157 )
2023-10-30 16:53:04 +05:30
1133b3a8a9
[Rule Tuning] Windows DR Tuning - 4 ( #3214 )
...
* [Rule Tuning] Windows DR Tuning - 4
* Update credential_access_remote_sam_secretsdump.toml
2023-10-26 20:58:49 -03:00
3d73427e29
[Rule Tuning] Windows DR Tuning - 3 ( #3212 )
...
* [Rule Tuning] Windows DR Tuning - 3
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_moving_registry_hive_via_smb.toml
2023-10-26 18:58:59 -03:00
efa7c428ea
[Rule Tuning] Windows DR Tuning - 2 ( #3209 )
...
* [Rule Tuning] Windows DR Tuning - 2
* Update rules/windows/credential_access_kerberoasting_unusual_process.toml
* Update credential_access_kerberoasting_unusual_process.toml
* Update command_and_control_teamviewer_remote_file_copy.toml
2023-10-26 18:10:31 -03:00
a5240e4063
[Rule Tuning] Windows DR Tuning - 1 ( #3198 )
...
* [Rule Tuning] Windows DR Tuning - 1
* Update collection_winrar_encryption.toml
2023-10-26 17:20:32 -03:00
6fcf26b20e
[Promote] Potential Masquerading as Communication Apps ( #3181 )
...
* [Promote] Potential Masquerading as Communication Apps
* Update defense_evasion_masquerading_communication_apps.toml
* Update defense_evasion_masquerading_communication_apps.toml
* Update rules/windows/defense_evasion_masquerading_communication_apps.toml
* Update defense_evasion_masquerading_communication_apps.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-10-23 14:56:03 -03:00
a471f6fc60
[Rule Tuning] Potential Privilege Escalation via InstallerFileTakeOver ( #3215 )
...
* [Rule Tuning] Potential Privilege Escalation via InstallerFileTakeOver
* Update privilege_escalation_installertakeover.toml
2023-10-23 14:34:36 -03:00
18ff85ce84
[Promote] Expired or Revoked Driver Loaded ( #3185 )
...
* [Promote] Expired or Revoked Driver Loaded
* Update privilege_escalation_expired_driver_loaded.toml
2023-10-23 11:44:37 -03:00
020fff3aea
[Rule Tuning] Linux Rules ( #3092 )
...
* [Rule Tuning] [WIP] Linux DR
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Fixed tag
* Added additional tuning
* unit test fix
* Additional tuning
* tuning
* added max signals
* Added max_signals=1 to brute force rules
* Cross-Platform Tuning
* Small fix
* new_terms conversion
* typo
* new_terms conversion
* Ransomware rule tuning
* performance tuning
* new_terms conversion for auditd_manager
* tune
* Need coffee
* kql/eql stuff
* formatting improvement
* new_terms sudo hijacking conversion
* exclusion
* Deprecations that were added last tuning
* Deprecations that were added last tuning
* Increased max timespan for brute force rules
* version bump
* added domain tag
* Two tunings
* More tuning
* Additional tuning
* updated_date bump
* query optimization
* Tuning
* Readded the exclusions for this one
* Changed int comparison
* Some tunings
* Update persistence_systemd_scheduled_timer_created.toml
* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"
This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.
* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml
* Update rules/linux/command_and_control_cat_network_activity.toml
* Update persistence_message_of_the_day_execution.toml
* Changed max_signals
* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"
This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.
* Revertable merge
* Update defense_evasion_ld_preload_env_variable_process_injection.toml
* File name change
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-10-23 16:28:58 +02:00
e4e68c2dd8
[Rule Tuning] Potential Masquerading as System32 DLL ( #3184 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-10-17 08:29:08 -03:00
24b0aa5c63
[Tuning] Adjusted Rules for Anti-Evasion ( #3163 )
...
* Update lateral_movement_executable_tool_transfer_smb.toml
* Update lateral_movement_incoming_wmi.toml
* Update lateral_movement_execution_via_file_shares_sequence.toml
* Update lateral_movement_executable_tool_transfer_smb.toml
* Update lateral_movement_execution_via_file_shares_sequence.toml
* Update lateral_movement_executable_tool_transfer_smb.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-10-16 17:56:09 +01:00
f584fb6e31
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules ( #3165 )
...
* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules
* Fix dates
* Fix unit test errors
* updated tags and fixed branch conflicts
updated tags and fixed branch conflicts
* description nit
* Reverting unintended changes
* Update initial_access_suspicious_ms_office_child_process.toml
---------
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com >
2023-10-15 18:12:20 -03:00
3f2a709370
[Rule Tuning] PowerShell Rules Tuning ( #3169 )
2023-10-11 17:57:32 -03:00
c2822e175c
[Tuning] Windows Execution Rule Tuning for UEBA ( #3107 )
...
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Mostly updated Execution tags, also new_terms conv
* removed index
* Removed index
* WMIPrvSE tuning
* Additional tuning
* Tuning & changes
* Additional tuning
* Applied unit test optimization
* Addressed feedback
* Update rules/windows/execution_command_shell_started_by_svchost.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* caseless unit testing fix
* fixed caseless executable unit test
* unit testing fix
* Update rules/windows/execution_suspicious_powershell_imgload.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update execution_ms_office_written_file.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
* Added user ids to new terms
* Update rules/windows/execution_suspicious_powershell_imgload.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules_building_block/execution_unsigned_service_executable.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update execution_unsigned_service_executable.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-10-11 10:15:29 +02:00
4cdf52129a
[Tuning] Windows Discovery Rule Tuning for UEBA ( #3097 )
...
* [Tuning] Win DR Tuning for UEBA
* Need to get used to Windows formatting
* Added additional content
* Updated min stack
* Added additional tuning
* Fixed unit testing for KQL optimization
* Update rules_building_block/discovery_internet_capabilities.toml
* Additional tuning
* Kuery optimization
* Additional tuning
* Additional tuning
* Additional tuning
* Additional tuning
* Unit testing optimization fix
* optimization
* tuning
* Optimization
* Update rules/windows/discovery_privileged_localgroup_membership.toml
* Added feedback
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* added host.id as additional new_terms field
* Reworked a lot.
* kibana.alert.rule.rule_id to non-ecs-schema.json
* Fixed index by adding a dot
* fixed typo
* Added host.os.type:windows for signals
* Added additional tag
* Added Higher-Order Rule tag
* Stripped down signal rules down to two
* revert
* Update rules/windows/discovery_admin_recon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/discovery_generic_registry_query.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update discovery_generic_registry_query.toml
* Readded exclusions
* Added trailing wildcards for KQL
* Update discovery_privileged_localgroup_membership.toml
* Update rules_building_block/discovery_signal_unusual_user_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Formatting fix
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-10-11 09:43:26 +02:00
8d2b730bc5
adjusting minimum stack version for version control ( #3154 )
2023-10-03 13:36:06 -04:00
ccfc931fbd
Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity ( #3091 )
...
* Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity
When dllhost.exe is called with the "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}" argument it is creating an "OOBE Elevated Object Server" as per https://strontic.github.io/xcyclopedia/library/clsid_ca8c87c1-929d-45ba-94db-ef8e6cb346ad.html
Out of the box experience is part of the Windows autopilot and therefore should be legitimate behaviour.
* simplified detection logic by utilising process.parent.args
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-09-13 13:51:07 -03:00
ddb1f75352
[New Rule] New BBR Rules - Part 2 ( #3029 )
...
* [New Rule] New BBR Rules - Part 2
* Update discovery_generic_account_groups.toml
* Update discovery_generic_account_groups.toml
* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/execution_downloaded_shortcut_files.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules_building_block/defense_evasion_unusual_process_extension.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update defense_evasion_unusual_process_extension.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-09-12 21:49:22 -03:00
af99186992
[New Rule] New BBR Rules - Part 3 ( #3034 )
...
* [New Rule] New BBR Rules - Part 3
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-09-12 21:28:01 -03:00
3614f42b00
[New Rule] New BBR Rules - Part 5 ( #3052 )
...
* [New Rule] New BBR Rules - Part 5
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Tag work
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-09-05 18:36:34 -03:00
4233fef238
[Security Content] Include "Data Source: Elastic Defend" tag ( #3002 )
...
* win folder
* Other folders
* Update test_all_rules.py
* .
* updated missing elastic defend tags
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-09-05 14:22:01 -04:00
fdd45148b8
[New Rule][BBR] WRITEDAC Access on Active Directory Object ( #3015 )
...
* [New Rule] WRITEDAC Access on Active Directory Object
* Update defense_evasion_write_dac_access.toml
* Fix Setup Instructions
* Update defense_evasion_write_dac_access.toml
* Update rules_building_block/defense_evasion_write_dac_access.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-31 12:59:02 -03:00
41a7a36817
Tune rule for new DLL written to Windows Servicing ( #3062 )
2023-08-30 13:51:23 -03:00
6d7df50d78
[New Rule] Suspicious WMI Event Subscription Created ( #1860 )
...
* Suspicious WMI Event Subscription Initial rule
* Use EQL sequence
* Update non-ecs-schema
* Update persistence_sysmon_wmi_event_subscription.toml
* update description
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* update query too look for even code 21 only
* update to case sensitive compare
* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update persistence_sysmon_wmi_event_subscription.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-08-29 16:42:19 -03:00
7004c99ef5
[New Rule] Unusual Process For MSSQL Service Accounts ( #3040 )
...
* [New Rule] Unusual Process For MSSQL Service Accounts
* Update initial_access_unusual_process_sql_accounts.toml
* Update initial_access_unusual_process_sql_accounts.toml
* Update collection_archive_data_zip_imageload.toml
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
* Update initial_access_unusual_process_sql_accounts.toml
* Update rules_building_block/initial_access_unusual_process_sql_accounts.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
added "vpnbridge.exe", "certutil.exe" and "bitsadmin.exe" to rule scope.
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-08-29 09:10:25 -03:00
22931d6afb
Update credential_access_lsass_openprocess_api.toml ( #3047 )
2023-08-28 16:22:08 +01:00
de32287889
[Rule Tuning] High Number of Process and/or Service Terminations ( #2940 )
2023-08-25 19:19:25 -03:00
2ddcf7817e
[Rule Tuning] Ignore Windows Update MpSigStub.exe for Parent Process PID Spoofing ( #3025 )
...
* adding tuning to ignore windows update
* Update privilege_escalation_via_ppid_spoofing.toml
* Update privilege_escalation_via_ppid_spoofing.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-22 13:04:25 -04:00
0c3b251208
[Rule Tuning] PowerShell Keylogging Script ( #3023 )
2023-08-22 07:45:00 -03:00
5e801b2edf
[Tuning] Improve Performance ( #2953 )
...
* [Tuning] Improve Performance
Remote Computer Account DnsHostName Update : sequence not needed, removed auth event to improve rule execution time.
Potential Remote Credential Access via Registry : removed sequence, since user.id is reported as std user SID (svchost is impersonating a remote user), and reduced file.path to known bad (based on observed TPs)
* Update privilege_escalation_suspicious_dnshostname_update.toml
* ++
* ++
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-21 16:23:34 +01:00
72f15dda6a
[New Rule] PowerShell Kerberos Ticket Dump ( #2967 )
...
* [New Rule] PowerShell Kerberos Ticket Dump
* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml
* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-20 17:29:16 -03:00
b5e011a892
[Rule Tuning] Privileges Elevation via Parent Process PID Spoofing ( #2873 )
...
* Update privilege_escalation_via_ppid_spoofing.toml
* Update privilege_escalation_via_ppid_spoofing.toml
* bump date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-17 13:52:26 -03:00
9144dc0448
[New Rule] Building Block Rules - Part 2 ( #2923 )
...
* [New Rule] Building Block Rules - Part 2
* .
* Update rules_building_block/defense_evasion_dll_hijack.toml
* Update rules_building_block/defense_evasion_file_permission_modification.toml
* Update rules_building_block/discovery_posh_password_policy.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-17 13:00:50 -03:00
96e50be5a6
[Rule Tuning] Potential Masquerading as Communication Apps ( #2997 )
...
* [Rule Tuning] Potential Masquerading as Communication Apps
* Update defense_evasion_masquerading_communication_apps.toml
* Update persistence_run_key_and_startup_broad.toml
* CI
* Revert "CI"
This reverts commit f43d9388dadb158d6cb63e84d2f1edcf2162bfb0.
2023-08-16 09:34:21 -03:00
f500cec497
fixing typo in 127.0.0.1 address ( #3004 )
2023-08-08 17:06:26 +02:00
1e769c51b6
Tune Unusual File Activity ADS for Teams weblogs ( #2929 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-31 10:41:31 -03:00
d0d99829a2
Correct misspelling of AppDara to AppData ( #2952 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-26 08:10:03 -03:00
5e714e01e6
[Security Content] Add Windows Investigation Guides ( #2825 )
...
* [Security Content] Add Windows Investigation Guides
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
* Add IG Tag
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-07-19 08:07:01 -03:00
23a133121d
[Rule Tuning] Add HackTool Keywords to PowerShell Rules ( #2932 )
2023-07-18 08:55:59 -03:00
fca8bcc071
[Rule Tuning] PowerShell Rule Tunings ( #2907 )
...
* [Rule Tuning] PowerShell Rule Tunings
* bump
2023-07-14 15:41:36 -03:00
cd7a52f1b1
[Rule Tuning] Lock Rules with Different Required Fields Related to 8.9.1 Release ( #2895 )
...
* forking rules with version collisions
* Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
* Update rules/windows/credential_access_suspicious_lsass_access_generic.toml
* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
2023-07-06 10:39:20 -04:00
df0a1facd1
[WMI Incoming Lateral Movement] Modify Existing Query Exception ( #2843 )
...
* Tune WMI Incoming Lateral Movement
* Tune WMI Incoming Lateral Movement
* Bump updated_date
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-07-03 17:12:05 -04:00
f78de8c9d4
Add MS Office exceptions to query ( #2836 )
...
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-07-03 16:09:17 -04:00
35ea2727dc
[Suspicious Antimalware Scan Interface DLL] Additional Query Exception for Windows Upgrades ( #2850 )
2023-06-30 18:01:35 -04:00
7aa8a7b5fb
[Rules Tuning] diverse tuning ( #2506 )
...
* Update credential_access_saved_creds_vault_winlog.toml
* Update lateral_movement_powershell_remoting_target.toml
* Update credential_access_saved_creds_vault_winlog.toml
* Update lateral_movement_remote_services.toml
* Update lateral_movement_incoming_winrm_shell_execution.toml
* Update lateral_movement_rdp_enabled_registry.toml
* Update persistence_scheduled_task_updated.toml
* Update persistence_scheduled_task_updated.toml
* Update privilege_escalation_persistence_phantom_dll.toml
* Update privilege_escalation_persistence_phantom_dll.toml
* Update rules/windows/persistence_scheduled_task_updated.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-30 18:57:00 +01:00
d5dddae0ef
[Rule Tuning] Suspicious PowerShell Engine ImageLoad ( #2721 )
...
* [Rule Tuning] Suspicious PowerShell Engine ImageLoad
* Update rules/windows/execution_suspicious_powershell_imgload.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-06-30 10:56:13 -03:00
2a4749d3d0
[New Rule] New Term Rule for USB Devices ( #2644 )
...
* Create
* Update initial_access_first_time_seen_usb_name.toml
* Update rules/windows/initial_access_first_time_seen_usb_name.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/initial_access_first_time_seen_usb_name.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update initial_access_first_time_seen_usb_name.toml
* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-30 10:41:38 -03:00
a7e605a0e5
[Rule Tuning] [BUG] Revert PowerShell Query modifications from #2823 ( #2889 )
...
* Revert query mods done in https://github.com/elastic/detection-rules/pull/2823
* Add exception to unit test
* fixed linting
* proper linting fix
* updated to add to definitions.py
* fix linting
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
2023-06-28 15:55:43 -03:00
Samirbous