Ross Wolf
8ca32f1423
Fix ClientError (NoneType) suffix
2020-11-09 11:08:36 -07:00
Justin Ibarra
3b597bdb72
fix auth args in get_es_client
2020-10-30 09:19:50 -08:00
Justin Ibarra
3827d01a65
fix bugs in es client retrieval
2020-10-29 21:20:49 -08:00
Ross Wolf
7da343e89f
Fix kibana upload command (#425)
2020-10-28 10:16:36 -06:00
Ross Wolf
a0a8d63baf
Merge branch '7.10' into main
2020-10-28 09:40:15 -06:00
Derek Ditch
580db2c13e
Add timeline_id to detection rules (#95)
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
- Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
2020-10-27 13:34:16 -05:00
Justin Ibarra
e71398e2ad
[Bug] Fix Kibana client login to work with 7.10 (#404)
2020-10-26 22:25:48 -08:00
Justin Ibarra
442b31bd2f
Update packages.yml
2020-10-26 12:07:34 -08:00
seth-goodwin
2065af89b1
[Rule Tuning] Tag Categorization Updates (#380)
* Add new categorization tags
* Change updated_date to 2020/10/26
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
2020-10-26 13:50:45 -05:00
Brent Murphy
2e422f7159
[Rule Tuning] Minor Rule Tweaks for 7.10 (#400)
* Tweak Rules for 7.10
* Add endpoint index for packetbeat rules
* update unit test to account for Network tag as well
* update modified date, add endpoint tag
* use Host instead of Endpoint
* Update packaging.py
* add v back to changelog url
* Add "tag" comment to get_markdown_rule_info
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-10-22 09:07:04 -04:00
Justin Ibarra
0a992d716a
[Rule Tuning] Update EQL rules for 7.10 (#399)
* update syntax to reflect eql changes
* use more case-insensitivity
* comment out missing fields for winlogbeat compatibility
2020-10-21 12:35:18 -08:00
Justin Ibarra
fd2d36573d
Update logic in rules using fields: process.code_signature.* or process.pe.original_file_name (#364)
2020-10-20 15:22:02 -08:00
Justin Ibarra
d3226c72c9
Add test for tactic in rule filename (#398)
2020-10-20 14:48:33 -08:00
Stijn Holzhauer
60b3d47efd
Add kibana-upload --space option (#251)
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-10-08 12:21:54 -06:00
Justin Ibarra
758e4a2c5b
Add unit tests for rule tags (#359)
2020-10-07 19:29:19 -08:00
Justin Ibarra
bd680a2bd4
Re-organize commands under more specific click groups (#356)
* Restructure commands under more specific click groups
* standardize CLI error handling
* add global debug options
* move es and kibana clients into their click groups
* move commands and groups to dedicated files
* distinguish variable names for better env/config parsing
2020-10-07 12:15:33 -08:00
Kevin Logan
f34c96f4dc
[Rule Tuning][SECURITY_SOLUTION] rename Endpoint security (#355)
2020-10-05 09:55:15 -08:00
Andrew Pease
0b745c5492
[New Rule] Zoom Meeting with no Passcode (#292)
2020-09-30 21:44:45 -08:00
Justin Ibarra
bf202b6b6c
[New Rule] Initial converted EQL rules (#304)
* 18 converted eql rules (not all prod)
2020-09-30 21:40:55 -08:00
Justin Ibarra
2460333595
[Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351)
2020-09-30 16:16:04 -08:00
Samirbous
d094c76534
[New Rule] Suspicious Zoom ChildProcess (#245)
2020-09-30 15:46:33 -08:00
Andrew Pease
5ba848552a
[New Rule] Post Exploitation Public IP Reconnaissance (#270)
2020-09-30 15:36:22 -08:00
Andrew Pease
e753162fe2
[New Rule] Detecting Unsecure Elasticsearch Nodes (#109)
2020-09-30 15:34:38 -08:00
Andrew Pease
1a260536d4
[New Rule] RAR and PowerShell Downloaded from the Internet (#30)
2020-09-30 15:32:44 -08:00
Andrew Pease
faeac00465
[New Rule] Possible FIN7 Command and Control Behavior (#28)
2020-09-30 15:26:13 -08:00
Andrew Pease
d68e4ac7f0
[New Rule] Hosts File Modified (#25)
2020-09-30 15:24:07 -08:00
Andrew Pease
1620559f1f
[New Rule] Halfbaked C2 Beacon (#23)
2020-09-30 15:21:33 -08:00
Andrew Pease
8caf897a73
[New Rule] Cobalt Strike Beacon (#21)
2020-09-30 14:58:24 -08:00
Justin Ibarra
7c1e9c1ed5
Update package summary extras produced during package generation (#341)
* update summary.txt
* add summary.xlsx
* add changelog entry autogeneration
2020-09-30 14:43:45 -08:00
Brent Murphy
83fb9bdf93
[Rule Tuning] Update event.code to category (#349)
2020-09-30 14:34:58 -08:00
Samirbous
cbf465ba01
[New Rule] Kerberos dump using kcc command (#139)
* [New Rule] Kerberos dump using kcc command
* Delete .gitignore
* Delete vcs.xml
* Delete profiles_settings.xml
* Delete misc.xml
* Delete rules.iml
* Delete modules.xml
* Update credential_access_kerberosdump_kcc.toml
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update credential_access_kerberosdump_kcc.toml
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-30 23:03:44 +02:00
Justin Ibarra
a212008f8c
[Rule Tuning] Remove event.module from rules for compatibility with agent integrations (#342)
2020-09-30 09:41:33 -08:00
Justin Ibarra
aecf355582
Refresh beats schema for validation to 7.9.2 (#347)
2020-09-30 09:35:13 -08:00
shravaka
fa12340ff0
[Bug fix] Add missing parenthesis for -kibana-url
2020-09-30 09:32:43 -06:00
Samirbous
f15d179a50
[New Rule]- Credential Access - Domain DPAPI Backup key (#125)
* new rule - credential access
Domain Backup DPAPI Private Keys Access
* Update credential_access_domain_backup_dpapi_private_keys.toml
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Linted
* added an extra reference
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-29 21:14:07 +02:00
Samirbous
c6519a2474
[New Rule] PrivEsc - Suspicious PrintSpooler FileCreation Activity (#146)
* [New Rule] PrivEsc - Suspicious PrintSpooler FileCreation Activity
Same rule will detect exploitation behavior of CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300
* Update privilege_escalation_printspooler_service_suspicious_file.toml
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Added references and changed file name to extension as it was closed as bug issue by endpoint dev team
* Update privilege_escalation_printspooler_service_suspicious_file.toml
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 21:11:43 +02:00
Samirbous
cccd91bc1a
[New Rule] - Persistence via Update Orchestrator Service Hijack (#152)
* [New Rule] - Persistence via Update Orchestrator Service Hijack
* Update persistence_via_update_orchestrator_service_hijack.toml
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-29 18:53:05 +02:00
Samirbous
3ec2d92b42
[New Rule] - Potential Secure File Deletion using SDelete utility (#162)
* [New Rule] - Potential Secure File Deletion using SDelete utility
* Update defense_evasion_sdelete_like_filename_rename.toml
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update defense_evasion_sdelete_like_filename_rename.toml
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* linted
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 18:46:29 +02:00
Samirbous
206d666e7e
[New Rule] Microsoft IIS Connection Strings Decryption (#165)
* [New Rule] Microsoft IIS Connection Strings Decryption
* Update credential_access_iis_connectionstrings_dumping.toml
* Update credential_access_iis_connectionstrings_dumping.toml
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Linted
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 11:45:41 +02:00
Samirbous
a679207413
[New Rule] - Defense Evasion IIS HttpLogging Disabled (#142)
* [New Rule] - Defense Evasion IIS HttpLogging Disabled
* Update defense_evasion_iis_httplogging_disabled.toml
* Update defense_evasion_iis_httplogging_disabled.toml
* Update defense_evasion_iis_httplogging_disabled.toml
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Linted
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 11:39:04 +02:00
Samirbous
53484de986
[New Rule] - Creation of a new GPO Scheduled Task or Service (#126)
* [New Rule] - Creation of a new GPO Scheduled Task or Service
* Update lateral_movement_gpo_schtask_service_creation.toml
* Update lateral_movement_gpo_schtask_service_creation.toml
* Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update lateral_movement_gpo_schtask_service_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-29 10:54:24 +02:00
Samirbous
269925ae2e
[New Rule] - MacOS Keychains compression (#136)
* macOS Keychains compression
* Update exfiltration_compress_credentials_keychains.toml
* Update exfiltration_compress_credentials_keychains.toml
* Update exfiltration_compress_credentials_keychains.toml
* Update rules/macos/exfiltration_compress_credentials_keychains.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/exfiltration_compress_credentials_keychains.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/exfiltration_compress_credentials_keychains.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update exfiltration_compress_credentials_keychains.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-29 10:23:43 +02:00
Samirbous
60adbbbb70
[New Rule] - Print Spooler PrivEsc - Suspicious SPL File Created (#148)
* [New Rule] - Print Spooler PrivEsc - Suspicious SPL File Created
* Update privilege_escalation_printspooler_suspicious_spl_file.toml
* added ref and changed verb and replaced file.name with file.extension
* Update privilege_escalation_printspooler_suspicious_spl_file.toml
* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Linted and fixed tactic to privesc
* Linted
* ref
* Update privilege_escalation_printspooler_suspicious_spl_file.toml
* Lint rule
* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-29 10:17:36 +02:00
Samirbous
fc3dcdf133
[New Rule] Unusual CommandShell Parent Process (#202)
* [New Rule] Suspicious CommandShell Parent Process
* toml linted
* Update execution_command_shell_started_by_unusual_process.toml
* Update execution_command_shell_started_by_unusual_process.toml
* Update execution_command_shell_started_by_unusual_process.toml
* Update execution_command_shell_started_by_unusual_process.toml
* Update execution_command_shell_started_by_unusual_process.toml
* Update rules/windows/execution_command_shell_started_by_unusual_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/execution_command_shell_started_by_unusual_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/execution_command_shell_started_by_unusual_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/execution_command_shell_started_by_unusual_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update execution_command_shell_started_by_unusual_process.toml
* Update execution_command_shell_started_by_unusual_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-28 23:15:26 +02:00
Craig Chamberlain
a7dee682cc
Add Tags to Unusual Sudo Activity Rule (#340)
* Update ml_linux_anomalous_sudo_activity.toml
added T1548
* Update ml_linux_anomalous_sudo_activity.toml
* Update ml_linux_anomalous_sudo_activity.toml
2020-09-28 16:07:41 -04:00
Brent Murphy
8a5e0dd441
[New Rule] AWS Management Console Attempted Root Login Brute Force (#88)
* Create initial_access_root_console_failure_brute_force.toml
* bumping threshold value to 10
* Update rules/aws/initial_access_root_console_failure_brute_force.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/aws/initial_access_root_console_failure_brute_force.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update initial_access_root_console_failure_brute_force.toml
* Update rules/aws/initial_access_root_console_failure_brute_force.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update initial_access_root_console_failure_brute_force.toml
* update with FP info
* update threshold field
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-28 13:37:22 -04:00
Craig Chamberlain
0affb48b07
[New Rule] Unusual User Calling the Metadata Service [Linux] (#327)
* Create ml_linux_anomalous_metadata_user.toml
rule create
* Update rules/ml/ml_linux_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update ml_linux_anomalous_metadata_user.toml
* Update ml_linux_anomalous_metadata_user.toml
* Update rules/ml/ml_linux_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-28 12:13:06 -04:00
Craig Chamberlain
746c175669
[New Rule] Unusual User Calling the Metadata Service [Windows] (#328)
* Create ml_windows_anomalous_metadata_user.toml
* Update ml_windows_anomalous_metadata_user.toml
* Update rules/ml/ml_windows_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update ml_windows_anomalous_metadata_user.toml
* Update rules/ml/ml_windows_anomalous_metadata_user.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-28 12:09:14 -04:00
Brent Murphy
7857787328
[New Rule] Azure Global Administrator Role Addition to PIM User (#336)
* Create persistence_azure_pim_user_added_global_admin.toml
* tweak syntax for readability
* Update additional rule name to match others naming convention
* Delete defense_evasion_azure_diagnostic_settings_deletion.toml
* tweak rule name
* Update rules/azure/persistence_azure_pim_user_added_global_admin.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/azure/persistence_azure_pim_user_added_global_admin.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* update description and lint
* small naming tweak for consistency
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-28 10:45:59 -04:00
Justin Ibarra
3c0d982d8f
[Rule Tuning] Mknod Process Activity (#276)
2020-09-24 13:27:16 -08:00