8de268449855d99d0431cdd01dd5e35ea88e68ab
3 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
 Ruben Groenewoud
|
8de2684498 |
[Security Content] Add Investigation Guides to Linux DRs 8.9 (#2868)
* [Investigation Guide] 10 new Linux IG's 8.9 * Added 4 more IG tags * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_user_account_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_user_added_to_privileged_group.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_execution.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_execution.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_execution.toml * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * implemented feedback --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> |
||
|
Jonhnathan
|
b4c84e8a40 |
[Security Content] Tags Reform (#2725)
* Update Tags * Bump updated date separately to be easy to revert if needed * Update resource_development_ml_linux_anomalous_compiler_activity.toml * Apply changes from the discussion * Update persistence_init_d_file_creation.toml * Update defense_evasion_timestomp_sysmon.toml * Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml * Update missing Tactic tags * Update unit tests to match new tags * Add missing IG tags * Delete okta_threat_detected_by_okta_threatinsight.toml * Update command_and_control_google_drive_malicious_file_download.toml * Update persistence_rc_script_creation.toml * Mass bump * Update persistence_shell_activity_by_web_server.toml * . --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> |
||
|
Ruben Groenewoud
|
09719dd0c5 |
[Rule Tuning] Potential Shell via Web Server (#2585)
* tuned web shell logic, and converted to EQL * Removed old, created new rule to bypass "type" bug * Revert "Removed old, created new rule to bypass "type" bug" This reverts commit e994b62ecb838f73fa56d145e529169ebd2f5133. * Revert "tuned web shell logic, and converted to EQL" This reverts commit 28bda94b846cbb4ae1a084e707db2b6df458a7ca. * Deprecated old rule, added new * formatting fix * removed endgame index * Fixed changes captured as edited, not created * Update rules/linux/persistence_shell_activity_through_web_server.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * fix conflict * added host.os.type==linux for unit testing * removed wildcards in process.args * Update rules/linux/persistence_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * fixed conflict by changing file name and changes * Trying to resolve the GH conflict * attempt to fix GH conflict #2 * Update persistence_shell_activity_by_web_server.toml * Added endgame support * Added OSQuery to investigation guide * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guide to add in future PR --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> |