Ruben Groenewoud
8eea11e6ab
[New Rule & Tuning] (Ana)Cron & At Job Creation (#3726)
* [New Rule & Tuning] (Ana)Cron & At Job Creation
* Update persistence_at_job_creation.toml
* Update persistence_cron_job_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_at_job_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/persistence_cron_job_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 81ee6380ec)
2024-06-05 07:56:52 +00:00
shashank-elastic
06660cb2e1
Refresh MITRE Attack v15.1.0 (#3725)
(cherry picked from commit e357a2c050)
2024-06-04 14:48:18 +00:00
Ruben Groenewoud
0295db4b6b
[New Rule & Tunings] Linux Springtail Backdoor (#3692)
* [New Rules and Tuning] Springtail backdoor
* consistency formatting
* update
* unit testing formatting change
* Update persistence_systemd_service_started.toml
* Update persistence_systemd_service_started.toml
* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
(cherry picked from commit 390629da4e)
2024-05-24 08:13:21 +00:00
shashank-elastic
18fcd83683
Back-porting Version Trimming (#3704)
(cherry picked from commit 63e91c2f12)
2024-05-22 19:18:10 +00:00
Justin Ibarra
e7959e88b9
[Bug] Fix test_os_and_platform_in_query test and rules (#3695)
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
(cherry picked from commit ce21acef9c)
2024-05-20 15:51:28 +00:00
Ruben Groenewoud
d3faf0d0d6
[New Rule] Shell Configuration Modification (#3629)
* [New Rule] Shell Configuration Modification
* description update
* uuid update
* query update
* query update
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
(cherry picked from commit e29994c338)
2024-04-30 11:48:38 +00:00
Ruben Groenewoud
f7215a7ced
[Rule Tuning] Linux DRs (#3628)
(cherry picked from commit 115c3a6dfd)
2024-04-30 11:33:56 +00:00
Mirko Bez
a6ea41cae0
Add filebeat-* index pattern to rules based on system.auth dataset (#3561)
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
(cherry picked from commit 153657029b)
2024-04-03 09:36:00 +00:00
Samirbous
de3db7007a
[New] Potential Execution via XZBackdoor (#3555)
* [New] Potential Execution via XZBackdoor
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rules/linux/persistence_suspicious_ssh_execution_xzbackdoor.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit f2490007e8)
2024-04-02 04:22:46 +00:00
Ruben Groenewoud
f0a06bc56b
[Rule Tuning] Potential Reverse Shell via UDP (#3508)
(cherry picked from commit a6028b43b3)
2024-03-21 12:56:41 +00:00
Ruben Groenewoud
4fec1a766e
[New Rules] mprotect() RWX Binary Execution (#3507)
* [New Rules] mprotect() RWX Binary Execution
* Added rule names
* Update execution_netcon_from_rwx_mem_region_binary.toml
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update execution_netcon_from_rwx_mem_region_binary.toml
* Update execution_netcon_from_rwx_mem_region_binary.toml
(cherry picked from commit 4179180fcb)
2024-03-13 21:18:29 +00:00
Ruben Groenewoud
11168606d5
[Tuning] event.action and event.type change (#3495)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 9f8638a004)
2024-03-13 09:16:45 +00:00
Jonhnathan
9101dfc064
[Security Content] Small tweaks on the setup guides (#3308)
* [Security Content] Small tweaks on the setup guides
* Additional Fixes
* Avoid touching deprecated rules
(cherry picked from commit 458e67918a)
2024-03-11 12:15:22 +00:00
Ruben Groenewoud
28220d0ccd
[Tuning] Linux DR Tuning - Part 12 (#3464)
* [Tuning] Linux DR Tuning - Part 12
* Update persistence_shared_object_creation.toml
* Update privilege_escalation_dac_permissions.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Min stack rule-bending test
* formatting fix
* Revert "Merge branch 'linux-dr-tuning-12' of https://github.com/elastic/detection-rules into linux-dr-tuning-12"
This reverts commit 0170cddd905b4b983f8413eebbc11c9c7b3719ce, reversing
changes made to 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Revert "Min stack rule-bending test"
This reverts commit 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_chown_chmod_unauthorized_file_read.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 9c4ba4559d)
2024-03-07 17:15:18 +00:00
Ruben Groenewoud
124e8c836c
[Tuning] Linux DR Tuning - Part 14 (#3467)
* [Tuning] Linux DR Tuning - Part 14
* Update privilege_escalation_sudo_cve_2019_14287.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit ed4a7fc15b)
2024-03-07 15:51:17 +00:00
Ruben Groenewoud
dfaed78e75
[Tuning] Linux DR Tuning - Part 13 (#3465)
* [Tuning] Linux DR Tuning - Part 13
* updated date bump
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
* Update privilege_escalation_netcon_via_sudo_binary.toml
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
* Update rules/linux/privilege_escalation_shadow_file_read.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
(cherry picked from commit 60fda8d756)
2024-03-07 15:33:51 +00:00
Ruben Groenewoud
09fe63d18f
[Tuning] Linux DR Tuning - Part 11 (#3463)
* [Tuning] Linux DR Tuning - Part 11
* Update persistence_message_of_the_day_creation.toml
* Update persistence_message_of_the_day_execution.toml
* Update rules/linux/persistence_message_of_the_day_execution.toml
* Update persistence_linux_user_added_to_privileged_group.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit ef66c57030)
2024-03-07 11:26:39 +00:00
Ruben Groenewoud
68cfb3dfde
[Tuning] Linux DR Tuning - Part 10 (#3462)
* [Tuning] Linux DR Tuning - Part 10
* updated_date bump
* Update persistence_kworker_file_creation.toml
* Update persistence_linux_backdoor_user_creation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit a76a3755d9)
2024-03-07 10:50:21 +00:00
Ruben Groenewoud
6141bc3dd7
[Tuning] Linux DR Tuning - Part 9 (#3461)
* [Tuning] Linux DR Tuning - Part 9
* Update persistence_credential_access_modify_ssh_binaries.toml
* Update lateral_movement_ssh_it_worm_download.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit fd84573212)
2024-03-07 10:39:28 +00:00
Ruben Groenewoud
f209923155
[Tuning] Linux DR Tuning - Part 8 (#3460)
* [Tuning] Linux DR Tuning - Part 8
* Update impact_esxi_process_kill.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 08f946b394)
2024-03-07 10:06:27 +00:00
Ruben Groenewoud
e44b8a7768
[Tuning] Linux DR Tuning - Part 7 (#3458)
* [Tuning] Linux DR Tuning - Part 7
* Update execution_potential_hack_tool_executed.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit c537fb9c22)
2024-03-07 09:52:07 +00:00
Ruben Groenewoud
472ca216d3
[Tuning] Linux DR Tuning - Part 6 (#3457)
* [Tuning] Linux DR Tuning - Part 6
* Update discovery_ping_sweep_detected.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit f37a3bfd48)
2024-03-07 09:14:25 +00:00
Ruben Groenewoud
d28bd2abef
[Tuning] Linux DR Tuning - Part 5 (#3456)
* [Tuning] Linux DR Tuning - Part 6
* Update discovery_dynamic_linker_via_od.toml
* Update discovery_esxi_software_via_find.toml
* Update discovery_esxi_software_via_grep.toml
* Update discovery_linux_hping_activity.toml
* Update discovery_linux_nping_activity.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit ae3f4737ab)
2024-03-07 08:59:38 +00:00
Ruben Groenewoud
2f18b54ac8
[Tuning] Auditbeat event.action Compatibility (#3471)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 83abf8d42c)
2024-03-06 14:34:12 +00:00
Ruben Groenewoud
e6db511ac7
[BBR Promotion] Linux BBR --> DR Promotion (#3472)
* [BBR Promotion] Linux BBR --> DR Promotion
* [BBR Promotion] Linux BBR --> DR Promotion
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 5a80423003)
2024-03-06 13:55:08 +00:00
Ruben Groenewoud
7adff8ebd2
[Tuning] Linux DR Tuning - Part 4 (#3455)
* [Tuning] Linux DR Tuning - Part 4
* Update defense_evasion_file_mod_writable_dir.toml
* Update defense_evasion_hidden_file_dir_tmp.toml
(cherry picked from commit 089e6671aa)
2024-02-20 14:44:07 +00:00
Ruben Groenewoud
24eea0e1e5
[Tuning] Event.dataset removal & Tag Addition (#3451)
* [Tuning] Removed event.dataset and added tag
* [Tuning] Removed event.dataset and added tag
* fixed typo
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 3484cac7eb)
2024-02-20 14:23:44 +00:00
Ruben Groenewoud
5af7ec1a4b
[Tuning] Linux DR Tuning - Part 3 (#3454)
(cherry picked from commit 5e6e4a359b)
2024-02-20 13:56:14 +00:00
Ruben Groenewoud
d09d0b0609
[Tuning] Linux DR Tuning - Part 1 (#3452)
* [Tuning] Linux DR Tuning - Part 1
* Update command_and_control_linux_tunneling_and_port_forwarding.toml
* Update command_and_control_cat_network_activity.toml
(cherry picked from commit 1dc7fd6a42)
2024-02-20 13:44:07 +00:00
Ruben Groenewoud
5b8b6c4450
[Tuning] Linux DR Tuning - Part 2 (#3453)
* [Tuning] Linux DR Tuning - Part 2
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
(cherry picked from commit 0e48747aa6)
2024-02-20 13:22:50 +00:00
Ruben Groenewoud
e037d57c82
[New Rules] DDExec Analysis (#3408)
* [New Rules] DDExec Analysis
* Increased rule scope
* [New Rule] Dynamic Linker Discovery via od
* Revert "[New Rule] Dynamic Linker Discovery via od"
This reverts commit c58595b77f517d3f236a64a52c38804253db64cc.
* [New Rule] Dynamic Linker Discovery via od
* [New Rule] Potential Memory Seeking Activity
* [New BBR] Suspicious Memory grep Activity
* Added endgame + auditd_manager support
* Removed auditd_manager support for now
* Removed auditd_manager support for now
* Update discovery_suspicious_memory_grep_activity.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit d41855a2ac)
2024-02-06 13:53:27 +00:00
Ruben Groenewoud
27b01ac788
[New Rule] Executable Masquerading as Kernel Process (#3421)
* [New Rule] Executable Masquerading as Kernel Proc
* Bumped dates
* Added endgame support
* Added auditd_manager support
* Removed auditd_manager support for now
(cherry picked from commit 90d64f0714)
2024-02-06 09:54:53 +00:00
Ruben Groenewoud
35dd5ad3c6
[New Rules] APT Package Manager Persistence (#3418)
* [New Rule] apt Package Manager Persistence
* [New Rules] APT Package Manager Persistence
* [New Rules] APT Package Manager Persistence
(cherry picked from commit 208b2e999c)
2024-02-06 09:34:38 +00:00
Ruben Groenewoud
8d3eed8d4d
[New Rule] Suspicious Network Connection via systemd (#3420)
* [New Rule] Network Connection via systemd
* Removed space from description
* Added updated query
(cherry picked from commit 4f303ab77e)
2024-02-06 09:25:09 +00:00
Ruben Groenewoud
bad1eff29b
[New Rule] Suspicious Passwd File Event Action (#3396)
* [New Rule] Suspicious Passwd File Event Action
* Description fix
* Pot. UT fix
* Pot. UT fix.
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 381ccf43ed)
2024-01-26 08:42:09 +00:00
Ruben Groenewoud
cdbf64d360
[New Rule] Potential Buffer Overflow Attack Detected (#3312)
* [New Rule] Potential Buffer Overflow Attack
* Added timestamp_override
* Update privilege_escalation_potential_bufferoverflow_attack.toml
* Update privilege_escalation_potential_bufferoverflow_attack.toml
* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
(cherry picked from commit 48d8b650e5)
2024-01-22 15:34:03 +00:00
Ruben Groenewoud
ebd743efd5
[New Rule] Chroot Container Escape via Mount (#3387)
* [New Rule] Chroot Container Escape via Mount
* description fix
(cherry picked from commit ec5f4d596c)
2024-01-22 08:23:26 +00:00
Ruben Groenewoud
0a6ad4adc3
[Security Content] Add Investigation Guides to Linux Persistence Rules - 2 (#3350)
* [Security Content] Add IGs to Persistence - 2
* [Security Content] Add IGs to Persistence - 2
* fixes
* fix
* added ig note
(cherry picked from commit 26747aa8a4)
2024-01-20 18:41:48 +00:00
shashank-elastic
8a2475b5e3
Linux Process Capabilities Enrichment Detection Rules (#3366)
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
(cherry picked from commit 1a2ef4b867)
2024-01-18 17:24:51 +00:00
Terrance DeJesus
7367f37584
[Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368)
* updated timestamp override unit test; fixed rules missing this field
* fixed flake error
* simplified and consolidated logic
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* added comments
* updated logic; added comments; removed unused variables
* removed custom python script
* updated dates
* removed deprecated rule change
* updated dates
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
(cherry picked from commit 1c10c37468)
2024-01-17 19:20:19 +00:00
Ruben Groenewoud
5601eadfc1
[New Rule] Network Connection via Sudo Binary (#3389)
* [New Rule] Network Connection via Sudo Binary
* description grammar fix
(cherry picked from commit 4301dacfb8)
2024-01-17 08:53:09 +00:00
Ruben Groenewoud
e7c4eb743a
[New Rule] Kernel Driver Load by non-root User (#3378)
* [New Rule] Kernel Driver Load by non-root User
* setup note change
* removed unnecessary index
(cherry picked from commit a9285445cf)
2024-01-17 08:41:26 +00:00
shashank-elastic
8c2415c00b
Linux Rule Tuning (#3379)
(cherry picked from commit 24d5528ab0)
2024-01-11 12:42:19 +00:00
Ruben Groenewoud
2f8ce915ab
[Rule Tuning] Dynamic Linker Copy (#3349)
(cherry picked from commit df86882036)
2024-01-08 10:01:39 +00:00
Ruben Groenewoud
f3273f1dac
[Rule Tuning] Linux DR Tuning - Part 3 (#3322)
* [Rule Tuning] Linux DR Tuning - Part 3
* small fix
* typo
* coffee
* Update persistence_cron_job_creation.toml
* Update persistence_shared_object_creation.toml
(cherry picked from commit 6c91c1597d)
2024-01-08 09:22:14 +00:00
Ruben Groenewoud
78618a1191
[Rule Tuning] Linux DR Tuning - Part 2 (#3321)
* [Rule Tuning] Linux DR Tuning - Part 2
* [Rule Tuning] Linux DR Tuning - Part 2
* fix
* Update execution_shell_suspicious_parent_child_revshell_linux.toml
(cherry picked from commit 36226e5428)
2024-01-08 09:12:44 +00:00
Ruben Groenewoud
9017653e37
[Rule Tuning] Linux DR Tuning - Part 1 (#3316)
* [Rule Tuning] Linux DR Tuning - Part 1
* fix
* Update command_and_control_linux_kworker_netcon.toml
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_file_mod_writable_dir.toml
(cherry picked from commit b533642272)
2024-01-08 08:55:30 +00:00
Ruben Groenewoud
42fdcbef3e
[Security Content] Add Investigation Guides to Linux C2 Rules (#3247)
* [Security Content] Add Investigation Guides to Linux C2 Rules
* Applied feedback
(cherry picked from commit 91a757a018)
2023-12-18 16:07:52 +00:00
Ruben Groenewoud
dae8e76cd4
[Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254)
* [Rule Tuning & New Rule] Linux Reverse Shell
* [Tuning & New Rule] Linux Reverse Shells
* Name change
* Update rules/linux/execution_shell_via_child_tcp_utility_linux.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Update execution_shell_via_child_tcp_utility_linux.toml
* Update execution_shell_via_background_process.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
(cherry picked from commit 84824c67fd)
2023-12-18 08:41:34 +00:00
Ruben Groenewoud
7c4a827fb8
[Security Content] Add Investigation Guides to Linux Persistence Rules - 1 (#3288)
* [Security Content] Add IGs to Persistence Rules
* Cleaned query
* IG description fix
* Added related rules
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 6c614eb102)
2023-12-11 12:58:41 +00:00