90bc760c56
Update README.md to fix etc path ( #2913 )
2023-07-06 15:00:45 -04:00
e5d6d6e4a7
[New Rule] sus cmds executed by unknown executable ( #2858 )
...
* [New Rule] sus cmds executed by unknown executable
* added an event.action filter
* Added endgame support, fixed stack version comment
* Update execution_suspicious_executable_running_system_commands.toml
* Update rules/linux/execution_suspicious_executable_running_system_commands.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update execution_suspicious_executable_running_system_commands.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-06 17:32:56 +02:00
4e0b7427b7
[New Rules] ftp/rdp bruteforce ( #2910 )
...
* [New Rules] ftp/rdp bruteforce
* Update credential_access_potential_successful_linux_ftp_bruteforce.toml
* Update credential_access_potential_successful_linux_rdp_bruteforce.toml
* Update non-ecs-schema.json
* Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-06 17:16:01 +02:00
d5dee5a6c8
[New Rules] sysctl and modprobe enumeration ( #2844 )
...
* [New Rules] sysctl and modprobe enumeration
* Update discovery_linux_modprobe_enumeration.toml
* Update discovery_linux_sysctl_enumeration.toml
* reverted manifest/schema update
* updated tags
* Update discovery_linux_modprobe_enumeration.toml
2023-07-06 16:46:54 +02:00
cd7a52f1b1
[Rule Tuning] Lock Rules with Different Required Fields Related to 8.9.1 Release ( #2895 )
...
* forking rules with version collisions
* Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
* Update rules/windows/credential_access_suspicious_lsass_access_generic.toml
* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
2023-07-06 10:39:20 -04:00
64b3fa8d1d
[New Rule] Kernel Load/Unload via Kexec Detected ( #2846 )
...
* [New Rule] Kernel Load/Unload via Kexec
* Added additional references
* changed rule name
* changed the query to be more precise
* Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* changed description based on feedback
* Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
2023-07-06 16:03:27 +02:00
646c316b66
[New Rules] Linux Reverse Shells ( #2905 )
...
* [New Rules] Linux Reverse Shells
* [New Rules] Linux Reverse Shells
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_java_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_java_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_java_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Delete UDP rule to add in separate PR
* Update rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Deleted one rule and tuned the others
* Improved the rules' performance
* Added the reverse_tcp rule back after tuning
* Update execution_shell_via_lolbin_interpreter_linux.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-07-06 15:27:57 +02:00
9e5f69dc5b
[FR] Add additional verification to BBR unit tests ( #2909 )
...
* Fixes bug in unit tests
* fix linting
2023-07-06 09:06:36 -04:00
d8969f8df1
RTA For Linux DR and ER Rules ( #2904 )
2023-07-04 18:46:28 +05:30
78055bbeee
[New Rule] Suspicious Proc Enumeration ( #2845 )
...
* [New Rule] Suspicious Proc Enumeration
* Update rules/linux/discovery_suspicious_proc_enumeration.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/discovery_suspicious_proc_enumeration.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
* fix tags
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
2023-07-04 11:34:56 +02:00
df0a1facd1
[WMI Incoming Lateral Movement] Modify Existing Query Exception ( #2843 )
...
* Tune WMI Incoming Lateral Movement
* Tune WMI Incoming Lateral Movement
* Bump updated_date
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-07-03 17:12:05 -04:00
f78de8c9d4
Add MS Office exceptions to query ( #2836 )
...
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-07-03 16:09:17 -04:00
7a1f376a34
[New Rules] Conversion of deprecated ERs over to DRs ( #2877 )
...
* [Conversion] Data Encrypted via OpenSSL
* [Conversion] sus funzip extraction/decompression
* [Conversion] LD_PRELOAD env var process injection
* fix unit testing failure
* suspecting endgame incompatibility
* fixed typo
* added LD_LIBRARY_PATH
* Update defense_evasion_ld_preload_env_variable_process_injection.toml
* Update defense_evasion_ld_preload_env_variable_process_injection.toml
* Added exclusions for FPs
* Update rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/impact_data_encrypted_via_openssl.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-07-02 10:39:44 +02:00
35ea2727dc
[Suspicious Antimalware Scan Interface DLL] Additional Query Exception for Windows Upgrades ( #2850 )
2023-06-30 18:01:35 -04:00
7aa8a7b5fb
[Rules Tuning] diverse tuning ( #2506 )
...
* Update credential_access_saved_creds_vault_winlog.toml
* Update lateral_movement_powershell_remoting_target.toml
* Update credential_access_saved_creds_vault_winlog.toml
* Update lateral_movement_remote_services.toml
* Update lateral_movement_incoming_winrm_shell_execution.toml
* Update lateral_movement_rdp_enabled_registry.toml
* Update persistence_scheduled_task_updated.toml
* Update persistence_scheduled_task_updated.toml
* Update privilege_escalation_persistence_phantom_dll.toml
* Update privilege_escalation_persistence_phantom_dll.toml
* Update rules/windows/persistence_scheduled_task_updated.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-30 18:57:00 +01:00
ff2c951136
[New Rule] Potential Masquerading as Communication Apps ( #2780 )
...
* [New Rule] Potential Masquerading as Communication Apps
* ocd
* Update defense_evasion_masquerading_communication_apps.toml
* Update defense_evasion_masquerading_communication_apps.toml
* Update rules/windows/defense_evasion_masquerading_communication_apps.toml
* Update rules/windows/defense_evasion_masquerading_communication_apps.toml
* Apply suggestions from code review
* Merge branch 'main' into comms_masquerade
* Move to BBR folder
* Revert "Merge branch 'main' into comms_masquerade"
This reverts commit 726c63c0cab782a83d9f505e54e55d4edd1f5589.
2023-06-30 11:46:54 -03:00
d5dddae0ef
[Rule Tuning] Suspicious PowerShell Engine ImageLoad ( #2721 )
...
* [Rule Tuning] Suspicious PowerShell Engine ImageLoad
* Update rules/windows/execution_suspicious_powershell_imgload.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-06-30 10:56:13 -03:00
2a4749d3d0
[New Rule] New Term Rule for USB Devices ( #2644 )
...
* Create
* Update initial_access_first_time_seen_usb_name.toml
* Update rules/windows/initial_access_first_time_seen_usb_name.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/initial_access_first_time_seen_usb_name.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update initial_access_first_time_seen_usb_name.toml
* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-30 10:41:38 -03:00
cf4bbfbcef
[New ER RTA] Potential Linux Rev Shell via Java ( #2897 )
...
* [New ER RTA] Potential Linux Rev Shell via Java
* Added execute permissions to the RTA
* Added 10 millisecond sleep to fix sequencing issue
* Update exec_java_revshell_linux.py
* Added source code
2023-06-30 14:21:06 +02:00
9794f8f0af
[New Rule] Postgresql Code Execution ( #2863 )
...
* [New Rule] Postgresql Code Execution
* Update rules/linux/execution_remote_code_execution_via_postgresql.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update execution_remote_code_execution_via_postgresql.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-30 13:17:24 +02:00
2ff4584456
load unsupported rule type from schema ( #2893 )
2023-06-29 15:32:32 -04:00
d9bc209c76
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 ( #2892 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-29 12:25:51 -04:00
35d373b2bd
[FR] 8.9 Release Preparation and Update Main Branch to 8.10 ( #2891 )
...
* adding new branch and refreshed schema
* fixed flake errors
2023-06-29 11:39:11 -04:00
cec41b4072
[FR Build a limited compatible rule ndjson for older stacks ( #2885 )
2023-06-29 10:18:24 -04:00
73970eb2f2
[FR] Add Support for Multi-Fields and Validation in Rules ( #2882 )
2023-06-28 20:35:33 -04:00
a7e605a0e5
[Rule Tuning] [BUG] Revert PowerShell Query modifications from #2823 ( #2889 )
...
* Revert query mods done in https://github.com/elastic/detection-rules/pull/2823
* Add exception to unit test
* fixed linting
* proper linting fix
* updated to add to definitions.py
* fix linting
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
2023-06-28 15:55:43 -03:00
493c638252
[Bug] Add pywin32 to windows install ( #2886 )
2023-06-28 10:47:29 -04:00
8703c65f87
[Tuning] Azure Network Packet Capture Detected ( #2888 )
2023-06-28 16:32:56 +02:00
90c79a8283
[Proposal] Break Threat Intel Indicator Match rules into Indicator-type rules ( #2777 )
...
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules
* .
* Update threat_intel_indicator_match_hash.toml
* Update to include expiring rules, exclude expiring indexes
* .
* Apply suggestions from code review
* Push changes
* Update pyproject.toml
* Revert "Update pyproject.toml"
This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.
* Update pyproject.toml
* Update integration-schemas.json.gz
* Revert "Update integration-schemas.json.gz"
This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.
* Revert integrations-manifests to the one from main
* Fix maturity
* Update Name
* Update ignore_ids with the indicator rules guid
* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml
* Make changes to use labels
* Update non-ecs-schema.json
* Update rules/cross-platform/threat_intel_fleet_integrations.toml
* Apply suggestions from code review
* Backport to 8.5
* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators
* Update threat_intel_indicator_match_hash.toml
* Update threat_intel_indicator_match_url.toml
* Update threat_intel_indicator_match_url.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-28 10:22:24 -03:00
c94c79ba77
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8 ( #2883 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-27 12:00:19 -04:00
5da2771c12
[New Rule] [BBR] Expired or Revoked Driver Loaded ( #2880 )
...
* [New Rule] Expired or Revoked Driver Loaded
* Update privilege_escalation_expired_driver_loaded.toml
* Update rules_building_block/privilege_escalation_expired_driver_loaded.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
---------
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
2023-06-27 09:18:35 -03:00
48cf95c8eb
[Rule Tuning] Change Network Rules to Use Network Packet Capture Integration ( #2665 )
...
* updated indexes and updated dates
* added network_traffic integration tag to rules
* reverting changes to resolve conflicts
* metadata changes; indexes changed; schemas and manifest updated
* updated default telnet port connection rule
* updating integration manifests
* adjusted rules; updated integrations; deduplicate packages
2023-06-26 17:35:49 -04:00
0f6ded452b
[New RTA] Endpoint Rules ( #2788 )
...
* [New RTA] Endpoint Rules
Suspicious Access to LSA Secrets Registry
Security Account Manager (SAM) Registry Access
Privilege Escalation via EXTENDED STARTUPINFO
Potential Privilege Escalation via Token Impersonation
Suspicious Impersonation as Trusted Installer
NTDLL Loaded from an Unusual Path
Sensitive File Access - Unattended Panther
Potential Discovery of Windows Credential Manager Store
Potential Discovery of DPAPI Master Keys
Potential Process Creation via ShellCode
* Update evasion_ntdll_from_unusual_path.py
* Update credaccess_reg_query_privesc_token_manip.py
* Create shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* fix import
* Update credaccess_reg_query_privesc_token_manip.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_winexec_calc.py
* DLL Side Loading via a Copied Microsoft Executable
* Update sideload_msbin_faultrep.py
* DLL SideLoad via a Microsoft Signed Binary
* Update sideload_msbin_faultrep.py
* C2 via ISO file
* ++
* persistence from ISO
* Update exec_persistence_from_iso.py
* replaced win32con with actual static values
* Update sensitive_file_access.py
* Update credaccess_reg_query_privesc_token_manip.py
* Update ExecFromISOFile.ps1
* Suspicious ImageLoad from an ISO Mounted Device
* Update execution_iso_dll_rundll32.py
* Update c2_dns_from_iso.py
* Update shellcode_load_ws2_32_unbacked.py
* Update shellcode_load_ws2_32_unbacked.py
* Update impersonate_trusted_installer.py
* Library Loaded via a Callback Function
* Update evasion_loadlib_via_callback.py
* ++
* added ntds.dit access
* Security Account Manager (SAM) File Access
* Update sensitive_file_access.py
* Update sensitive_file_access.py
* Update sensitive_file_access.py
* Suspicious Execution via DotNet Remoting
* Update evasion_addinproc_certoc.py
* Update evasion_addinproc_certoc_odbc.py
* Update evasion_addinproc_certoc_odbc_gfxdwn.py
* Update evasion_addinproc_certoc_odbc_gfxdwn.py
* ++
* Update evasion_unhook_ldrloaddll.py
* added ETW and AMSI patching
* Update evasion_oversized_dll_load.py
* Update sensitive_file_access.py
added technique ids
* Update c2_dns_from_iso.py
fixed endpoint rule.ids array
* moved getppid to common.py
* moved impersonate_system to common
* moved inject to common.py
* Update credaccess_sam_from_vss.py
* Update evasion_addinproc_certoc_odbc_gfxdwn.py
* Update evasion_loadlib_via_callback.py
* Update evasion_oversized_dll_load.py
* Update evasion_patch_etw_amsi.py
* Update execution_iso_dll_sideload.py
* Update evasion_unhook_ldrloaddll.py
* Update exec_persistence_from_iso.py
* Update execution_iso_dll_rundll32.py
* Update sensitive_file_access.py
* Update shellcode_load_ws2_32_unbacked.py
* ++
* Update rta/c2_dns_from_iso.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rta/common.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rta/common.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rta/credaccess_reg_query_privesc_token_manip.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rta/credaccess_sam_from_vss.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rta/common.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rta/credaccess_sam_from_vss.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update shellcode_winexec_calc.py
* Update shellcode_load_ws2_32_unbacked.py
* Update c2_dns_from_iso.py
* Update evasion_oversized_dll_load.py
* Update rta/credaccess_sam_from_vss.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update evasion_oversized_dll_load.py
* Update rta/credaccess_sam_from_vss.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update credaccess_sam_from_vss.py
* Update c2_dns_from_iso.py
* ++
* ++
* ++
* Update impersonate_trusted_installer.py
* Update evasion_patch_etw_amsi.py
* Update credaccess_reg_query_privesc_token_manip.py
* ++
* Update evasion_ntdll_from_unusual_path.py
* Update evasion_oversized_dll_load.py
* ++
* Update common.py
* Update ExecFromISOFile.ps1
* Update evasion_ntdll_from_unusual_path.py
* add cpp source files
* Update rta/common.py
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
* Update rta/src/LoadLib-Callback64.cpp
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
* Update rta/src/rta_unhook_ldrload.cpp
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
* Update rta/impersonate_trusted_installer.py
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-23 16:58:30 +01:00
aaa4ce2ea0
[BUG] test_all_rule_queries_optimized does not run on rules ( #2823 )
...
* Fixed kql -> kuery in test_all_rule_queries_opt...
* all queries optimized
* manually reconciled all rules that failed due to toml escaped chars
* merge rules from main
* Rules needing optimization
* Fix optimized note
* fix another note
* another note fix
* fixing whitespace
* Updated for readability
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-23 10:58:31 -04:00
d829b145ef
[Bug] Fix Tag Navigator Generation ( #2875 )
...
* bug fix for tag navigator generation
* addressing flake errors
* added unit test to ensure prefix exists
* updated unit test case sensitivity
* moved expected tags to definitions.py
* removed expected prefixes
* revert downloadable updates JSON file
2023-06-23 10:44:55 -04:00
b4c84e8a40
[Security Content] Tags Reform ( #2725 )
...
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-22 18:38:56 -03:00
7d758fdacd
[New Rule] Potential Malicious File Downloaded from Google Drive ( #2862 )
...
* new rule for malicious files downloaded from Google Drive
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
* removed unecessary tags
* removed extra space
* updated false positives
* fix unit testing failure
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* removed note field
* added cmd.exe
* updated updated_dated
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* removed LoLBins to capture unknown binaries involved
* removed code signature requirements
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-06-22 14:10:14 -04:00
7c5f17e30c
[New Rules] User / Group Creation & Privileged Group Addition ( #2546 )
...
* [New Rules] user/group creation
* Update rules/linux/persistence_linux_group_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/persistence_linux_user_account_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added backdoor user account
* added host.os.type == linux for unit testing fix
* unit testing fixes
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Added OSQuery to Investigation Guides
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* removed investigation guides to add in future PR
* Fixed some issues with the rules
* fixed typo
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_linux_user_account_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_linux_group_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-22 15:15:48 +02:00
71186c8788
[Rule Tuning] Potential Persistence Through Run Control Detected ( #2857 )
...
* [Rule Tuning] changed rule type to new_terms
* Updated min stack comment
* Update persistence_rc_script_creation.toml
* Changed description, removed file.path from new_terms field because it is not necessary
* added host.id to new terms field and bumped up min stack
2023-06-22 13:39:36 +02:00
7d64dc2a87
[Rule tunings / New Rule] Kernel Unload and Enumeration ( #2838 )
...
* [Rule Tunings] Kernel Module Enumeration / Removal
* [Rule Tunings] Kernel Module Enumeration and Removal
* Deleted copy of wrong file
* EQL Conversion and made the rule more resilient
* Converted rules to EQL and made rules more resilient
* Removed unwanted rule from PR
* fixed unit tests
* fixed unit testing, removed endgame support
* Added a rule to detect kernel module enum via proc
* Did some additional tuning, 0 hits in RedSector now
2023-06-22 10:11:52 +02:00
082e92c95c
[Rule Tuning] Adjust Okta ThreatInsight Rule to Promotion ( #2854 )
...
* adding new rule for Okta ThreatInsight threat suspected
* added promotion tag
* removed new rule and tuned existing
* added promotion tag
* Update rules/integrations/okta/okta_threatinsight_threat_suspected_promotion.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-21 09:47:27 -04:00
6449cecd08
[FR] Add support for building block rules (BBR) ( #2822 )
...
* added test bbr
* initial implementation
* Added Unit test and exempted bbr from integrations
* fixed linting
* Add schema validation to building block rules
* add separate error messages
* fixed linting
* Add testing bbr validation
* fixed linting
* Add default values
* fixed linting
* added defaults
* fixed linting
* cleaned up test rule
* removed .gitkeep
* read .gitkeep
* Switch to using validates_schema
* addressing some linting
* fixed linting
* Update detection_rules/schemas/definitions.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* add env variable check
* fix skip function
* updated name
* Update detection_rules/schemas/definitions.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Add bbr validation unit test
* Clean up comments
* fix linting
* Move convert time to utils
* Moved to rules_building_block
* Add check for only bbr in bbr dir
* fix linting
* additional linting fix
* Changed to bbr rule loader
* fixed bbr default
* Updated error messages and README
* fixed more linting
* Updating root level README
* Fixed convert_time_span calls
* fixed typo in unit test logic and updated txt
* fixed error message
* updated comment for clarity
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Updated validation methods for clarity
* fix doctring location
* Fixed typo
* updated error messages.
* removed excess whitespace
* Add per rule bypass
* Add single rule bypass
* Split unit tests
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update detection_rules/rule.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-20 09:00:30 -04:00
dc05f1d8f3
[New Rule] Sus Network Activity from Unknown Executable ( #2856 )
...
* [New Rule] Sus Network Activity from Unknown Executable
* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* added endgame support, changed min stack comment
* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-14 23:27:29 +02:00
b4a218ed1c
[New Rule] Shared Object Created ( #2848 )
...
* [New Rule] Shared Object Created or Changed
* Removed sub technique
* Update rules/linux/persistence_shared_object_creation.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* changed description slightly
* Update rules/linux/persistence_shared_object_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_shared_object_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* added T1574.006
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-13 22:51:07 +02:00
01334a28bd
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8 ( #2853 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-13 09:48:24 -04:00
4f9f28c370
[New Rules] Cron Job / Systemd Service Creation ( #2847 )
...
* [New Rules] Cron Job/Systemd Service Creation
* Added execution to tags
* Added additional EndGame Support
* Update rules/linux/persistence_cron_job_creation.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
* Update rules/linux/persistence_systemd_service_creation.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
---------
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
2023-06-13 09:44:44 +02:00
644d2f5b26
[New Rule] New Systemd Timer Created ( #2601 )
...
* [New Rule] New Systemd Timer Created
* improve query runtime performance
* added process.name entries for alert reduction
* attempt to fix gh unit testing failure
* added host.os.type==linux to fix unit test error
* Added OSQuery to investigation guides
* added additional process names
* removed investigation guides to add in future PR
* removed investigation guide tag
* Changed rule to new_terms rule to reduce FPs
* fixed query
* formatting fix
* Learnt another thing about KQL.. Formatting fix.
* unit test fix
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
2023-06-13 09:15:47 +02:00
450e84ffa2
[FR] Add host family to data path ( #2839 )
...
* add rounding logic
* cleaned up event_sort
* fix linting
* Added host_family to ndjson file path
* linting fix
* Added ability to manually supply host_os_family
* fixed linting
* Update detection_rules/utils.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update detection_rules/utils.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* linting updates
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-12 16:03:33 -04:00
1e404cde34
[Suspicious PowerShell Engine ImageLoad] Add Ssms.exe to query exceptions ( #2831 )
...
* Add Ssms.exe to query exceptions
* Changed updated_date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-12 16:15:47 -03:00
8db42da040
Limit backports to 8.3+ ( #2450 )
...
* Drop Rule Support for Outdated Stack Versions Less Than 8.3
* changed version lock key assignment logic and updated version lock file
* added comment to stack-schema-map file
* changed version lock key assignment logic to use custom Version method)
* Update detection_rules/devtools.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* reverting version lock file to original
* updated version lock from adjusted comparison logic of stack versions
* updated logic in devtools; removed < 8.3.0 in version lock file
* trimmed lock version before merge
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-12 12:51:40 -04:00
Mika Ayenson