9e4fce6586
[Rule Tuning] Potential Linux Hack Tool Launched ( #4191 )
2024-10-25 17:23:48 +02:00
b0bba39007
[Rule Tuning] Linux User Added to Privileged Group ( #4206 )
2024-10-25 14:21:20 +02:00
d0225c37df
[Rule Tuning] Tuning 'Unusual Instance Metadata Service (IMDS) API Request' ( #4169 )
...
* tuning 'Unusual Instance Metadata Service (IMDS) API Request'
* added missing bracket
* linted
* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
* removed intelephense whitelisting
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-10-18 11:50:57 -04:00
42f6c8f9a5
[Rule Tuning] Q2 Linux DR Tuning - Part 4 ( #4165 )
2024-10-18 17:13:44 +02:00
b309bcb7ae
[Rule Tuning] Q2 Linux DR Tuning - Part 5 ( #4166 )
...
* [Rule Tuning] Q2 Linux DR Tuning - Part 5
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_rpm_package_installation_from_unusual_parent.toml
2024-10-18 17:02:26 +02:00
601254488b
[BBR Promotion] Q2 Linux BBR Promotion ( #4172 )
...
* [BBR Promotion] Q2 Linux BBR Promotion
* Update collection_linux_clipboard_activity.toml
* Update defense_evasion_creation_of_hidden_files_directories.toml
2024-10-18 16:55:09 +02:00
ac6a49eeea
[Rule Tuning] Q2 Linux DR Tuning - Part 6 ( #4167 )
2024-10-18 16:25:54 +02:00
39fc23cb3d
[Rule Tuning] Q2 Linux DR Tuning - Part 3 ( #4164 )
...
* [Rule Tuning] Q2 Linux DR Tuning - Part 3
* Update execution_suspicious_executable_running_system_commands.toml
2024-10-18 16:18:14 +02:00
3982228132
[Rule Tuning] Q2 Linux DR Tuning - Part 2 ( #4163 )
2024-10-18 16:07:09 +02:00
af9f9e2456
[Rule Tuning] Q2 Linux DR Tuning - Part 1 ( #4162 )
...
* [Rule Tuning] Q2 Linux DR Tuning - Part 1
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
2024-10-18 15:59:51 +02:00
5b41bbd5e9
[Tuning] Updated references ( #4114 )
2024-10-01 08:43:14 -03:00
a3e89a7fab
[New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE) ( #4106 )
...
* [New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE)
* Description update
* Investigation Guide Update
2024-09-27 14:48:03 +02:00
b80d8342d6
[Docs | Rule Tuning] Add blog references to rules ( #4097 )
...
* [Docs | Rule Tuning] Add blog references to rules
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestions from code review
* Update google_workspace blog references
* add okta blog references
* Update dates
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-09-25 15:19:20 -05:00
e30dc312e4
[Tuning] Potential Execution via XZBackdoor ( #4053 )
...
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
2024-09-05 20:13:32 +01:00
be611be8b3
[New Rule] Instance Metadata Service (IMDS) API Requests - Linux ( #4005 )
...
* new rule metadata API requests
* updated description and name
* added Ipv6
* adjusted query
* rule name fix
* changed to EQL; added discovery tactic
* removed timestamp override
* adding host.os.type
* adjusted description
* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* adjusted query
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-09-05 10:08:32 -04:00
9f964b68a4
[New Rule] Root Certificate Installation ( #4025 )
...
* [New Rule] Root Certificate Installation
* Update defense_evasion_root_certificate_installation.toml
* Update rules/linux/defense_evasion_root_certificate_installation.toml
2024-09-03 17:40:17 +02:00
b3a75899d5
[New Rule] SELinux Configuration Creation or Modification ( #4024 )
...
* [New Rule] SELinux Configuration Creation or Modification
* Update rules/linux/defense_evasion_selinux_configuration_creation_modification.toml
* Rename defense_evasion_selinux_configuration_creation_modification.toml to defense_evasion_selinux_configuration_creation_or_renaming.toml
* Update rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml
* Update rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml
2024-09-01 10:14:59 +02:00
fb07033159
[New Rule] Attempt to Disable Auditd Service ( #4028 )
...
* [New Rule] Attempt to Disable Auditd Service
* Update defense_evasion_attempt_to_disable_auditd_service.toml
* Update rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-09-01 09:51:13 +02:00
30cd1b6a00
[New Rule] Potential Defense Evasion via Doas ( #4027 )
...
* [New Rule] Potential Defense Evasion via Doas
* Update rules/linux/defense_evasion_doas_configuration_creation_or_modification.toml
* Update rules/linux/defense_evasion_doas_configuration_creation_or_modification.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Rename defense_evasion_doas_configuration_creation_or_modification.toml to defense_evasion_doas_configuration_creation_or_rename.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-08-29 21:19:13 +02:00
19b4a4d7dd
[New Rule] SSL Certificate Deletion ( #4026 )
...
* [New Rule] SSL Certificate Deletion
* Update defense_evasion_ssl_certificate_deletion.toml
* Update rules/linux/defense_evasion_ssl_certificate_deletion.toml
2024-08-29 21:10:59 +02:00
6aaccc64a6
[New Rule] AWS CLI Command with Custom Endpoint URL ( #4002 )
...
* new rule AWS CLI COmmand with Custom Endpoint URL
* fixed query
* added host os type
* added timestamp override
2024-08-28 09:58:08 -04:00
162a48c97f
[New Rule] Openssl Client or Server Activity ( #3930 )
...
* [New Rule] Openssl Client or Server Activity
* Endgame support
* Added one exclusion
* Update execution_shell_openssl_client_or_server.toml
* Update execution_shell_openssl_client_or_server.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-08-22 16:53:31 +02:00
c58ae92dd1
[New Rule] Dynamic Linker Creation or Modification ( #3969 )
...
* [New Rule] Dynamic Linker Creation or Modification
* Removed new line from description
* Update rules/linux/defense_evasion_dynamic_linker_file_creation.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update defense_evasion_dynamic_linker_file_creation.toml
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-08-10 10:25:55 +02:00
55e81c1169
[Rule Tuning] Attempt to Disable IPTables or Firewall ( #3972 )
...
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-08-10 10:18:11 +02:00
b6ffb10ab2
[Rule Tuning] System Log File Deletion ( #3970 )
2024-08-10 10:04:56 +02:00
6e3e5f6373
[Rule Tuning] Potential Disabling of AppArmor ( #3971 )
...
* [Rule Tuning] Potential Disabling of AppArmor
* Update query
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-08-10 09:51:45 +02:00
93d928625d
[Tuning] Executable Bit Set for Potential Persistence Script ( #3929 )
2024-08-02 21:13:19 +02:00
485312d5f2
[Rule Tuning] System Binary Moved or Copied ( #3933 )
2024-08-01 18:47:58 +02:00
134b842361
[Rule Tuning] Removed Endgame from Incompatible Rules ( #3931 )
...
* [Rule Tuning] Removed Endgame from Incompatible Rules
* ++
2024-07-31 09:26:38 +02:00
f3b0dc1954
Prep for next release 8.16 ( #3919 )
2024-07-24 11:19:56 -04:00
baee89de9b
Revert "Prep for next release 8.16 ( #3914 )"
...
This reverts commit 4245a815d2
2024-07-23 14:06:04 -04:00
4245a815d2
Prep for next release 8.16 ( #3914 )
...
* Prep for Release 8.16
* Add subscription
* Remove double subscription
* Formatting
* Formatting
* Revert Beaconing rules minstack and lock version
2024-07-23 13:04:03 -04:00
03c99d22d3
Revert "Prep for Release 8.16 ( #3913 )"
...
This reverts commit 01135085f6
2024-07-23 09:50:04 -05:00
01135085f6
Prep for Release 8.16 ( #3913 )
2024-07-23 09:42:26 -05:00
a71bbe0cf8
[Rule Tuning] Misc. DR Rule Tuning - Part 2 ( #3905 )
...
* [Rule Tuning] Misc. DR Rule Tuning - Part 2
* ++
* Update privilege_escalation_suspicious_uid_guid_elevation.toml
* Update rules/linux/persistence_systemd_service_creation.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-07-19 15:21:35 +02:00
76fdd549a3
[Rule Tuning] Misc. DR Rule Tuning ( #3904 )
...
* [Rule Tuning] Misc. DR Rule Tuning
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
* I love KQL validation
2024-07-19 15:13:42 +02:00
39350847d6
[New Rules] Git Hook execution/netcon ( #3896 )
...
* [New Rules] Git Hook execution/netcon
* TImestamp formatting change
* Update rules/linux/persistence_git_hook_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-07-17 15:28:37 +02:00
83d6eeb844
[New Rule] RPM Package Installed by Unusual Parent Process ( #3882 )
...
* [New Rule] RPM Package Installed by Unusual Parent Process
* Update persistence_rpm_package_installation_from_unusual_parent.toml
* Update persistence_rpm_package_installation_from_unusual_parent.toml
2024-07-17 15:12:17 +02:00
8c5910b1a6
[New Rule] Unsafe Docker Container Creation ( #3884 )
...
* [New Rule] Unsafe Docker Container Creation
* Update execution_potentially_overly_permissive_container_creation.toml
* Update execution_potentially_overly_permissive_container_creation.toml
* Update execution_potentially_overly_permissive_container_creation.toml
2024-07-17 15:03:07 +02:00
e5d08a2c38
[Rule Tuning] Updated setup guide ( #3885 )
...
* [Rule Tuning] Updated setup guide
* Update persistence_user_or_group_creation_or_modification.toml
* Update rules/linux/persistence_user_or_group_creation_or_modification.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* Update rules/linux/persistence_user_or_group_creation_or_modification.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-07-17 14:39:38 +02:00
56e8e059b6
[New Rules] Docker Entrypoint Netcon / Nsenter Escape ( #3883 )
...
* [New Rules] Docker entrypoint netcon / nsenter escape
* ++
* Update privilege_escalation_docker_escape_via_nsenter.toml
* Update privilege_escalation_docker_escape_via_nsenter.toml
* Better description formatting
* Update execution_egress_connection_from_entrypoint_in_container.toml
* Update privilege_escalation_docker_escape_via_nsenter.toml
2024-07-15 13:07:36 +02:00
82a0cc80a7
[New Rules] DPKG Execution/Installation ( #3879 )
...
* [New Rules] DPKG Execution/Installation
* Update rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
* Update persistence_dpkg_package_installation_from_unusual_parent.toml
* Update persistence_dpkg_unusual_execution.toml
* Update persistence_dpkg_unusual_execution.toml
2024-07-15 12:59:03 +02:00
21485b16fa
[Tuning & Changes] Misc rule/hunt tuning ( #3875 )
...
* [Tuning & Changes] Misc rule/hunt tuning
* Bump update_date
* ++
* Updated docs
2024-07-11 14:55:33 +02:00
6a2f5e7138
[Bug] Persistence ssh key generation index pattern ( #3873 )
...
* fix persistence_ssh_key_generation.toml
* Update persistence_ssh_key_generation.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-07-08 10:27:52 -03:00
64f0e258cb
[New Rule] Linux Shadow File Modification ( #3737 )
...
* [New Rule] Linux User Account Password Change
* Update rules/linux/persistence_user_password_change.toml
* Update persistence_user_password_change.toml
* Update persistence_user_password_change.toml
* Update persistence_user_password_change.toml
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-07-05 10:03:24 +02:00
b311d49c2a
[New Rules] Git Hook Execution/File Creation ( #3832 )
...
* [New Rules] Git Hook Execution/File Creation
* Update rules/linux/persistence_git_hook_file_creation.toml
* Update persistence_git_hook_process_execution.toml
2024-06-28 11:34:32 +02:00
f33c25b118
[New Rule] DNF Package Manager Plugin File Creation ( #3822 )
...
* [New Rule] DNF Package Manager Plugin File Creation
* Update persistence_dnf_package_manager_plugin_file_creation.toml
2024-06-28 11:14:48 +02:00
edc501accf
[New Rules] rc.local Execution Rules ( #3813 )
...
* [New Rules] rc.local Execution Rules
* ++
* Update rules/linux/persistence_rc_local_error_via_syslog.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-06-28 09:59:26 +02:00
cd4fe07c2c
[New Rule & Tuning] Systemd Generator Created ( #3801 )
2024-06-27 22:00:48 +02:00
e941645b2f
[Rule Tuning] rc.local/rc.common File Creation ( #3805 )
2024-06-27 21:50:49 +02:00
Ruben Groenewoud