963d01ba89
[New Rule] Kubernetes Suspicious Assignment of Controller Service Account ( #2298 )
...
* [New Rule] Kubernetes Suspicious Assignment of Controller Service Account
Issues
--
#2034
Summary
--
This rule detects a request to attach a controller service account to an existing or new pod running in the kube-system namespace. By default, controllers running as part of the API Server utilize admin-equivalent service accounts hosted in the kube-system namespace. Controller service accounts aren't normally assigned to running pods and could indicate adversary behavior within the cluster. An attacker that can create or modify pods or pod controllers in the kube-system namespace, can assign one of these admin-equivalent service accounts to a pod and abuse their powerful token to escalate privileges and gain complete cluster control.
* Update privilege_escalation_suspicious_assignment_of_controller_service_account.toml
updated query after testing
* Update non-ecs-schema.json
added new field used in query update
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-09-19 13:35:37 -04:00
a9364beef9
[New Rule] Kubernetes Denied Service Account Request ( #2299 )
...
* [New Rule] Kubernetes Denied Service Account Request
## Issue
#2040
## Summary
This rule detects when a service account makes an unauthorized request for resources from the API server. Service accounts follow a very predictable pattern of behavior. A service account should never send an unauthorized request to the API server. This behavior is likely an indicator of compromise or of a problem within the cluster. An adversary may have gained access to credentials/tokens and this could be an attempt to access or create resources to facilitate further movement or execution within the cluster.
* Update discovery_denied_service_account_request.toml
updated the query after testing to reduce false positives
* Update rules/integrations/kubernetes/discovery_denied_service_account_request.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-09-19 13:22:20 -04:00
99dcfe2055
[New Rule] Multiple Vault Web credentials were read ( #2281 )
...
* [New Rule] Multiple Vault Web credentials were read
https://github.com/elastic/detection-rules/issues/2164
* Update credential_access_saved_creds_vault_winlog.toml
* Update non-ecs-schema.json
* Update rules/windows/credential_access_saved_creds_vault_winlog.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-09-19 19:07:05 +02:00
812a54fc70
[New Rule] Custom Gmail Route Created or Modified - Google Workspace ( #2296 )
...
* adding new rule
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
* Update rules/integrations/google_workspace/collection_google_workspace_custom_gmail_route_created_or_modified.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* adjusted rule description
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-09-19 13:03:23 -04:00
4609a5e8fe
[New Rule] Scheduled Task Creation using winlog ( #2277 )
...
* [New Rule] Scheduled Task Creation using winlog
https://github.com/elastic/detection-rules/issues/2164 (T1053.005 - Scheduled Task)
- A scheduled task was created
- A scheduled task was updated
- Temp scheduled task (creation followed by deletion, rare and can be sign of proxy execution via schedule service)
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* toml-lint
* remote task
* Update non-ecs-schema.json
* waaaaaaaaaaaaaa
* Update persistence_scheduled_task_updated.toml
* Update persistence_scheduled_task_creation_winlog.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update lateral_movement_remote_task_creation_winlog.toml
* event.ingested
* Update lateral_movement_remote_task_creation_winlog.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update defense_evasion_persistence_temp_scheduled_task.toml
* Update rules/windows/lateral_movement_remote_task_creation_winlog.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-09-19 18:50:45 +02:00
fc8ec668b1
[New Rule] Brute Force Detection - Windows ( #2275 )
...
* [New Rule] Brute Force Detection - Windows
https://github.com/elastic/detection-rules/issues/2164 (T1110 - Brute Force)
- multiple logon failure from same source address in 10s maxspan
- 5 logon failure followed by success from same source address in 5s maxspan
* non ecs
* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
* fix error
* added bruteforce admin account and linted tomls
* Update credential_access_bruteforce_admin_account.toml
* Update rules/windows/credential_access_bruteforce_admin_account.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* related_rules
* 4625_errorcode_notes
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-09-19 18:43:28 +02:00
fa0310d0fb
[New Rule] Kubernetes Anonymous Request Authorized ( #2300 )
...
* [New Rule] Kubernetes Anonymous Request Authorized
## Issue
#2038
## Summary
This rule detects when an unauthenticated user request is authorized within the cluster. Attackers may attempt to use
anonymous accounts to gain initial access to the cluster or to avoid attribution of their activities within the cluster.
This rule excludes the /healthz, /livez and /readyz endpoints which are commonly accessed anonymously.
* [New Rule] Kubernetes Suspicious Change to Privileges of Running Security Context
## Issue
https://github.com/elastic/detection-rules/issues/2032
## Summary
* Delete non-ecs-schema.json
* Delete privilege_escalation_suspicious_change_to_privileges_of_running_security_context.toml
* Create non-ecs-schema.json
* Update detection_rules/etc/non-ecs-schema.json
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2022-09-19 11:33:09 -05:00
2ee5a185c7
Add test command to verify version collisions do not occur ( #2272 )
...
* Add test command to verify version collisions do not occur
* add max_allowable_version to schema and lock flow
* add max_allowable_version to all entries in version.lock
* add test-version-lock command
* use min supported stack if > locked min stack
* share lock conversion code with rule and lock to fix M.m bug
2022-09-19 09:53:30 -06:00
725f7f3480
Linux rule to detect potential ssh brute force attack ( #2291 )
...
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-09-19 20:26:18 +05:30
c2e7011ec6
break out the logic to a script and manual workflow ( #1908 )
...
* Break out the logic to a script and manual workflow with an option to skip staging files
2022-09-16 13:34:04 -04:00
ca2b3c2b7f
[New Rule] Full User-Mode Dumps Enabled System-Wide ( #2276 )
...
* [New Rule] Full User-Mode Dumps Enabled System-Wide
* Apply suggestions from review
* Update credential_access_generic_localdumps.toml
2022-09-15 16:57:00 -03:00
273c589bd4
RTA Deprecation ( #2303 )
2022-09-15 23:00:02 +05:30
ae2a98e3f7
[New Rule] Linux rule(s) to detect namespace manipulation,shadow file read ( #2283 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-09-14 22:01:46 +05:30
59297c836e
[New Rule] User Organizational Unit Changed - Google Workspace ( #2289 )
...
* adding new rule
* adjusting severity and risk
* Update rules/integrations/google_workspace/persistence_google_workspace_user_organizational_unit_changed.toml
2022-09-13 15:36:27 -04:00
e3040d8019
[Bug] Keyerror on rule-survey hits ( #2293 )
2022-09-13 11:38:29 -04:00
8c19e9ff6c
[New Rule] Bitlocker Settings Disabled - Google Workspace ( #2288 )
...
* adding new rule
* adjusted UUID
2022-09-12 16:06:01 -04:00
0358ec9d9a
Release ER Production RTAs to DR ( #2270 )
2022-09-08 12:50:39 -04:00
332ea40100
Cleanup rule survey code ( #1923 )
...
* Cleanup rule survey code
* default to only unique-ing on process name for lucene rules
* fix bug in kibana url parsing by removing redundant port from domain
* update search-alerts columns and nest fields
* fix rule.contents.data.index
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2022-09-06 15:53:47 -06:00
0fc8006e7a
Update RTA common.py for py3 ( #2287 )
...
* add run-all argument and initial p2 conversion
* remove unicode
* format with black
2022-09-01 09:16:39 -06:00
3ba777c1b1
[Rule Tuning] Disable Windows Firewall Rules via Netsh ( #2231 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-08-26 13:10:08 -04:00
6a6ef0ce11
[New Rule] Restrictions for Google Marketplace Modified to Allow Any App - Google Workspace ( #2268 )
...
* adding new rule
* adjusted UUID to address unit testing failures
* adjusted UUID to address unit testing failures
* adjusted references
2022-08-26 12:43:30 -04:00
bd6befb168
[New Rule] Google Drive Ownership Transferred ( #2265 )
...
* adding new rule
* adjusted query format
* adjusted file and rule name to include google workspace
* Update collection_google_drive_ownership_transferred_via_google_workspace.toml
Fixed a couple minor typos
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2022-08-26 12:41:10 -04:00
18df50443c
[Rule Tuning] Admin Role Assigned to User - Google Workspace ( #2266 )
...
* tuning rule query and att&ck mappings
* adjusted description and query formatting
* Update rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* adjusted risk and severity
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-08-26 12:35:44 -04:00
cd2539f1eb
[New Rule] User Group Access Modified to Allow External Access ( #2264 )
...
* adding new rule
* adjusting rule name, file name and description
* adjusted att&ck technique
* adjusted file and rule name to include google workspace
* adjusted references
* Update persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml
Fixed minor typo
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2022-08-26 12:25:29 -04:00
c0a339e277
[New Rule] 2SV Policy Disabled - Google Workspace ( #2271 )
...
* adding new rule
* adjusted file name, query and rule name
2022-08-26 12:22:54 -04:00
e5399bc148
[New Rule] Application Removed from Blocklist - Google Workspace ( #2267 )
...
* adding new rule
* Update rules/integrations/google_workspace/defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-08-26 12:16:41 -04:00
97e42d01d8
[Rule Tuning] SUNBURST Command and Control Activity ( #2232 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-08-26 13:11:22 -03:00
d37eac8d9d
Add test that newly introduced build-time fields for a min_stack for … ( #2262 )
...
* add test that newly introduced build-time fields for a min_stack for applicable rules.
* account for rules without min_stack_version
* limit test to >= stack ver
2022-08-25 21:56:16 -06:00
b19a02470b
Add TestRiskScoreMismatch ( #2254 )
2022-08-25 14:29:46 -03:00
5a04aaf671
[Bug] Integrations-Pr Command (Elastic-Package Linting and Version Adjustments) ( #2054 )
...
* started solution for integrations-pr bug
* Update devtools.py
* Update detection_rules/devtools.py
* Update detection_rules/devtools.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2022-08-24 14:01:30 -04:00
6ff7d2284d
Lock versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4 ( #2261 )
...
* Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4
* adjusting version lock file to increase current version by 100
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <terrance.dejesus@elastic.co >
2022-08-24 13:26:35 -04:00
46d5e37b76
min_stack all rules to 8.3 ( #2259 )
...
* min_stack all rules to 8.3
* bump date
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co >
2022-08-24 10:38:49 -06:00
023fbc7bbd
[Rule Tuning] Clearing Windows Event Logs ( #2233 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-08-23 21:41:30 -03:00
dfef597794
[Rule Tuning] Suspicious Child Process of Adobe Acrobat Reader Update Service ( #2192 )
2022-08-23 10:10:40 -04:00
2204459e73
[Rule Tuning] Finder Sync Plugin Registered and Enabled ( #2172 )
2022-08-23 09:59:43 -04:00
2326b30a87
[Rule Tuning] Suspicious Browser Child Process ( #2138 )
2022-08-23 09:56:23 -04:00
c5ff8511a9
[Rule Tuning] Abnormal Process ID or Lock File Created ( #2113 )
...
* [Rule Tuning] Abnormal Process ID or Lock File Created
* Update rules/linux/execution_abnormal_process_id_file_created.toml
* Update execution_abnormal_process_id_file_created.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-08-23 09:59:31 -03:00
6631c4927d
[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created ( #2240 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-08-23 09:43:09 -03:00
6e2d20362a
[Rule Tuning] Standardizing Risk Score according to Severity ( #2242 )
2022-08-21 22:29:39 -03:00
fbfe1e3530
set typing-inspect requirement to 0.7.1 ( #2248 )
2022-08-17 22:17:16 -04:00
d3420e3386
[Deprecate Rule] Suspicious Process from Conhost ( #2222 )
...
only FPs with no way to tune other than opening the rule for easy evasion by excluding by process.executable/args).
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-08-16 16:32:24 +02:00
8e0ae64a04
[Rule Tuning] Whoami Process Activity ( #2224 )
...
* added Whoami Process Activity
* Update discovery_whoami_command_activity.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-08-16 16:26:10 +02:00
0f7b29918c
[Rule Tuning] Suspicious Execution via Scheduled Task ( #2235 )
...
Excluding`?:\\ProgramData` and few other noisy FP pattern by process.args + name to reduce users alert fatigue.
2022-08-15 21:50:23 +02:00
b89d6185b2
[Rule Tuning] Reduce FPs ( #2223 )
...
9 rules tuned to exclude common noisy FP patterns.
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-08-15 09:15:48 -05:00
cb2ca45d56
Locked versions for releases: 7.16,8.0,8.1,8.2,8.3,8.4 ( #2236 )
...
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-08-10 09:18:59 -04:00
e7a1afbba0
only run on pull request ( #2237 )
2022-08-09 21:21:30 -04:00
2a3b584433
Prep for 8.5 branch ( #2220 )
...
* adding first commit
* renamed branch
* adjusted packages, stack schema and updated schemas
* updated integrations manifest
* adjusted comments to be a little more organized
* adjusted stack-schema-map
* refreshed ecs and beats schema, adjusted stack schema map accordingly
2022-08-09 17:14:42 -04:00
fc7a384d19
[Security Content] 8.4 - Add Investigation Guides - Windows - 2 ( #2144 )
...
* [Security Content] 8.4 - Add Investigation Guides - Windows - 2
* update date
* Apply suggestions from review
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2022-08-08 21:34:05 -03:00
89cdae87c5
only add related_integration if on the correct stack ( #2234 )
2022-08-08 18:41:56 -04:00
7d973a3b07
add new field related_integrations to the post build ( #2060 )
...
* add new field `related_integrations` to the post build
* add exception for endpoint `integration`
* Skip rules without related integrations
* lint
* refactor related_integrations to TOMLRuleContents class
* update to reflect required_fields updates
* add todo
* add new line for linting
* related_integrations updates, get_packaged_integrations returns list of dictionaries, started work on integrations py
* build_integrations_manifest command completed
* initial test completed for post-building related_integrations
* removed get_integration_manifest method from rule, removed global integrations path
* moved integration related methods to integrations.py and fixed flake issues
* adjustments for PipedQuery from eql sequence rules and packages with no integration
* adjusted github client import for integrations.py
* Update detection_rules/devtools.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update detection_rules/devtools.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added integration manifest schema, made adjustments
* Update detection_rules/integrations.py
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* removed get_integrations_package to consolidate code
* removed type list return
* adjusted import flake errors
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* adjusted indentation error
* adjusted rule.get_packaged_integrations to account for kql.ast.OrExpr if event.dataset is not set
* Update detection_rules/devtools.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update detection_rules/devtools.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* adjusted find_least_compatible_version in integrations.py
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* fixed flake issues
* adjusted get_packaged_integrations
* iterate the ast for literal event.dataset values
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update detection_rules/integrations.py
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* made small adjustments to address errors during build manifests command
* addressing integrations.find_least_compatible method to return None instead of raise error only
* Update detection_rules/integrations.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-08-08 13:44:36 -04:00
Isai