shashank-elastic
3ed8c56942
DR Linux Rule Tuning 8.9 (#2859)
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-07-10 20:02:42 +05:30
Ruben Groenewoud
e5d6d6e4a7
[New Rule] sus cmds executed by unknown executable (#2858)
* [New Rule] sus cmds executed by unknown executable
* added an event.action filter
* Added endgame support, fixed stack version comment
* Update execution_suspicious_executable_running_system_commands.toml
* Update rules/linux/execution_suspicious_executable_running_system_commands.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update execution_suspicious_executable_running_system_commands.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-07-06 17:32:56 +02:00
Ruben Groenewoud
4e0b7427b7
[New Rules] ftp/rdp bruteforce (#2910)
* [New Rules] ftp/rdp bruteforce
* Update credential_access_potential_successful_linux_ftp_bruteforce.toml
* Update credential_access_potential_successful_linux_rdp_bruteforce.toml
* Update non-ecs-schema.json
* Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-07-06 17:16:01 +02:00
Ruben Groenewoud
d5dee5a6c8
[New Rules] sysctl and modprobe enumeration (#2844)
* [New Rules] sysctl and modprobe enumeration
* Update discovery_linux_modprobe_enumeration.toml
* Update discovery_linux_sysctl_enumeration.toml
* reverted manifest/schema update
* updated tags
* Update discovery_linux_modprobe_enumeration.toml
2023-07-06 16:46:54 +02:00
Ruben Groenewoud
64b3fa8d1d
[New Rule] Kernel Load/Unload via Kexec Detected (#2846)
* [New Rule] Kernel Load/Unload via Kexec
* Added additional references
* changed rule name
* changed the query to be more precise
* Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* changed description based on feedback
* Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
2023-07-06 16:03:27 +02:00
Ruben Groenewoud
646c316b66
[New Rules] Linux Reverse Shells (#2905)
* [New Rules] Linux Reverse Shells
* [New Rules] Linux Reverse Shells
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/execution_shell_via_java_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/execution_shell_via_java_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/execution_shell_via_java_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Delete UDP rule to add in separate PR
* Update rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Deleted one rule and tuned the others
* Improved the rules' performance
* Added the reverse_tcp rule back after tuning
* Update execution_shell_via_lolbin_interpreter_linux.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-07-06 15:27:57 +02:00
Ruben Groenewoud
78055bbeee
[New Rule] Suspicious Proc Enumeration (#2845)
* [New Rule] Suspicious Proc Enumeration
* Update rules/linux/discovery_suspicious_proc_enumeration.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/linux/discovery_suspicious_proc_enumeration.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
* fix tags
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
2023-07-04 11:34:56 +02:00
Ruben Groenewoud
7a1f376a34
[New Rules] Conversion of deprecated ERs over to DRs (#2877)
* [Conversion] Data Encrypted via OpenSSL
* [Conversion] sus funzip extraction/decompression
* [Conversion] LD_PRELOAD env var process injection
* fix unit testing failure
* suspecting endgame incompatibility
* fixed typo
* added LD_LIBRARY_PATH
* Update defense_evasion_ld_preload_env_variable_process_injection.toml
* Update defense_evasion_ld_preload_env_variable_process_injection.toml
* Added exclusions for FPs
* Update rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/impact_data_encrypted_via_openssl.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-07-02 10:39:44 +02:00
Ruben Groenewoud
9794f8f0af
[New Rule] Postgresql Code Execution (#2863)
* [New Rule] Postgresql Code Execution
* Update rules/linux/execution_remote_code_execution_via_postgresql.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update execution_remote_code_execution_via_postgresql.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-30 13:17:24 +02:00
eric-forte-elastic
aaa4ce2ea0
[BUG] test_all_rule_queries_optimized does not run on rules (#2823)
* Fixed kql -> kuery in test_all_rule_queries_opt...
* all queries optimized
* manually reconciled all rules that failed due to toml escaped chars
* merge rules from main
* Rules needing optimization
* Fix optimized note
* fix another note
* another note fix
* fixing whitespace
* Updated for readability
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-23 10:58:31 -04:00
Jonhnathan
b4c84e8a40
[Security Content] Tags Reform (#2725)
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-22 18:38:56 -03:00
Ruben Groenewoud
7c5f17e30c
[New Rules] User / Group Creation & Privileged Group Addition (#2546)
* [New Rules] user/group creation
* Update rules/linux/persistence_linux_group_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/persistence_linux_user_account_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* added backdoor user account
* added host.os.type == linux for unit testing fix
* unit testing fixes
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Added OSQuery to Investigation Guides
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* removed investigation guides to add in future PR
* Fixed some issues with the rules
* fixed typo
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_linux_user_account_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_linux_group_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-22 15:15:48 +02:00
Ruben Groenewoud
71186c8788
[Rule Tuning] Potential Persistence Through Run Control Detected (#2857)
* [Rule Tuning] changed rule type to new_terms
* Updated min stack comment
* Update persistence_rc_script_creation.toml
* Changed description, removed file.path from new_terms field because it is not necessary
* added host.id to new terms field and bumped up min stack
2023-06-22 13:39:36 +02:00
Ruben Groenewoud
7d64dc2a87
[Rule tunings / New Rule] Kernel Unload and Enumeration (#2838)
* [Rule Tunings] Kernel Module Enumeration / Removal
* [Rule Tunings] Kernel Module Enumeration and Removal
* Deleted copy of wrong file
* EQL Conversion and made the rule more resilient
* Converted rules to EQL and made rules more resilient
* Removed unwanted rule from PR
* fixed unit tests
* fixed unit testing, removed endgame support
* Added a rule to detect kernel module enum via proc
* Did some additional tuning, 0 hits in RedSector now
2023-06-22 10:11:52 +02:00
Ruben Groenewoud
dc05f1d8f3
[New Rule] Sus Network Activity from Unknown Executable (#2856)
* [New Rule] Sus Network Activity from Unknown Executable
* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* added endgame support, changed min stack comment
* Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-14 23:27:29 +02:00
Ruben Groenewoud
b4a218ed1c
[New Rule] Shared Object Created (#2848)
* [New Rule] Shared Object Created or Changed
* Removed sub technique
* Update rules/linux/persistence_shared_object_creation.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* changed description slightly
* Update rules/linux/persistence_shared_object_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_shared_object_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* added T1574.006
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-06-13 22:51:07 +02:00
Ruben Groenewoud
4f9f28c370
[New Rules] Cron Job / Systemd Service Creation (#2847)
* [New Rules] Cron Job/Systemd Service Creation
* Added execution to tags
* Added additional EndGame Support
* Update rules/linux/persistence_cron_job_creation.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
* Update rules/linux/persistence_systemd_service_creation.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
---------
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
2023-06-13 09:44:44 +02:00
Ruben Groenewoud
644d2f5b26
[New Rule] New Systemd Timer Created (#2601)
* [New Rule] New Systemd Timer Created
* improve query runtime performance
* added process.name entries for alert reduction
* attempt to fix gh unit testing failure
* added host.os.type==linux to fix unit test error
* Added OSQuery to investigation guides
* added additional process names
* removed investigation guides to add in future PR
* removed investigation guide tag
* Changed rule to new_terms rule to reduce FPs
* fixed query
* formatting fix
* Learnt another thing about KQL.. Formatting fix.
* unit test fix
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
2023-06-13 09:15:47 +02:00
Jonhnathan
05aac4f371
[Security Content] Add Investigation Guides to Windows rules (#2678)
* [Security Content] Add Investigation Guides to Windows rules
* Update privilege_escalation_service_control_spawned_script_int.toml
* Update execution_reverse_shell_via_named_pipe.toml
* Apply suggestions from code review
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update execution_command_prompt_connecting_to_the_internet.toml
---------
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2023-05-26 10:25:41 -03:00
Jonhnathan
0d5e25e896
[Rule Tuning] Interactive Terminal Spawned via Python (#2781)
* [Rule Tuning] Interactive Terminal Spawned via Python
* Update execution_python_tty_shell.toml
* Update execution_python_tty_shell.toml
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-05-26 10:19:35 -03:00
Ruben Groenewoud
54c5c17aa3
[Rule Tuning & Addition] Potential Linux SSH Brute Force (#2583)
* [Rule tuning & Addition] SSH Bruteforce
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* fixed rule_id change, added additional cidr match
* added host.os.type==linux
* Update credential_access_potential_linux_ssh_bruteforce_internal.toml
* Formatting style change
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Added related rules suggestion
* Added related rule suggestion
* added additional internal ip ranges
* added additional internal ip ranges
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-05-25 12:00:44 +02:00
Ruben Groenewoud
9ebffb44ff
[New Rules] Ransomware Encryption & Note Creation (#2652)
* [New Rules] Ransomware Encryption & Note Creation
* changed description
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-05-16 11:30:00 +02:00
shashank-elastic
1293365a7f
Rule to detect Potential Linux Credential Dumping via Proc Filesystem (#2751)
2023-05-05 22:23:15 +05:30
Ruben Groenewoud
26258f806a
[New Rules] Persistence through MOTD (#2608)
* [New Rules] Persistence through MOTD
* fixed unit error test by adding timestamp_override
* Update rules/linux/persistence_message_of_the_day_execution.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* added host.os.type == "linux"
* removed ability to bypass chmod by using e.g. 700
* Added endgame support, changed query
* Changed query
* updated risk_score
* added OSQuery to investigation guides
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* removed investigation guides to add in future PR
* removed investigation guide tag
* Changed rule to new terms rule for FP reduction
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-05-05 10:29:15 +02:00
Ruben Groenewoud
1aea1ee9bb
[New rule] Sus File Creation in init.d for Persistence Detected (#2653)
* [New Rule] Init.d File and Service Creation
* Changed rule name
* [New Rule] Sus File Creation init.d Persistence
* Added Endgame compatibility
* added touch
* Added OSQuery to investigation guide
* added additional processes
* removed investigation guide to add in sep PR
* changed rule name
* removed investigation guide tag
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update persistence_init_d_file_creation.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-05-05 09:54:42 +02:00
Ruben Groenewoud
09719dd0c5
[Rule Tuning] Potential Shell via Web Server (#2585)
* tuned web shell logic, and converted to EQL
* Removed old, created new rule to bypass "type" bug
* Revert "Removed old, created new rule to bypass "type" bug"
This reverts commit e994b62ecb838f73fa56d145e529169ebd2f5133.
* Revert "tuned web shell logic, and converted to EQL"
This reverts commit 28bda94b846cbb4ae1a084e707db2b6df458a7ca.
* Deprecated old rule, added new
* formatting fix
* removed endgame index
* Fixed changes captured as edited, not created
* Update rules/linux/persistence_shell_activity_through_web_server.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* fix conflict
* added host.os.type==linux for unit testing
* removed wildcards in process.args
* Update rules/linux/persistence_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* fixed conflict by changing file name and changes
* Trying to resolve the GH conflict
* attempt to fix GH conflict #2
* Update persistence_shell_activity_by_web_server.toml
* Added endgame support
* Added OSQuery to investigation guide
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* removed investigation guide to add in future PR
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-05-05 09:47:49 +02:00
shashank-elastic
855ba16299
Linux Rule Tuning (#2753)
2023-05-02 19:12:13 +05:30
shashank-elastic
cd5bc2c44b
Update file path regex for /run (#2749)
2023-04-26 14:02:16 +05:30
shashank-elastic
0107e0fcaa
Detect Threat indicators for VMware ESXi servers (#2708)
2023-04-25 20:17:16 +05:30
shashank-elastic
2996c79ff4
Detect Mount Execution With Hidepid Parameter (#2706)
2023-04-22 08:00:30 +05:30
shashank-elastic
2705df81e2
Tune Shell evasion Rule to incorporate GTFOArgs shell evasion (#2687)
2023-04-20 18:35:18 +05:30
shashank-elastic
f7aa477536
Correct Event Action to include endgame event schema (#2610)
2023-04-20 17:28:01 +05:30
shashank-elastic
94baa89ea8
New Rule to identify defense evasion via PRoot (#2625)
2023-04-20 17:14:01 +05:30
Ruben Groenewoud
0d1fca454a
New Rule: Suspicious Mining Process Creation Event (#2531)
* New Rule: Suspicious Mining Process Creation Event
* added host.os.type==linux
* trying to fix unit testing
* Revert "trying to fix unit testing"
This reverts commit ab3f371300fa400baa287b54e5f38b4855fc6512.
* unit testing fix attempt
* Revert "unit testing fix attempt"
This reverts commit 8b59343a5923a004423cf665b167611ef0129a9d.
* added endgame support
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-03-21 16:35:25 +01:00
Ruben Groenewoud
eab30d7456
[Rule Tuning] Namespace Manipulation Using Unshare (#2599)
* [Rule Tuning] Namespace Manipulation Using Unshare
* reverted updated_date change
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-03-20 07:36:47 -03:00
Ruben Groenewoud
672211500c
[Rule Fix] Privileged SSH Brute Force Detected (#2595)
2023-03-14 15:42:58 -04:00
Ruben Groenewoud
f52a744259
[New Rule] RC Script Creation (#2607)
* [New Rule] RC Script Creation
* fixed unit testing error
* Update rules/linux/persistence_rc_script_creation.toml
* Update rules/linux/persistence_rc_script_creation.toml
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
* added host.os.type==linux
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-03-14 15:03:41 -04:00
Ruben Groenewoud
1a5bc7e924
[Rule Tuning] Abnormal PID or Lock File Created (#2600)
2023-03-14 14:37:00 -04:00
Justin Ibarra
59da2da474
[Rule Tuning] Ensure host information is in endpoint rule queries (#2593)
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-03-05 11:41:19 -07:00
shashank-elastic
5f83433ecb
New Rule to identify potential linux credential dumping (#2604)
2023-03-01 21:00:02 +05:30
shashank-elastic
539cd945a9
New Rule to identify iptables or firewall disabling. (#2591)
2023-03-01 17:14:45 +05:30
Ruben Groenewoud
66359012c3
[Rule Tuning] Potential Shadow File Read via CLI (#2594)
2023-02-28 18:26:38 +01:00
Mika Ayenson
1784429aa7
[FR] Add Integration Schema Query Validation (#2470)
2023-02-02 16:22:44 -05:00
Jonhnathan
8e02c60ef6
[Rule Tuning] Enclose Rule Conditions within Parenthesis (#2486)
2023-01-31 16:56:19 -03:00
Samirbous
e737b4eb7c
[Tuning] added T1021.006 and T1563.001 (#2497)
* Update lateral_movement_incoming_winrm_shell_execution.toml
* Update lateral_movement_powershell_remoting_target.toml
* Update persistence_ssh_authorized_keys_modification.toml
* Update persistence_credential_access_modify_ssh_binaries.toml
* Update credential_access_potential_linux_ssh_bruteforce_root.toml
* Update persistence_ssh_authorized_keys_modification.toml
* Update persistence_ssh_authorized_keys_modification.toml
* Update persistence_ssh_authorized_keys_modification.toml
2023-01-27 19:51:22 +00:00
Jonhnathan
77c8665f11
[Rule Tuning] Add endgame support for Linux Rules (#2436)
* [Rule Tuning] Add endgame support for Linux Rules
* [Rule Tuning] Add endgame support for Linux Rules
* .
* Update persistence_insmod_kernel_module_load.toml
2023-01-23 20:53:15 -03:00
Jonhnathan
9981cca275
[Security Content] Investigation Guides Line breaks refactor (#2454)
* [Security Content] Investigation Guides Line breaks refactor (#2412)
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
* Remove changes to deprecated rules
* Update command_and_control_certutil_network_connection.toml
2023-01-09 13:28:10 -03:00
Terrance DeJesus
b1a689b6fd
Revert "[Security Content] Investigation Guides Line breaks refactor (#2412)" (#2453)
This reverts commit d1481e1a88.
2023-01-09 10:44:54 -05:00
Jonhnathan
d1481e1a88
[Security Content] Investigation Guides Line breaks refactor (#2412)
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
2023-01-09 11:56:39 -03:00
shashank-elastic
896a25bc0f
Refactor file path name (#2452)
2023-01-05 22:10:55 +05:30