98fe04217b
[Security Content] Add Windows Investigation Guides ( #3095 )
...
* [Security Content] Add Windows Investigation Guides
* Update defense_evasion_rundll32_no_arguments.toml
* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml
* Update privilege_escalation_posh_token_impersonation.toml
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update execution_ms_office_written_file.toml
* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml
* Update rules/windows/defense_evasion_rundll32_no_arguments.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_registry_modification.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_registry_modification.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/execution_ms_office_written_file.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_via_wmi_stdregprov_run_services.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update privilege_escalation_posh_token_impersonation.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
(cherry picked from commit eb7c5f6717
2023-12-08 14:36:22 +00:00
ab0c5154a2
[New Rule] Suspicious File Creation via Kworker ( #3237 )
...
* [New Rule] Suspicious File Creation via Kworker
* Update rules/linux/persistence_kworker_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 840958d117
2023-12-07 22:06:53 +00:00
2e585eab84
[New Rule] Out-Of-Tree Kernel Module Load ( #3233 )
...
* [New Rule] Out-Of-Tree Kernel Module Load
* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml
* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 490fa0e1d2
2023-12-07 21:58:26 +00:00
84240c082e
[New BBR] Pot. Persistence Through Systemd-udevd ( #3235 )
...
* [New BBR] Persistence Through Systemd-udevd
* Formatting change
* Update rules_building_block/persistence_udev_rule_creation.toml
* Update rules_building_block/persistence_udev_rule_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules_building_block/persistence_udev_rule_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 07b1cab919
2023-12-07 21:47:32 +00:00
07c235988f
[New Rule] UID Elevation from Unknown Executable ( #3239 )
...
* [New Rule] UID Elevation from Unknown Executable
* type change
* bump min stack
* Added additional exclusions
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 9c61231dc6
2023-12-07 21:30:05 +00:00
39c81d157b
[New Rule] Suspicious Kworker UID Elevation ( #3238 )
...
* [New Rule] Suspicious Kworker UID Elevation
* Update privilege_escalation_kworker_uid_elevation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 1071b12f00
2023-12-07 20:04:07 +00:00
315e5e9bca
[New] Rare SMB Connection to the Internet ( #3300 )
...
* Create exfiltration_smb_rare_destination.toml
* Update exfiltration_smb_rare_destination.toml
* Update exfiltration_smb_rare_destination.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 7070eb3b34
2023-12-07 16:15:40 +00:00
67449e26a5
[Rule Tuning] UEBA new_terms process_executable ( #3268 )
...
* [Rule Tuning] UEBA new_terms process_executable
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 1647a16fab
2023-12-07 15:43:09 +00:00
6c28ba53ad
[Tuning] Small Linux DR Tuning ( #3287 )
...
(cherry picked from commit 38862b89e9
2023-12-07 11:50:11 +00:00
1ae2cdeca5
[New] Process Created with a Duplicated Token ( #3152 )
...
* [New] Process Created with a Duplicated Token
using `process.Ext.effective_parent.executable` to detect impersonation using token duplicates from windows native binaries to run common lolbins or recently dropped unsigned ones :
* Update privilege_escalation_create_process_with_token_unpriv.toml
* Update privilege_escalation_create_process_with_token_unpriv.toml
* Update rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update privilege_escalation_create_process_with_token_unpriv.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 7488c60090
2023-12-07 11:25:37 +00:00
3d40a09531
Fix syntax error in query ( #3285 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit a4ad0b6a24
2023-12-07 10:54:00 +00:00
f128070ae5
[Rule Tuning] Multiple Users with the Same Okta Device Token Hash ( #3304 )
...
* tuning rule; adding investigation guide
* updated MITRE ATT&CK
* updated file name
* Updating description
* updated investigation guide
* fixed ATT&CK mappings; updated tags
(cherry picked from commit 5e1546c57c
2023-12-06 15:41:15 +00:00
8e6a01e9ee
[Rule Tuning] Windows DR Tuning - 5 ( #3229 )
...
* [Rule Tuning] Windows DR Tuning - 5
* .
* Revert changes BehaviorOnFailedVerify
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit e5d676797e
2023-12-05 22:25:53 +00:00
f931ba4ef6
[New] Interactive Logon by an Unusual Process ( #3299 )
...
* Create privilege_escalation_make_token_local.toml
* Update privilege_escalation_make_token_local.toml
* Update privilege_escalation_make_token_local.toml
(cherry picked from commit e6df245ff3
2023-12-05 17:39:36 +00:00
7df6661596
Adjust ESQLRuleData to Inherit QueryRuleData Dataclass ( #3297 )
...
* adjusting inheritance of ESQL rule data
* update tests to handle missing index from QueryRuleData
* removed test es|ql rule
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
(cherry picked from commit 5358361754
2023-11-30 14:12:26 +00:00
5bceaa3e01
Update QueryRuleData ( #3294 )
...
(cherry picked from commit f7b9a1f8df
2023-11-29 15:48:08 +00:00
53c4ff1fdc
FR] Add Core Support for ES|QL Rule Type ( #3292 )
...
(cherry picked from commit bc39c20eaf
2023-11-28 19:08:40 +00:00
1d05f49436
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 ( #3291 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit ba7b2722c2
2023-11-28 17:35:57 +00:00
7a383770bc
[New Rule] Okta FastPass Phishing ( #2782 )
...
* Create initial_access_fastpass_phishing.toml
* Rename initial_access_fastpass_phishing.toml to initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
* Update rules/integrations/okta/initial_access_okta_fastpass_phishing.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 1f47e3c1a9
2023-11-28 14:31:33 +00:00
e1e8b12f26
[New Rule] Okta MFA Bombing Attempt ( #3278 )
...
* new rule 'Potential Okta MFA Bombing via Push Notifications'
* updated naming
* TOML lint
* adjusted duplicate rule ID
* added event category override; added until sequence statement
* added verify authentication success
* moved setup to separate field
* enhanced query optimization
(cherry picked from commit e6fef85899
2023-11-28 14:21:18 +00:00
23ef78cb60
[New Rule] Adding Detection for Multiple Okta Users with the Same Device Token Hash ( #3267 )
...
* added new rule 'Multiple Okta Users with the Same Device Token Hash'
* moved rule to okta integration folder
* adjusted query to be optimized
* added false positive comment
* Update rules/integrations/okta/initial_access_multiple_active_users_from_single_device.toml
(cherry picked from commit 69cb2f6fc6
2023-11-28 00:28:48 +00:00
c8e4d378ff
[New Rule] Threshold Detections for Okta User Sessions and Client Addresses ( #3263 )
...
* new Okta threshold rules for client addresses and sessions
* adjusting references
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/initial_access_multiple_client_addresses_with_single_okta_session.toml
* Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 0578bd4caa
2023-11-28 00:07:58 +00:00
fdeeb7bc67
[New Rule] Detection for Okta Sign-In Events via Third-Party IdP ( #3259 )
...
* adding new rule 'Okta Sign-In Events via Third-Party IdP'
* fix creation date
* fixed query efficiency
* added investigation guide
* Update rules/integrations/okta/initial_access_sign_in_events_via_third_party_idp.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 8eeb95f545
2023-11-27 23:36:25 +00:00
4d5b8c6f2d
adding new rule 'New Okta Identity Provider (IdP) Added by Admin' ( #3258 )
...
(cherry picked from commit 73288af642
2023-11-27 23:11:58 +00:00
3808d01776
[New Rule] Adding Detection for First Occurrence of Okta User Session Started via Proxy ( #3261 )
...
* new rule 'First Occurrence of Okta User Session Started via Proxy'
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
* Update rules/integrations/okta/initial_access_first_occurrence_user_session_started_via_proxy.toml
(cherry picked from commit 8321cfe018
2023-11-27 22:55:16 +00:00
a6b6f9279f
[New Rule] Adding Detection for New Okta Authentication Behavior ( #3260 )
...
* new rule 'New Okta Authentication Behavior Detected'
* Update rules/integrations/okta/initial_access_new_authentication_behavior_detection.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit f19506f3a2
2023-11-27 22:44:18 +00:00
d171b9a442
[New] First Time Seen NewCredentials Lgon Process ( #3276 )
...
* Create privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 88f752bf8b
2023-11-27 18:42:41 +00:00
0c9509d093
Setup Guide information for MacOS rules ( #3274 )
...
(cherry picked from commit 7854081cc0
2023-11-22 14:53:34 +00:00
4e5ad462c3
[New Rule] Adding Detection Logic for Okta User Sessions Started from Different Geolocations ( #3279 )
...
* new rule 'Okta User Sessions Started from Different Geolocations'
* Update rules/integrations/okta/initial_access_okta_user_sessions_started_from_different_geolocations.toml
(cherry picked from commit 832ee02aed
2023-11-21 22:37:18 +00:00
61bbcfec52
Add UEBA Tag ( #3277 )
...
(cherry picked from commit 93ad4b0959
2023-11-20 19:56:28 +00:00
dd49bcc535
[Bug] Fix typo in downgrade_contents_from_rule ( #3272 )
...
* Fix missing to_dict()
* Update pyproject.toml
(cherry picked from commit 66c1d7f3b4
2023-11-15 04:11:25 +00:00
337f11fa7c
[Rule Tuning] Fix Menasec Expired Links ( #3271 )
...
(cherry picked from commit f53f46efd5
2023-11-14 13:24:35 +00:00
b342660c3a
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11 ( #3270 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 9195eedb9c
2023-11-13 19:51:15 +00:00
8fee26a296
Enhance Setup Guide information ( #3256 )
...
(cherry picked from commit d52546eee5
2023-11-03 13:42:18 +00:00
96f7803431
[Bug] Add Integration Schema Validation to NewTermsRuleData.validate Method ( #3227 )
...
* adjusted validation method to include integration schema checks
* fixed linting errors
* re-factored NewTermsRuleData and added unit testing
(cherry picked from commit 829f5ea885
2023-11-02 20:58:10 +00:00
73c239557b
[New BBR] Segfault Detected ( #3240 )
...
* [New BBR] Segfault Detected
* Update rules_building_block/execution_linux_segfault.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules_building_block/execution_linux_segfault.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit dff4633dd4
2023-11-02 08:47:06 +00:00
396bfc5bec
[New BBR] Kernel Driver Load ( #3236 )
...
* [New BBR] Kernel Driver Load
* added event.dataset to the query
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 967f6a4c89
2023-11-02 08:39:10 +00:00
4c6fc3496c
[FR] Adjust Prebuilt Rules Packaging to Use Elastic Package v3 ( #3252 )
...
* Adding support for elastic package version 3
* replaced OS with Pathlib where applicable
* added sub-dataclasses for V3
* fixed flake errors
* adjusted registry dataclasses to inherit base
Removed changes from:
- detection_rules/etc/packages.yml
(selectively cherry picked from commit cdeb398ab3
2023-11-01 16:54:01 +00:00
8415bedf0f
[FR] Support missing events ( #3153 )
...
(cherry picked from commit d0b0216362
2023-10-31 21:27:08 +00:00
b9e6c13e93
Pin python packages ( #3249 )
...
(cherry picked from commit 5722257119
2023-10-30 18:00:13 +00:00
c13ba83a91
Setup information for Linux Rules - Set8 ( #3200 )
...
(cherry picked from commit 5c5d1b214b
2023-10-30 15:35:24 +00:00
9191b3e9f1
[New Rule] Adding Beaconing Rules from Advanced Analytic Beaconing Package ( #3128 )
...
* Adding beaconing rules
* Update rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
* Update rules/integrations/beaconing/command_and_control_beaconing.toml
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
* Updating min stack version
* added beaconing to manifests and schemas; updated rules
---------
Co-authored-by: Kirti Sodhi <109447885+sodhikirti07@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit a4f9cf4616
2023-10-30 14:12:37 +00:00
4bde69f1ad
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform ( #3157 )
...
(cherry picked from commit a568c56bc1
2023-10-30 11:29:26 +00:00
c16adb4f98
[Rule Tuning] Tainted Kernel Module Load ( #3234 )
...
* [Rule Tuning] Tainted kernel module load
* Update persistence_tainted_kernel_module_load.toml
* Update rules_building_block/persistence_tainted_kernel_module_load.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit ad25c922fd
2023-10-30 08:55:51 +00:00
9bda5bd276
[New Rule] Attempt to Clear Kernel Ring Buffer ( #3217 )
...
* [New Rule] Attempt to Clear Kernel Ring Buffer
* Update defense_evasion_clear_kernel_ring_buffer.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 618a1dbe06
2023-10-30 08:43:33 +00:00
e4e00ae8e1
[Tuning] Access to Stored Browser Credentials ( #3066 )
...
* Exclude FPs
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 6400bb3237
2023-10-27 20:16:11 +00:00
2e0afa9aa9
[Rule Tuning] Review and Tune Potential Malicious File Downloaded from Google Drive ( #3197 )
...
* added tuning to remove signed binaries and benign processes
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit e7db39a492
2023-10-27 18:19:14 +00:00
7d5204162e
[Rule Tuning] Windows DR Tuning - 4 ( #3214 )
...
* [Rule Tuning] Windows DR Tuning - 4
* Update credential_access_remote_sam_secretsdump.toml
(cherry picked from commit 1133b3a8a9
2023-10-27 00:05:45 +00:00
55661b1239
Cleanup saved_query references ( #3205 )
...
(cherry picked from commit a808130390
2023-10-26 23:13:57 +00:00
58b00a9996
[Rule Tuning] Windows DR Tuning - 3 ( #3212 )
...
* [Rule Tuning] Windows DR Tuning - 3
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_moving_registry_hive_via_smb.toml
(cherry picked from commit 3d73427e29
2023-10-26 22:05:25 +00:00
Jonhnathan