9e781091cd
Changing naming terminology ( #1671 )
...
(cherry picked from commit 0bdb6dec2f
2021-12-16 19:21:36 +00:00
0386728a6a
[New Rule] PowerShell Suspicious Script with Screenshot Capabilities ( #1581 )
...
* Create collection_posh_screen_grabber.toml
* Update collection_posh_screen_grabber.toml
* Update collection_posh_screen_grabber.toml
* Update collection_posh_screen_grabber.toml
* Update rules/windows/collection_posh_screen_grabber.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update query condition
* lint
* Update execution_python_tty_shell.toml
* Revert "Update execution_python_tty_shell.toml"
This reverts commit d2d72ea5726415caca8786d59446b6dd60dcee54.
* Update collection_posh_screen_grabber.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 899642dd78
2021-12-14 22:32:39 +00:00
1b123098a3
[New Rules] PowerShell Suspicious Payload Encoded and Compressed ( #1580 )
...
* Create defense_evasion_posh_compressed.toml
* Update defense_evasion_posh_compressed.toml
* Add GzipStream, cover common variations withou using wildcard
* Update defense_evasion_posh_compressed.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Add false_positives
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit f2a28e49fb
2021-12-14 22:27:06 +00:00
56dc73f7fa
[Rule Tuning] Bump max_signals on Endgame Promotion Rules ( #1662 )
...
* bump endgame max_signals to 10000
* bump updated_date
(cherry picked from commit 9cc342dab7
2021-12-14 14:54:18 +00:00
c44d51675d
[Rule tuning] fix name for GCP Kubernetes Rolebindings Created or Patched ( #1661 )
...
(cherry picked from commit 9a60d7a26a
2021-12-13 18:02:03 +00:00
634dafa8b9
Lock versions for releases: 7.13,7.14,7.15,7.16 ( #1659 )
...
* Locked versions for releases: 7.13,7.14,7.15,7.16
(cherry picked from commit a33de6bfb8
2021-12-11 04:08:06 +00:00
6b0717c258
[New Rule] Potential JAVA/JNDI Exploitation Attempt ( #1658 )
...
* [New Rule] Potential JAVA/JNDI Exploitation Attempt
Identifies an outbound network connection by JAVA to LDAP, RMI or DNS standard ports followed by a suspicious JAVA child processes. This may indicate an attempt to exploit a JAVA/DNI injection vulnerability.
* rule ID
* expanded JAVA/DNI to Java Naming and Directory Interface
* added ruby and php to list of suspchildprocs
* Update execution_suspicious_java_netcon_childproc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 7978b3cc9e
2021-12-11 01:08:29 +00:00
0dcd5e82c8
[Rule Tuning] Suspicious JAR Child Process ( #1657 )
...
* [Rule Tuning] Suspicious JAR Child Process
Expand rule coverage by removing the process.args containing a jar file requirement which may help detect also exploitation attempt via command injection vulnerabilities on server apps running JAVA.
* Update rules/cross-platform/execution_suspicious_jar_child_process.toml
(cherry picked from commit 410d4e5929
2021-12-11 01:06:29 +00:00
8d0275fe03
[New Rule] PowerShell Reflection Assembly Load ( #1559 )
...
* Create defense_evasion_posh_assembly_load.toml
* Update defense_evasion_posh_assembly_load.toml
* Update rules/windows/defense_evasion_posh_assembly_load.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Change event.code to event.category
* Update rules/windows/defense_evasion_posh_assembly_load.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit d4e06beee6
2021-12-08 21:01:25 +00:00
3f6c9ac2bd
[Rule Tuning] Powershell Defender Exclusion ( #1644 )
...
* Split process.args condition
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit ee548328d5
2021-12-08 14:53:33 +00:00
1056bc516f
[New Rule] Enumeration of Privileged Local Groups Membership ( #1557 )
...
* [New Rule] Enumeration of Privileged Local Groups Membership
* Update non-ecs-schema.json
* Update discovery_privileged_localgroup_membership.toml
* removed endpoint index (not needed)
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit b85818f49c
2021-12-08 10:25:38 +00:00
75b8fc94fd
[New Rule] Privilege Escalation via Rogue Named Pipe Impersonation ( #1544 )
...
* [New Rule] Privilege Escalation via Rogue Named Pipe Impersonation
* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update privilege_escalation_via_rogue_named_pipe.toml
* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 434e2d0426
2021-12-08 10:23:08 +00:00
1370ce26fa
[New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot ( #1632 )
...
* [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot
Detects the creation of LSASS clone via event 4688 (Sysmon process creation as well as Elastic endpoint don't capture clone creation due to the way 4688 logs process creation event even before an initial threat starts).
* adding extra ref url
(cherry picked from commit e3b76b7cf7
2021-12-08 10:18:18 +00:00
857ec6ba94
[Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules ( #1620 )
...
* Replaces event.code with event.category
* bump updated_date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 851c566730
2021-12-08 06:34:37 +00:00
8182d73800
Add issue to min_stack_comment ( #1652 )
...
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit b7b5449033
2021-12-08 00:54:32 +00:00
a8919b9070
[Rule Tuning] updates from documentation review for 7.16 ( #1645 )
...
(cherry picked from commit 14c46f50b9
2021-12-08 00:45:10 +00:00
0b5cae5e2c
Updates Host Risk Score documentation ( #1643 )
...
* update host-risk-score.md
* Update docs/experimental-machine-learning/host-risk-score.md
Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com >
Co-authored-by: Ryland Herrick <ryalnd@gmail.com >
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co >
(cherry picked from commit 0935a853fb
2021-12-08 00:07:43 +00:00
f37235581c
Add min_stack and indexes back ( #1648 )
...
(cherry picked from commit c21337fe4f
2021-12-07 13:02:54 +00:00
396cee32f1
[Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL ( #1651 )
...
* Update command_and_control_download_rar_powershell_from_internet.toml
* bump updated_date
(cherry picked from commit 7b0383ffe2
2021-12-07 12:11:11 +00:00
e37fc97c57
Limit index to logs-endpoint.events ( #1647 )
...
(cherry picked from commit f6a2437cf8
2021-12-06 16:47:17 +00:00
2ecbc87fed
Adding Beaconing docs ( #1621 )
...
* Adding beaconing docs
* Adding a call out about import options
* Adding a note about the AD job
* Adding more clarity on the release bundle
* Update beaconing.md
* Update docs/experimental-machine-learning/beaconing.md
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 237dcd2e19
2021-12-01 16:46:48 +00:00
d1fe62d903
[New Rule] Suspicious Process Creation CallTrace ( #1588 )
...
* [New Rule] Suspicious Process Creation CallTrace
* Update non-ecs-schema.json
* added min stack vers
* min_stack_vers not needed
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit d43e3d8e4e
2021-11-30 20:37:41 +00:00
d1e73cb0c3
Updating host risk score and experimental detections docs ( #1639 )
...
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit d061bf8e7c
2021-11-30 19:26:54 +00:00
d098c58d27
[Rule Tuning] Support ECS 1.11 field for IM rule ( #1560 )
...
* Support ecs field for IM rule
* update time interval
* Change additional lookback to 5 minutes
* Add old rule
* Add newline
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Remove im legacy rule
* Udpdate name and description
* Remove min_stack_comment
* Keep 2 IM rule
* add min_stack_comments to rule
* Update rules/cross-platform/threat_intel_indicator_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* adds new rules
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ece Özalp <ozale272@newschool.edu >
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co >
(cherry picked from commit c619844b0d
2021-11-30 18:27:52 +00:00
423145dae7
[New Rule] Azure Kubernetes Rolebindings Created ( #1576 )
...
* Create azure_kubernetes_rolebinding_created_or_deleted.toml
* Update
* Update privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified.toml to privilege_escalation_azure_kubernetes_rolebinding_created.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 521f0987ae
2021-11-29 12:18:02 +00:00
c49501c4cc
[New Rule] Clearing Windows Console History ( #1623 )
...
* Create defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* bump severity
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 13fc69b70a
2021-11-25 16:27:24 +00:00
5572d8669e
[New Rule] Windows Firewall Disabled ( #1565 )
...
* Create defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Rename defense_evasion_windows_firewall_disabled.toml to defense_evasion_windows_firewall_profile_disabled.toml
* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_powershell_windows_firewall_disabled.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Update rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_powershell_windows_firewall_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 2ac19440c2
2021-11-24 21:36:02 +00:00
7f59fbb235
[Rule Tuning] Component Object Model Hijacking ( #1491 )
...
* Update persistence_suspicious_com_hijack_registry.toml
Add HKEY_USERS\*Classes\CLSID\*\LocalServer32\ to exclusions.
* Update updated_date
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit dd3e924e4a
2021-11-24 11:59:49 +00:00
3e5ed57546
[New Rule] Potential Credential Access via Renamed COM+ Services DLL ( #1569 )
...
* [New Rule] Potential Credential Access via Renamed COM+ Services DLL
* update dates
* adding config note
* relinted
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* update minstack version
* minstack not needed, rule should work on previous versions
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit d1636258e4
2021-11-18 09:30:02 +00:00
97bb3d5bc4
[New Rule] Account Password Reset Remotely ( #1571 )
...
* [New Rule] Account Password Reset Remotely
* Update non-ecs-schema.json
* udpate ruleId
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 53a17e6b06
2021-11-18 09:28:05 +00:00
ffcca8239e
[New Rule] Azure Active Directory High Risk User AtRisk or Confirmed ( #1579 )
...
* Create initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 3dd32608a0
2021-11-17 22:40:16 +00:00
3f3328a630
[New Rule] PowerShell Keylogging Script ( #1561 )
...
* Create collection_posh_keylogger.toml
* Apply suggestions from Samir
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Fix missing OR
* Change dup guid
* Apply suggestions from Justin
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 4b6794df32
2021-11-17 22:39:05 +00:00
c6068391a1
[Rule Tuning] Suspicious CertUtil Commands ( #1564 )
...
(cherry picked from commit ab521f7c4f
2021-11-17 20:43:07 +00:00
0e20e08eef
[New Rule] Potential Process Injection via PowerShell ( #1552 )
...
* Create defense_evasion_posh_process_injection.toml
* Update defense_evasion_posh_process_injection.toml
* Update description
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestions from Justin
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 9c54e21820
2021-11-17 10:35:29 +00:00
33f13e25be
[New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot ( #1550 )
...
* [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot
* Update credential_access_suspicious_lsass_access_via_snapshot.toml
* lint
* Update etc/non-ecs-schema.json
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* moved FP txt to Note.
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update etc/non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* fix json
* Update credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit e99478db00
2021-11-17 07:47:39 +00:00
2e067562f1
[New Rule] Potential Credential Access via LSASS Memory Dump ( #1533 )
...
* [New Rule] Potential Credential Access via LSASS Memory Dump
* Update credential_access_suspicious_lsass_access_memdump.toml
* fix typo in calltrace and event.code type
* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update credential_access_suspicious_lsass_access_memdump.toml
* added TargetImage to non ecs schema
* Update non-ecs-schema.json
* format
* Update credential_access_suspicious_lsass_access_memdump.toml
* Update credential_access_suspicious_lsass_access_memdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit c18c08a976
2021-11-17 07:38:39 +00:00
a06dc65acd
Lock versions for releases: 7.13,7.14,7.15,7.16 ( #1619 )
...
* Locked versions for releases: 7.13,7.14,7.15,7.16
(cherry picked from commit f0f3b83eab
2021-11-16 09:33:36 +00:00
a50bd1ae15
[bug] Current stack version in deprecation lock missing parens ( #1618 )
...
The function was not being properly called, leading to `null` values
(cherry picked from commit bd9e33e761
2021-11-16 09:20:32 +00:00
e9736b21c9
Fix kibana-pr command ( #1616 )
...
(cherry picked from commit 76503e8bcd
2021-11-16 08:56:57 +00:00
f306ff195a
Update registry release from beta to ga
2021-11-15 21:48:07 -09:00
271d460d7f
[New Rule] PowerShell Suspicious Script with Audio Capture Capabilities ( #1582 )
...
(cherry picked from commit 858d1cf12c
2021-11-16 06:21:37 +00:00
4a0f780d0b
Bump min_stack_version in version.lock for specific rules ( #1614 )
...
(cherry picked from commit d78f6354df
2021-11-15 23:40:19 +00:00
1e2ede92a1
Test to trigger workflows ( #1612 )
...
(cherry picked from commit 59ba8e1540
2021-11-15 19:04:37 +00:00
d0ec0f0297
Prepare for creation of 7.16 release branch ( #1611 )
...
Removed changes from:
- etc/packages.yml
(selectively cherry picked from commit 95d7e9b6f5
2021-11-15 18:41:47 +00:00
0efae3a52e
Move version lock code to object for portability ( #1553 )
...
* Move version lock code to object for portability
* use cached_property to bypass frozen dataclass and set property
* replace load_versions function
2021-11-15 08:46:12 -09:00
81a62f5f68
[New Rule] Suspicious Process Access via Direct System Call ( #1536 )
...
* [New Rule] Suspicious Process Access via Direct System Call
* updated query to catch also CallTrace with non ntdll modules
* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update defense_evasion_suspicious_process_access_direct_syscall.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-11-15 10:18:26 +01:00
5e6a58ebab
Add index as a required field to rule_prompt ( #1595 )
2021-11-14 17:05:42 -09:00
017d9a51b7
[Rule Tuning] Rename extrac.exe to extrac32.exe ( #1601 )
2021-11-14 17:01:13 -09:00
aa219710a1
Fix Windows path causing emoji to be rendered in Kibana ( #1585 )
...
In impact_hosts_file_modified rule, the `note` field contains a Windows
path that causes a confused-face-emoji to be rendered in the
Investigation Guide tab.
Surrounding the path in backticks fixes it.
2021-11-03 11:01:25 -05:00
e29a1ca25c
Create host-risk-score.md ( #1599 )
...
update the script name to match shipped artifact
2021-11-03 11:05:59 +03:00
Apoorva Joshi