a645bc7bbb
awk binary shell evasion threat ( #1794 )
...
* new:rule:issue-1785 Adding a new Rule for awk binary shell evasion threat
* Update rules/linux/awk_binary_shell_evasion.toml
* Update rules/linux/awk_binary_shell_evasion.toml
* new:rule:issue-1785 Adding Mittre Attack Techniques
* new:rule:issue-1785 Adding Mittre Attack Techniques
* new:rule:issue-1785 Adding Mittre Attack Techniques
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* Update rules/linux/privilege_escalation_awk_binary_shell.toml
* new:rule:issue-1785 Review Comments
* new:rule:issue-1785 Review Comments
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit e004a2f4a5
2022-03-02 16:26:37 +00:00
56997556f5
env binary shell evasion threat ( #1793 )
...
* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat
* new:rule:issue-1786 Adding a new Rule for env binary shell evasion threat
* Update rules/linux/env_binary_shell_evasion.toml
* Update rules/linux/env_binary_shell_evasion.toml
* new:rule:issue-1786 Adding Mittre Attack Techniques
* new:rule:issue-1786 Adding Mittre Attack Techniques
* new:rule:issue-1786 Adding Mittre Attack Techniques
* new:rule:issue-1786 Adding Mittre Attack Techniques
* new:rule:issue-1786 Adding Mittre Attack Techniques
* Update rules/linux/privilege_escalation_env_binary.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/privilege_escalation_env_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_env_binary.toml
* Update rules/linux/privilege_escalation_env_binary.toml
* new:rule:issue-1786 Review Comments
* Update rules/linux/defense_evasion_env_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 758784d4d5
2022-03-02 16:19:45 +00:00
36369ebf96
[New Rule] Registry Hive File Creation via SMB ( #1779 )
...
* [New Rule] Registry Hive File Creation via SMB
Identifies the creation or modification of a medium size registry hive file via the SMB protocol :
* Update credential_access_moving_registry_hive_via_smb.toml
* Update etc/non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit f48144c6b3
2022-03-02 09:14:52 +00:00
31f75bd7e6
Update impact_azure_service_principal_credentials_added.toml ( #1802 )
...
(cherry picked from commit 8a9b52f7e1
2022-03-02 08:38:49 +00:00
73b3bec457
[Security Content] Update rules based on docs review ( #1803 )
...
* Adds suggestions from security-docs
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 1c50f35aed
2022-03-02 00:41:56 +00:00
fe36cc331c
Updating Host Risk Score docs ( #1716 )
...
* Updating host risk score docs
* Small update
* Add host risk documentation for Kibana 8.1 features
* Update host-risk-score.md
* Rearranging some stuff
* Improve host risk SS
* Adding stack version info where applicable
* Update host-risk-score.md
* Update host-risk-score.md
* Update host-risk-score.md
* Update host-risk-score.md
* Update host-risk-score.md
Add host by risk table note
* Update host-risk-score.md
Co-authored-by: Pablo Neves Machado <pablo.nevesmachado@elastic.co >
(cherry picked from commit 0122e1e65f
2022-02-28 23:21:50 +00:00
4397244f73
Refresh ATT&CK to v10.1 ( #1791 )
...
(cherry picked from commit a5eb02ac28
2022-02-25 01:40:49 +00:00
ca5f2d4018
Ensure github module is installed before running PR commands ( #1777 )
...
* Ensure github module is installed before running PR commands
* move go and elastic-package assertions to top of command
* update error msg for missing pkg
* remove redundant github assertion
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit d373db7659
2022-02-24 23:51:24 +00:00
aab23636e8
[New Rule] LSASS Memory Dump ( #1784 )
...
* Add new event_data fields (ObjectName, ProcessName)
* Add detection for LSASS Memory Dump Handle Access
* Reference an example of 120089 AccessMask presence
* modify query to increase performance and update the description to remove ("This rule").
* expand path to Elastic Agent ensure syntax consistency
* Optimize rule based on AccessMaskDescription and additional False Positives.
* add AccessMaskDescription keyword and rule tune to make sure AccessMask is used
* filter dllhost.exe and or the condition between AccessMask and AccessMaskDescription
* cleanup
(cherry picked from commit aa7d79cc53
2022-02-24 13:16:42 +00:00
775779c756
[Bug] Fix toml-lint ordering of Mitre metadata #1249 ( #1774 )
...
* Order the MITRE metadata by recursively sorting the rule object before writing.
* Refactor order_rule into the rule_formatter module.
* sort test_toml.json according to rule_formatter spec
* rename var to obj since this will traverse all data in the rule
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 0aeb7399d4
2022-02-22 19:00:16 +00:00
99c559f870
Update persistence_azure_conditional_access_policy_modified.toml ( #1788 )
...
(cherry picked from commit 8664ef59f4
2022-02-22 18:29:00 +00:00
76f3ff1074
Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 ( #1781 )
...
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1
(cherry picked from commit 5e073af69d
2022-02-16 17:27:58 +00:00
678f7cb93c
[Rule Tuning] Update rules based on docs review ( #1778 )
...
* Update rules based on docs review
* trivial change to trigger CLA
* undo changes from triggering build
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit dec4243db0
2022-02-16 16:44:51 +00:00
f571eb970d
[Rule Tuning] Remove Windows Integration & Winlogbeat Support - User.id ( #1773 )
...
* Remove Windows Integration & Winlogbeat Support
* Update lateral_movement_service_control_spawned_script_int.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 3227d65cd8
2022-02-16 02:07:27 +00:00
cd59ed785a
[Rule Tuning] Potential Command and Control via Internet Explorer ( #1771 )
...
* Use user.name on the sequence instead of user.id
* Update command_and_control_iexplore_via_com.toml
* Remove min_stack and comment "with runs"
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 03f60cc11c
2022-02-16 02:00:28 +00:00
ef78093d88
[New Rule] Potential Credential Access via DCSync ( #1763 )
...
* "Potential Credential Access via DCSync" Initial Rule
* replace unintentional bracket removal
* json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 42436d3364
2022-02-16 00:42:49 +00:00
9885be0f59
Modified to use Integrity fields instead of user.id ( #1772 )
...
(cherry picked from commit fd678dc5cb
2022-02-16 00:25:10 +00:00
fd3d2708a1
[Rule Tuning] Sysmon Registry-based Rules Review & Fixes ( #1775 )
...
* Initial Review of Sysmon Registry Rules
* Update defense_evasion_sip_provider_mod.toml
(cherry picked from commit 9bbe26fec0
2022-02-15 12:59:15 +00:00
3b97ee423b
Update discovery_net_command_system_account.toml ( #1769 )
...
(cherry picked from commit c646a18efb
2022-02-14 15:13:55 +00:00
fbcc7433ad
[New Rule] Windows Service Installed via an Unusual Client ( #1759 )
...
* [New Rule] Windows Service Installed via an Unusual Client
https://www.x86matthew.com/view_post?id=create_svc_rpc
* Update non-ecs-schema.json
* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Add ```s
* Update privilege_escalation_windows_service_via_unusual_client.toml
* add missing comma to schema
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 326aa64ff6
2022-02-11 20:59:20 +00:00
c59429719d
Modification of AmsiEnable Registry Key - Sysmon support ( #1760 )
...
(cherry picked from commit 9c56b00429
2022-02-11 20:51:51 +00:00
782b6c1d0e
Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml ( #1757 )
...
(cherry picked from commit aa9fedd18d
2022-02-11 17:18:12 +00:00
0c66fd9e03
Lock versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1 ( #1768 )
...
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0,8.1
* Trigger Build
* Remove change to trigger build
Co-authored-by: DefSecSentinel <DefSecSentinel@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 8f36346139
2022-02-10 21:09:09 +00:00
4fe57055a0
[Rule Tuning] Fix IM query ( #1767 )
...
* Fix IM quer
* Add update date
(cherry picked from commit b1121da237
2022-02-10 18:32:37 +00:00
6b1b8587e1
[Documentation] Fix O365 Integration name on Rules and Unit Test ( #1684 )
...
* Adjust Integration Name
* Update defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
* Update integration name
* .
* Case
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 5a16a222ad
2022-02-09 22:06:05 +00:00
04f1a08824
Prep for creation of 8.2 branch ( #1762 )
...
Removed changes from:
- etc/packages.yml
(selectively cherry picked from commit e0dda91f26
2022-02-09 03:46:26 +00:00
b4863ddde5
Move misplaced rule to proper folder ( #1756 )
...
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 97835bc5c5
2022-02-04 20:38:01 +00:00
2fe12168bc
[New Rule] Potential Shadow Credentials added to AD Object ( #1729 )
...
* Potential Shadow Credentials added to AD Object Initial Rule
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update credential_access_shadow_credentials.toml
* Add AD tag
* Update credential_access_shadow_credentials.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 85b72256c2
2022-02-04 18:51:25 +00:00
df2a844584
[New Rule] PowerShell Script Block Logging Disabled ( #1749 )
...
* PowerShell Script Block Logging Disabled
* Update rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update defense_evasion_disable_posh_scriptblocklogging.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 7dac52f1cf
2022-02-04 18:46:55 +00:00
7e25f14766
Update credential_access_mod_wdigest_security_provider.toml ( #1751 )
...
(cherry picked from commit 40095d95bf
2022-02-04 18:40:39 +00:00
6ed9769eb6
[New Rule] AdminSDHolder Backdoor ( #1745 )
...
* AdminSDHolder Backdoor
* Update rules/windows/persistence_ad_adminsdholder.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 9ce5d0b92a
2022-02-01 13:17:28 +00:00
58e0584e73
[New Rule] KRBTGT Delegation Backdoor ( #1743 )
...
* KRBTGT Delegation Backdoor
* Update persistence_msds_alloweddelegateto_krbtgt.toml
* Update non-ecs-schema.json
* Update rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* refresh rule_id with new uuid
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit d949fefe0c
2022-02-01 13:11:57 +00:00
bd826ceeb3
[Bug] Fix AttributeError in RuleCollection dupe check ( #1747 )
...
(cherry picked from commit 2828633919
2022-02-01 01:00:08 +00:00
f661eca2eb
[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation ( #1741 )
...
* Update persistence_exchange_suspicious_mailbox_right_delegation.toml
* fix year
(cherry picked from commit 26d5bad914
2022-02-01 00:04:37 +00:00
4e9432a563
[New Rule] Kerberos Preauthentication Disabled for User ( #1717 )
...
* Initial "Kerberos Preauthentication Disabled for User" Rule
* Update credential_access_disable_kerberos_preauth.toml
* Update credential_access_disable_kerberos_preauth.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Add config directives
* Update rules/windows/credential_access_disable_kerberos_preauth.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 6e3f4b2824
2022-01-31 15:34:02 +00:00
fa09b26d59
[New Rule] SeEnableDelegationPrivilege assigned to User ( #1737 )
...
* SeEnableDelegationPrivilege assigned to User
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Fix logging policy name
* Update rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* lint
* Update credential_access_seenabledelegationprivilege_assigned_to_user.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 25ec71579d
2022-01-31 15:25:23 +00:00
948e484070
[Rule tuning] Update rules based on docs review ( #1663 )
...
* [Rule tuning] Update rule verbiage based on docs review
* fix typos
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* revert TI rule changes since it was deprecated
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 72c64de3f5
2022-01-28 19:43:39 +00:00
c05b5dc5f9
[Rule Tuning] Change default time query for rounding days ( #1713 )
...
* Change default time query for rounding days
* Udpate date
* Revert rule updated_data
* Restore threat_query
(cherry picked from commit 87c7210aab
2022-01-28 19:36:44 +00:00
c1c239e1ec
[New Rule] PowerShell Kerberos Ticket Request ( #1715 )
...
* PowerShell Kerberos Ticket Request Initial Rule
* bump date
(cherry picked from commit edd0df5e1a
2022-01-27 19:38:40 +00:00
012e88601e
[New Rule] Email Reported by User as Malware or Phish ( #1699 )
...
* Email Reported by User as Malware or Phish Initial Rule
* Update initial_access_o365_user_reported_phish_malware.toml
* Update rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 189c2b152c
2022-01-27 19:33:20 +00:00
239f7f9324
[New Rule] MS Office Macro Security Registry Modifications ( #1696 )
...
* "MS Office Macro Security Registry Modifications" Initial Rule
* Update rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit b6cbdbd416
2022-01-27 19:27:12 +00:00
c300fce9f7
[New Rule] OneDrive Malware File Upload ( #1693 )
...
* "OneDrive Malware File Upload" Initial Rule
* bump severity
(cherry picked from commit f7bc13b437
2022-01-27 19:22:11 +00:00
b0b52abbd5
[New Rule] SharePoint Malware File Upload ( #1691 )
...
* "SharePoint Malware File Upload" Initial Rule
* s/onedrive/sharepoint
* bump severity
(cherry picked from commit 1676844640
2022-01-27 19:15:20 +00:00
c8671b4a1e
[New Rule] Potential Privileged Escalation via SamAccountName Spoofing ( #1660 )
...
* [New Rule] Potential Privileged Escalation via SamAccountName Spoofing
Identifies a suspicious computer account name rename event, this may indicate an attempt to exploit CVE-2021-42278 to elevated privileges from standard domain user to domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.
https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
https://github.com/cube0x0/noPac
EQL
```
iam where event.action == "renamed-user-account" and
/* machine account name renamed to user like account name */
winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
```
* Create privilege_escalation_samaccountname_spoofing_attack.toml
* Update non-ecs-schema.json
* extra ref
* toml linted
* ref for MS kb5008102
* more ref
* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update non-ecs-schema.json
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 26fb8e83a5
2022-01-27 14:49:15 +00:00
71c382b1f5
[New Rule] Global Administrator Role Assigned ( #1686 )
...
* Initial Global Administrator Role Assigned Rules
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 14252d45ee
2022-01-27 12:55:30 +00:00
15d6244331
Create credential_access_mfa_push_brute_force.toml ( #1682 )
...
(cherry picked from commit 7e4325dd7a
2022-01-27 12:40:11 +00:00
b753a05c72
[Rule Tuning] GCP Kubernetes Rolebindings Created or Patched ( #1718 )
...
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
* Update rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 38ae64f729
2022-01-27 12:34:30 +00:00
a5b1ac9e0e
Update credential_access_suspicious_lsass_access_memdump.toml ( #1714 )
...
(cherry picked from commit 1699f50beb
2022-01-27 12:30:41 +00:00
45946dbf3e
Update source.ip condition ( #1712 )
...
(cherry picked from commit 4ac824192f
2022-01-27 12:27:38 +00:00
042f9cfaa1
[Rule Tuning] Fix event.outcome condition on O365 failed logon related rules ( #1687 )
...
* Tune rule query
* Update credential_access_microsoft_365_potential_password_spraying_attack.toml
* Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
* Revert "Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml"
This reverts commit 5a50aeeff6f1bb23bfeccdc6845e04eb7ccaea43.
(cherry picked from commit 0a23d820c9
2022-01-27 12:25:02 +00:00
shashank-elastic