ac69faedbf
[Rule Tuning] Component Object Model Hijacking ( #1491 )
...
* Update persistence_suspicious_com_hijack_registry.toml
Add HKEY_USERS\*Classes\CLSID\*\LocalServer32\ to exclusions.
* Update updated_date
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit dd3e924e4a
2021-11-24 11:58:44 +00:00
e3adb3e089
[New Rule] Potential Credential Access via Renamed COM+ Services DLL ( #1569 )
...
* [New Rule] Potential Credential Access via Renamed COM+ Services DLL
* update dates
* adding config note
* relinted
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* update minstack version
* minstack not needed, rule should work on previous versions
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit d1636258e4
2021-11-18 09:28:55 +00:00
24ef481853
[New Rule] Account Password Reset Remotely ( #1571 )
...
* [New Rule] Account Password Reset Remotely
* Update non-ecs-schema.json
* udpate ruleId
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 53a17e6b06
2021-11-18 09:27:02 +00:00
03db89e733
[New Rule] Azure Active Directory High Risk User AtRisk or Confirmed ( #1579 )
...
* Create initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 3dd32608a0
2021-11-17 22:39:09 +00:00
c434a5dbb5
[New Rule] PowerShell Keylogging Script ( #1561 )
...
* Create collection_posh_keylogger.toml
* Apply suggestions from Samir
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Fix missing OR
* Change dup guid
* Apply suggestions from Justin
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 4b6794df32
2021-11-17 22:37:50 +00:00
cb85a35e7a
[Rule Tuning] Suspicious CertUtil Commands ( #1564 )
...
(cherry picked from commit ab521f7c4f
2021-11-17 20:42:11 +00:00
791c8f9864
[New Rule] Potential Process Injection via PowerShell ( #1552 )
...
* Create defense_evasion_posh_process_injection.toml
* Update defense_evasion_posh_process_injection.toml
* Update description
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestions from Justin
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 9c54e21820
2021-11-17 10:34:19 +00:00
2f3519d882
[New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot ( #1550 )
...
* [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot
* Update credential_access_suspicious_lsass_access_via_snapshot.toml
* lint
* Update etc/non-ecs-schema.json
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* moved FP txt to Note.
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update etc/non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* fix json
* Update credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit e99478db00
2021-11-17 07:46:35 +00:00
7d806b4d3c
[New Rule] Potential Credential Access via LSASS Memory Dump ( #1533 )
...
* [New Rule] Potential Credential Access via LSASS Memory Dump
* Update credential_access_suspicious_lsass_access_memdump.toml
* fix typo in calltrace and event.code type
* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update credential_access_suspicious_lsass_access_memdump.toml
* added TargetImage to non ecs schema
* Update non-ecs-schema.json
* format
* Update credential_access_suspicious_lsass_access_memdump.toml
* Update credential_access_suspicious_lsass_access_memdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit c18c08a976
2021-11-17 07:37:33 +00:00
c1e4bbc2e3
Lock versions for releases: 7.13,7.14,7.15,7.16 ( #1619 )
...
* Locked versions for releases: 7.13,7.14,7.15,7.16
(cherry picked from commit f0f3b83eab
2021-11-16 09:32:29 +00:00
8036eff47e
[bug] Current stack version in deprecation lock missing parens ( #1618 )
...
The function was not being properly called, leading to `null` values
(cherry picked from commit bd9e33e761
2021-11-16 09:19:31 +00:00
eeb087c0fa
Fix kibana-pr command ( #1616 )
...
(cherry picked from commit 76503e8bcd
2021-11-16 08:56:02 +00:00
e2723af3c2
Update registry release from beta to ga
2021-11-15 21:48:46 -09:00
77ffac81e2
[New Rule] PowerShell Suspicious Script with Audio Capture Capabilities ( #1582 )
...
(cherry picked from commit 858d1cf12c
2021-11-16 06:20:37 +00:00
d1a4441c73
Bump min_stack_version in version.lock for specific rules ( #1614 )
...
(cherry picked from commit d78f6354df
2021-11-15 23:39:21 +00:00
ef4fc086ee
Remove 7.15+ rules from 7.14 branch ( #1613 )
...
* Remove 7.15+ rules from 7.14 branch
2021-11-15 14:35:28 -09:00
c42f86eb15
Test to trigger workflows ( #1612 )
...
(cherry picked from commit 59ba8e1540
2021-11-15 19:03:31 +00:00
1edd4303af
Prepare for creation of 7.16 release branch ( #1611 )
...
Removed changes from:
- etc/packages.yml
(selectively cherry picked from commit 95d7e9b6f5
2021-11-15 18:40:36 +00:00
389a7bf292
Move version lock code to object for portability ( #1553 )
...
* Move version lock code to object for portability
* use cached_property to bypass frozen dataclass and set property
* replace load_versions function
(cherry picked from commit 0efae3a52e
2021-11-15 17:47:17 +00:00
cb1a765524
[New Rule] Suspicious Process Access via Direct System Call ( #1536 )
...
* [New Rule] Suspicious Process Access via Direct System Call
* updated query to catch also CallTrace with non ntdll modules
* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update defense_evasion_suspicious_process_access_direct_syscall.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
(cherry picked from commit 81a62f5f68
2021-11-15 09:19:40 +00:00
06340b69b0
Add index as a required field to rule_prompt ( #1595 )
...
(cherry picked from commit 5e6a58ebab
2021-11-15 02:06:42 +00:00
25bfddb291
[Rule Tuning] Rename extrac.exe to extrac32.exe ( #1601 )
...
(cherry picked from commit 017d9a51b7
2021-11-15 02:02:16 +00:00
f656c7bc25
Fix Windows path causing emoji to be rendered in Kibana ( #1585 )
...
In impact_hosts_file_modified rule, the `note` field contains a Windows
path that causes a confused-face-emoji to be rendered in the
Investigation Guide tab.
Surrounding the path in backticks fixes it.
(cherry picked from commit aa219710a1
2021-11-03 16:02:33 +00:00
715188695b
Create host-risk-score.md ( #1599 )
...
update the script name to match shipped artifact
(cherry picked from commit e29a1ca25c
2021-11-03 08:07:01 +00:00
2c197b57fb
Change interval and lookback time for IM rule ( #1596 )
...
(cherry picked from commit f47b0f61cc
2021-11-01 08:28:42 +00:00
365c2a73f2
[Rule Tuning] Hosts File Modified - add process check for linux ( #1593 )
...
* [Rule Tuning] Hosts File Modified - add process check for linux
* add echo and sed to process names in query
(cherry picked from commit ff16832003
2021-10-29 03:57:38 +00:00
ac4e49bcda
Update the marshmallow dependencies in requirements.txt ( #1475 )
...
* Update the marshmallow dependencies in requirements.txt
* Fix typo
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit d03e7972a6
2021-10-29 03:51:48 +00:00
a58666393e
Refresh ECS (1.12.1) and beats (7.15.1) schemas ( #1584 )
...
* Refresh ECS (1.12.1) and beats (7.15.1) schemas
* update ecs to 1.10 for 7.14 stack validation
* add note with reference url
Removed changes from:
- rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
- rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
(selectively cherry picked from commit c8cf88cd62
2021-10-28 16:25:33 +00:00
fa3b089c4c
Add support for eql-wildcard and kql-match_only_text ( #1583 )
...
* Add support for eql-wildcard and kql-match_only_text
* bump kql version
* lookup elasticsearch type family prior to getting type hint
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
(cherry picked from commit d12c04761f
2021-10-28 13:58:44 +00:00
3e717800a8
Updating docs to highlight explainability ( #1542 )
...
* Updating docs to highlight explainability
* Update typosquatting_rule.md
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 0b57778be6
2021-10-26 20:35:18 +00:00
cb3d90040e
[Bug] Tighten definitions validation patterns ( #1396 )
...
* [Bug] Anchor validation patterns
* Deprecate rule with invalid rule_id and duplicate as new one
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
(cherry picked from commit ab17dfcc28
2021-10-26 15:27:32 +00:00
cd3cef5996
[Rule Tuning] Added Powershell_ise.exe to some rules. ( #1566 )
...
* Update collection_email_powershell_exchange_mailbox.toml
* Update command_and_control_remote_file_copy_powershell.toml
* Update defense_evasion_disabling_windows_defender_powershell.toml
* Update execution_scheduled_task_powershell_source.toml
* Update execution_via_compiled_html_file.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update persistence_powershell_exch_mailbox_activesync_add_device.toml
* Update persistence_webshell_detection.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_suspicious_zoom_child_process.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update persistence_local_scheduled_task_scripting.toml
* Update persistence_local_scheduled_task_creation.toml
* Update persistence_system_shells_via_services.toml
* Update collection_email_powershell_exchange_mailbox.toml
* Update command_and_control_remote_file_copy_powershell.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update defense_evasion_disabling_windows_defender_powershell.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_suspicious_zoom_child_process.toml
* Update execution_scheduled_task_powershell_source.toml
* Update execution_via_compiled_html_file.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update persistence_local_scheduled_task_creation.toml
* Update persistence_local_scheduled_task_scripting.toml
* Update persistence_powershell_exch_mailbox_activesync_add_device.toml
* Update persistence_system_shells_via_services.toml
* Update persistence_webshell_detection.toml
* Update rules/windows/persistence_local_scheduled_task_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit ef7548f04c
2021-10-26 15:17:37 +00:00
fa4bec7b9a
[New Rule] PowerShell MiniDump Script ( #1528 )
...
* PowerShell MiniDump Script Initial Rule
* Update credential_access_posh_minidump.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update credential_access_posh_minidump.toml
* Update rules/windows/credential_access_posh_minidump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 239384497f
2021-10-26 15:10:20 +00:00
5ca067e3e3
Add missing Integration field ( #1537 )
...
* Add missing Integration field
* Bump updated_date
* Add test for integration<->path
* Fix rule folder
* bump updated date in rule
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
(cherry picked from commit 4524c175c8
2021-10-26 15:06:32 +00:00
ba09596949
[New Rule] AWS Route Table Created ( #1257 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create persistence_route_table_created.toml
* Update persistence_route_table_created.toml
* Update rules/persistence_route_table_created.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Update persistence_route_table_created.toml
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update persistence_route_table_created.toml
* Update
* Update
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 89553d84a9
2021-10-26 13:26:56 +00:00
e81362e6ec
Add test for improper rule demotion (released production -> development) ( #1555 )
...
(cherry picked from commit 5a69ceb0c5
2021-10-20 05:48:26 +00:00
a28bb7961a
Add min_stack_comments to metadata schema ( #1573 )
...
* Add min_stack_comments to metadata schema
(cherry picked from commit 5bdf70e72c
2021-10-20 04:53:52 +00:00
27da0d6ed7
[New Rule] Suspicious Portable Executable Encoded in Powershell Script ( #1562 )
...
* Create execution_posh_portable_executable.toml
* Add wildcard
* Remove the wildcard
* Update rules/windows/execution_posh_portable_executable.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit f50fb1d61b
2021-10-18 20:51:12 +00:00
db54ea7467
[New Rule] AWS EventBridge Rule Disabled or Deleted ( #1572 )
...
* Create aws_eventbridge_rule_disabled_or_deleted.toml
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Rename aws_eventbridge_rule_disabled_or_deleted.toml to impact_aws_eventbridge_rule_disabled_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 3ab67d1562
2021-10-18 18:37:29 +00:00
b1e60b6c45
[New Rule] DNS-over-HTTPS Enabled by Registry ( #1379 )
...
* Create defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update rules/windows/defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
(cherry picked from commit cf2b3ee753
2021-10-16 02:26:11 +00:00
66f447cfff
[New Rule] AWS EFS File System or Mount Deleted ( #1462 )
...
* AWS EFS File System or Mount Deleted
* Update impact_efs_filesystem_or_mount_deleted.toml
* Update rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update impact_efs_filesystem_or_mount_deleted.toml
* Update impact_efs_filesystem_or_mount_deleted.toml
* Update impact_efs_filesystem_or_mount_deleted.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 2c39bb962f
2021-10-16 02:24:00 +00:00
1771e33876
[New Rule] AWS Suspicious SAML Activity ( #1498 )
...
* Create privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Add trailing /
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 702524b1f7
2021-10-16 02:12:06 +00:00
b090e60bd6
[New Rule] Azure Full Network Packet Capture Detected ( #1420 )
...
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Delete defense_evasion_virtual_network_device_modified.toml
* Create exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Rename exfiltration_azure_full_network_packet_capture_detected.toml to credential_access_azure_full_network_packet_capture_detected.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 50501bb40f
2021-10-16 02:07:22 +00:00
69dbb5f655
[New Rule] Azure Virtual Network Device Modified or Deleted ( #1421 )
...
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Delete defense_evasion_virtual_network_device_modified.toml
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_virtual_network_device_modified.toml
* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Rename defense_evasion_virtual_network_device_modified.toml to impact_virtual_network_device_modified.toml
* fix description
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 790586fb57
2021-10-15 19:12:07 +00:00
af3571ea6e
[New Rule] Azure Kubernetes Pods Deleted ( #1309 )
...
* Create impact_kubernetes_pod_deleted.toml
* Update impact_kubernetes_pod_deleted.toml
* Update
* Update impact_kubernetes_pod_deleted.toml
* quote value in query
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 761df5fe84
2021-10-15 19:08:48 +00:00
ecc65a28bc
[New Rule] AWS RDS Snapshot Restored ( #1312 )
...
* Create exfiltration_rds_snapshot_restored.toml
* Update exfiltration_rds_snapshot_restored.toml
* Delete exfiltration_rds_snapshot_restored.toml
* Create exfiltration_rds_snapshot_restored.toml
* Update
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update exfiltration_rds_snapshot_restored.toml
* Update exfiltration_rds_snapshot_restored.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit dc980effb0
2021-10-15 19:06:07 +00:00
8c2c6ea6ec
[New Rule] Microsoft 365 - Mass download by a single user ( #1348 )
...
* Create impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 3303a4e255
2021-10-15 19:02:52 +00:00
9021db6188
[New Rule] AWS Route53 hosted zone associated with a VPC ( #1365 )
...
* Create persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 90504915ad
2021-10-15 19:01:20 +00:00
25733e1d67
[New Rule] AWS STS AssumeRole Usage ( #1214 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create lateral_movement_sts_assumerole_abuse.toml
* Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update and rename privilege_escalation_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_usage.toml
* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Add note field
* Update privilege_escalation_sts_assumerole_usage.toml
* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Adding Reference
* Expand STS
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit d7eab5bbf3
2021-10-15 18:57:13 +00:00
8bb2d27451
[New Rule] GCP Kubernetes Rolebindings Created or Patched ( #1267 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/gcp/credential_access_gcp_kubernetes_rolebindings_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update and rename credential_access_gcp_kubernetes_rolebindings_creation.toml to credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml
* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml
* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml
* Rename credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml to privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
* remove space from query
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 27ba204f1c
2021-10-15 18:43:23 +00:00
LaZyDK