aebe64a42b
[Rule Tuning] DR Performance-Poor Rules ( #3399 )
...
* [Rule Tuning] DR Performance
* .
* Update rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml
* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml
* Update persistence_startup_folder_scripts.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit edf4da8526
2024-03-11 11:56:05 +00:00
6241e8c7b4
fix: correct the provider for the create, delete and modify routes in EC2 VPCs ( #3500 )
...
(cherry picked from commit 709cfddcbe
2024-03-08 19:07:31 +00:00
b180502a19
[Tuning] Linux Cross-Platform Tuning - Part 1 ( #3468 )
...
* [Tuning] Linux Cross-Platform Tuning - Part 1
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update defense_evasion_deletion_of_bash_command_line_history.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit a438052ff3
2024-03-07 17:26:26 +00:00
28220d0ccd
[Tuning] Linux DR Tuning - Part 12 ( #3464 )
...
* [Tuning] Linux DR Tuning - Part 12
* Update persistence_shared_object_creation.toml
* Update privilege_escalation_dac_permissions.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_enlightenment_window_manager.toml
* Min stack rule-bending test
* formatting fix
* Revert "Merge branch 'linux-dr-tuning-12' of https://github.com/elastic/detection-rules into linux-dr-tuning-12"
This reverts commit 0170cddd905b4b983f8413eebbc11c9c7b3719ce, reversing
changes made to 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Revert "Min stack rule-bending test"
This reverts commit 29d4a747603faf0ac7c2d502786533b0cd93a5d5.
* Update privilege_escalation_enlightenment_window_manager.toml
* Update privilege_escalation_chown_chmod_unauthorized_file_read.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 9c4ba4559d
2024-03-07 17:15:18 +00:00
a6c223de70
[Tuning] Linux BBR Tuning - Part 1 ( #3469 )
...
* [Tuning] Linux BBR Tuning - Part 1
* [Tuning] Linux BBR Tuning - Part 1
* Update defense_evasion_processes_with_trailing_spaces.toml
* Update defense_evasion_processes_with_trailing_spaces.toml
* One more tuning
* Update collection_linux_suspicious_clipboard_activity.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 3fd0358b73
2024-03-07 16:24:36 +00:00
124e8c836c
[Tuning] Linux DR Tuning - Part 14 ( #3467 )
...
* [Tuning] Linux DR Tuning - Part 14
* Update privilege_escalation_sudo_cve_2019_14287.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit ed4a7fc15b
2024-03-07 15:51:17 +00:00
dfaed78e75
[Tuning] Linux DR Tuning - Part 13 ( #3465 )
...
* [Tuning] Linux DR Tuning - Part 13
* updated date bump
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
* Update privilege_escalation_netcon_via_sudo_binary.toml
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
* Update rules/linux/privilege_escalation_shadow_file_read.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 60fda8d756
2024-03-07 15:33:51 +00:00
09fe63d18f
[Tuning] Linux DR Tuning - Part 11 ( #3463 )
...
* [Tuning] Linux DR Tuning - Part 11
* Update persistence_message_of_the_day_creation.toml
* Update persistence_message_of_the_day_execution.toml
* Update rules/linux/persistence_message_of_the_day_execution.toml
* Update persistence_linux_user_added_to_privileged_group.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit ef66c57030
2024-03-07 11:26:39 +00:00
68cfb3dfde
[Tuning] Linux DR Tuning - Part 10 ( #3462 )
...
* [Tuning] Linux DR Tuning - Part 10
* updated_date bump
* Update persistence_kworker_file_creation.toml
* Update persistence_linux_backdoor_user_creation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit a76a3755d9
2024-03-07 10:50:21 +00:00
6141bc3dd7
[Tuning] Linux DR Tuning - Part 9 ( #3461 )
...
* [Tuning] Linux DR Tuning - Part 9
* Update persistence_credential_access_modify_ssh_binaries.toml
* Update lateral_movement_ssh_it_worm_download.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit fd84573212
2024-03-07 10:39:28 +00:00
f209923155
[Tuning] Linux DR Tuning - Part 8 ( #3460 )
...
* [Tuning] Linux DR Tuning - Part 8
* Update impact_esxi_process_kill.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 08f946b394
2024-03-07 10:06:27 +00:00
e44b8a7768
[Tuning] Linux DR Tuning - Part 7 ( #3458 )
...
* [Tuning] Linux DR Tuning - Part 7
* Update execution_potential_hack_tool_executed.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit c537fb9c22
2024-03-07 09:52:07 +00:00
472ca216d3
[Tuning] Linux DR Tuning - Part 6 ( #3457 )
...
* [Tuning] Linux DR Tuning - Part 6
* Update discovery_ping_sweep_detected.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit f37a3bfd48
2024-03-07 09:14:25 +00:00
d28bd2abef
[Tuning] Linux DR Tuning - Part 5 ( #3456 )
...
* [Tuning] Linux DR Tuning - Part 6
* Update discovery_dynamic_linker_via_od.toml
* Update discovery_esxi_software_via_find.toml
* Update discovery_esxi_software_via_grep.toml
* Update discovery_linux_hping_activity.toml
* Update discovery_linux_nping_activity.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit ae3f4737ab
2024-03-07 08:59:38 +00:00
2f18b54ac8
[Tuning] Auditbeat event.action Compatibility ( #3471 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 83abf8d42c
2024-03-06 14:34:12 +00:00
e6db511ac7
[BBR Promotion] Linux BBR --> DR Promotion ( #3472 )
...
* [BBR Promotion] Linux BBR --> DR Promotion
* [BBR Promotion] Linux BBR --> DR Promotion
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 5a80423003
2024-03-06 13:55:08 +00:00
fb835e396d
[Tuning] Tuning Windows - 3 Rules ( #3388 )
...
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_make_token_local.toml
* Update privilege_escalation_make_token_local.toml
* Update privilege_escalation_create_process_with_token_unpriv.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 853e18950f
2024-02-20 16:01:52 +00:00
7adff8ebd2
[Tuning] Linux DR Tuning - Part 4 ( #3455 )
...
* [Tuning] Linux DR Tuning - Part 4
* Update defense_evasion_file_mod_writable_dir.toml
* Update defense_evasion_hidden_file_dir_tmp.toml
(cherry picked from commit 089e6671aa
2024-02-20 14:44:07 +00:00
24eea0e1e5
[Tuning] Event.dataset removal & Tag Addition ( #3451 )
...
* [Tuning] Removed event.dataset and added tag
* [Tuning] Removed event.dataset and added tag
* fixed typo
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 3484cac7eb
2024-02-20 14:23:44 +00:00
5af7ec1a4b
[Tuning] Linux DR Tuning - Part 3 ( #3454 )
...
(cherry picked from commit 5e6e4a359b
2024-02-20 13:56:14 +00:00
d09d0b0609
[Tuning] Linux DR Tuning - Part 1 ( #3452 )
...
* [Tuning] Linux DR Tuning - Part 1
* Update command_and_control_linux_tunneling_and_port_forwarding.toml
* Update command_and_control_cat_network_activity.toml
(cherry picked from commit 1dc7fd6a42
2024-02-20 13:44:07 +00:00
5b8b6c4450
[Tuning] Linux DR Tuning - Part 2 ( #3453 )
...
* [Tuning] Linux DR Tuning - Part 2
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
(cherry picked from commit 0e48747aa6
2024-02-20 13:22:50 +00:00
144754c8a5
[New] Suspicious Execution from INET Cache ( #3445 )
...
* Create initial_access_execution_from_inetcache.toml
* Update initial_access_execution_from_inetcache.toml
(cherry picked from commit 4809de6584
2024-02-15 19:19:30 +00:00
a864d77e0a
[Rule Tuning] Windows BBR Tuning - 5 ( #3385 )
...
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 97e49795ab
2024-02-14 13:28:21 +00:00
0c0a5bdaad
[Rule Tuning] Windows BBR Tuning - 2 ( #3381 )
...
* [Rule Tuning] Windows BBR Tuning - 2
* Update defense_evasion_masquerading_windows_system32_exe.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit ae00f30574
2024-02-14 13:03:47 +00:00
4ac56fbd40
[Rule Tuning] Suspicious Antimalware Scan Interface DLL ( #3432 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 21b559c97f
2024-02-08 09:32:22 +00:00
e037d57c82
[New Rules] DDExec Analysis ( #3408 )
...
* [New Rules] DDExec Analysis
* Increased rule scope
* [New Rule] Dynamic Linker Discovery via od
* Revert "[New Rule] Dynamic Linker Discovery via od"
This reverts commit c58595b77f517d3f236a64a52c38804253db64cc.
* [New Rule] Dynamic Linker Discovery via od
* [New Rule] Potential Memory Seeking Activity
* [New BBR] Suspicious Memory grep Activity
* Added endgame + auditd_manager support
* Removed auditd_manager support for now
* Removed auditd_manager support for now
* Update discovery_suspicious_memory_grep_activity.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit d41855a2ac
2024-02-06 13:53:27 +00:00
27b01ac788
[New Rule] Executable Masquerading as Kernel Process ( #3421 )
...
* [New Rule] Executable Masquerading as Kernel Proc
* Bumped dates
* Added endgame support
* Added auditd_manager support
* Removed auditd_manager support for now
(cherry picked from commit 90d64f0714
2024-02-06 09:54:53 +00:00
35dd5ad3c6
[New Rules] APT Package Manager Persistence ( #3418 )
...
* [New Rule] apt Package Manager Persistence
* [New Rules] APT Package Manager Persistence
* [New Rules] APT Package Manager Persistence
(cherry picked from commit 208b2e999c
2024-02-06 09:34:38 +00:00
8d3eed8d4d
[New Rule] Suspicious Network Connection via systemd ( #3420 )
...
* [New Rule] Network Connection via systemd
* Removed space from description
* Added updated query
(cherry picked from commit 4f303ab77e
2024-02-06 09:25:09 +00:00
66458bd33d
Update lateral_movement_remote_task_creation_winlog.toml ( #3419 )
...
(cherry picked from commit 6906a27c3a
2024-02-05 18:41:54 +00:00
67acfbae4d
[Rule Tuning] Windows BBR Tuning - 1 ( #3380 )
...
* [Rule Tuning] Windows BBR Tuning - 1
* .
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 8274f9a816
2024-02-05 15:52:57 +00:00
5edd21a169
[Rule Tuning] Startup or Run Key Registry Modification ( #3367 )
...
(cherry picked from commit edd3556b63
2024-02-05 15:33:38 +00:00
41ee5b7509
[New] Potential Enumeration via Active Directory Web Service ( #3416 )
...
* Create discovery_active_directory_webservice.toml
* Update discovery_active_directory_webservice.toml
* Update discovery_active_directory_webservice.toml
* Update discovery_active_directory_webservice.toml
* Update discovery_active_directory_webservice.toml
(cherry picked from commit 5a68ccfd0d
2024-02-02 14:24:50 +00:00
332afabf04
[Rule Tuning] Potential Modification of Accessibility Binaries ( #3401 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 50df6f3e9b
2024-02-01 14:32:00 +00:00
c8b1b59079
[Tuning] Suspicious File Downloaded from Google Drive ( #3411 )
...
* Update command_and_control_google_drive_malicious_file_download.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update command_and_control_google_drive_malicious_file_download.toml
(cherry picked from commit 4c74588c00
2024-01-31 17:00:17 +00:00
50be89783c
[Tuning] DCSync Rules - 4662 event.action ( #3410 )
...
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update credential_access_dcsync_replication_rights.toml
(cherry picked from commit d7f4d7972e
2024-01-30 11:48:48 +00:00
bad1eff29b
[New Rule] Suspicious Passwd File Event Action ( #3396 )
...
* [New Rule] Suspicious Passwd File Event Action
* Description fix
* Pot. UT fix
* Pot. UT fix.
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 381ccf43ed
2024-01-26 08:42:09 +00:00
9ce2cdf675
[Rule Tuning] Windows DR Tuning - 15 ( #3377 )
...
* [Rule Tuning] Windows DR Tuning - 15
* Update privilege_escalation_windows_service_via_unusual_client.toml
* Update privilege_escalation_windows_service_via_unusual_client.toml
* Update defense_evasion_msbuild_making_network_connections.toml
(cherry picked from commit 92804343bc
2024-01-23 19:54:02 +00:00
c421546055
[Rule Tuning] Direct Outbound SMB Connection ( #3400 )
...
* [Rule Tuning] Direct Outbound SMB Connection
* Update lateral_movement_direct_outbound_smb_connection.toml
(cherry picked from commit e33389b2ef
2024-01-23 18:39:31 +00:00
7db74abede
[Rule Tuning] Host Files System Changes via Windows Subsystem for Linux ( #3398 )
...
* [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux
* Update defense_evasion_wsl_filesystem.toml
(cherry picked from commit e0bdb59deb
2024-01-22 21:53:12 +00:00
cfb4f1a013
[New Rules] UEBA GItHub BBRs and Rules ( #3174 )
...
* [New Rules] UEBA GItHub BBRs and Rules
A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.
* Update rules/integrations/github/impact_github_member_removed_from_organization.toml
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* edited BBR rules
-removed newly added member rule
* updated integration manifests and schemas
* Updated min_stack for some rules based on newest GitHub integration schema manifest
* testing min_stack bump to 8.8 for new fields
* removing offending rule to troubleshoot seperately
* added UEBA tags and created UEBA threshold rule
* updated non-ecs-schema to add signal.rule.tags
* updated non-ecs-schema with kibana.alert.workflow_status
* updated rule.threat.tactic
* added user.name to non-ecs-schema
* added quotes to kibana.alert.workflow_status value
* removed trailing space from rule name
* update tags and optimize query for UEBA threshold rule
* removed integration field from Higher-Order rule
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* adjusted new_terms order and rule types based on review feedback
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* remove user.name from detection_rules/etc/non-ecs-schema.json
* fix json formatting
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 442435830f
2024-01-22 17:53:42 +00:00
cdbf64d360
[New Rule] Potential Buffer Overflow Attack Detected ( #3312 )
...
* [New Rule] Potential Buffer Overflow Attack
* Added timestamp_override
* Update privilege_escalation_potential_bufferoverflow_attack.toml
* Update privilege_escalation_potential_bufferoverflow_attack.toml
* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit 48d8b650e5
2024-01-22 15:34:03 +00:00
ebd743efd5
[New Rule] Chroot Container Escape via Mount ( #3387 )
...
* [New Rule] Chroot Container Escape via Mount
* description fix
(cherry picked from commit ec5f4d596c
2024-01-22 08:23:26 +00:00
0a6ad4adc3
[Security Content] Add Investigation Guides to Linux Persistence Rules - 2 ( #3350 )
...
* [Security Content] Add IGs to Persistence - 2
* [Security Content] Add IGs to Persistence - 2
* fixes
* fix
* added ig note
(cherry picked from commit 26747aa8a4
2024-01-20 18:41:48 +00:00
8a2475b5e3
Linux Process Capabilities Enrichment Detection Rules ( #3366 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com
(cherry picked from commit 1a2ef4b867
2024-01-18 17:24:51 +00:00
7367f37584
[Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field ( #3368 )
...
* updated timestamp override unit test; fixed rules missing this field
* fixed flake error
* simplified and consolidated logic
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* added comments
* updated logic; added comments; removed unused variables
* removed custom python script
* updated dates
* removed deprecated rule change
* updated dates
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 1c10c37468
2024-01-17 19:20:19 +00:00
652acc0f07
[Rule Tuning] Windows DR Tuning - 12 ( #3364 )
...
(cherry picked from commit f6ba12a700
2024-01-17 16:24:30 +00:00
5d9277280c
[Tuning] Add logs-system. index where applicable ( #3390 )
...
* Update discovery_adfind_command_activity.toml
* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_execution_control_panel_suspicious_args.toml
* Update credential_access_dump_registry_hives.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
* Update privilege_escalation_uac_bypass_mock_windir.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_printspooler_childprocess.toml
* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml
* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update initial_access_suspicious_ms_outlook_child_process.toml
* Update initial_access_suspicious_ms_office_child_process.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update initial_access_suspicious_ms_exchange_process.toml
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update execution_from_unusual_path_cmdline.toml
* Update execution_enumeration_via_wmiprvse.toml
* Update execution_command_shell_started_by_svchost.toml
* Update discovery_enumerating_domain_trusts_via_nltest.toml
* Update discovery_enumerating_domain_trusts_via_dsquery.toml
* Update defense_evasion_workfolders_control_execution.toml
* Update defense_evasion_iis_httplogging_disabled.toml
* Update defense_evasion_enable_inbound_rdp_with_netsh.toml
* Update defense_evasion_disabling_windows_logs.toml
* Update credential_access_wireless_creds_dumping.toml
* Update credential_access_iis_apppoolsa_pwd_appcmd.toml
* Update credential_access_iis_connectionstrings_dumping.toml
* Update command_and_control_remote_file_copy_desktopimgdownldr.toml
* Update command_and_control_remote_file_copy_mpcmdrun.toml
* Update command_and_control_dns_tunneling_nslookup.toml
* Update persistence_webshell_detection.toml
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
* Update privilege_escalation_named_pipe_impersonation.toml
* Update command_and_control_certreq_postdata.toml
* Update defense_evasion_suspicious_certutil_commands.toml
* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update persistence_system_shells_via_services.toml
* Update execution_suspicious_cmd_wmi.toml
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update credential_access_dump_registry_hives.toml
* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update defense_evasion_execution_control_panel_suspicious_args.toml
* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update discovery_adfind_command_activity.toml
* Update initial_access_suspicious_ms_outlook_child_process.toml
* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
* Update privilege_escalation_uac_bypass_mock_windir.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_printspooler_childprocess.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_unusual_dir_ads.toml
* Update defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_enabled_via_dism.toml
* Update discovery_admin_recon.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update lateral_movement_alternate_creds_pth.toml
* Update persistence_via_windows_management_instrumentation_event_subscription.toml
* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml
* Update persistence_via_application_shimming.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update discovery_adfind_command_activity.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update execution_command_shell_started_by_svchost.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 27262a585b
2024-01-17 13:55:24 +00:00
d73da3d1d5
[Rule Tuning] Windows DR Tuning - 13 ( #3369 )
...
(cherry picked from commit 71cec2a0e1
2024-01-17 12:59:14 +00:00
Jonhnathan