* [New Rule] File Made Executable via Chmod Inside A Container
new rule
* edit threat matrix urls
add final / to reference urls
* Apply suggestions from code review
removed unused fields, adjust from field for readability
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
rule query change to remove exclusion and add more common chmod executable patterns, nit review comments, additional tactic, technique and subtechnique
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
added Defense Evasion tag
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
adjusted tags
* Update execution_file_made_executable_via_chmod_inside_a_container.toml
changed rule type to file instead of process to eliminate false positive results from adding the number modification parts of the query
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
* [New Rule] Netcat Listener Established Inside A Container
new rule toml
* remove references
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* remove false_positives
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* adjust from field from s to m for readability
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update execution_netcat_listener_established_inside_a_container.toml
updated query, updated risk score, expanded explanation for 2nd part of the query where process args is used to search for target executables
* optimized query
optimized query to deduplicate fields based on review feedback
* Update execution_netcat_listener_established_inside_a_container.toml
updated query comment
* Update execution_netcat_listener_established_inside_a_container.toml
added false positive section
* Update execution_netcat_listener_established_inside_a_container.toml
adjusted tags
* removed the != end query parameter
removed the exclusion of end events for this to account for short-lived netcat listener processes
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Create execution_interactive_shell_spawned_from_inside_a_container.toml
new rule
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
edited threat matrix
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
changed boolean in query from string type
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
added timestamp_override field
* Apply suggestions from code review
readability from field change, removed references field
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
* Apply suggestions from code review
index spacing, rule name, comment change
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
updated description, updated query to utilize container.id field to distinguish container vs linux rule, remove unnecessary comments and simplify the query.
* Update rule query
updated rule query to use process.executable and an or field for event.action
* Update execution_interactive_shell_spawned_from_inside_a_container.toml
adjusted tags
* changed "not" in query
event.action != end based on review suggestion
* spacing around comments
* removed ending wildcard causing FPs
removed ending wildcard for process.args /sh as it's causing FPs and will risk being too noisy
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* tuned web shell logic, and converted to EQL
* Removed old, created new rule to bypass "type" bug
* Revert "Removed old, created new rule to bypass "type" bug"
This reverts commit e994b62ecb838f73fa56d145e529169ebd2f5133.
* Revert "tuned web shell logic, and converted to EQL"
This reverts commit 28bda94b846cbb4ae1a084e707db2b6df458a7ca.
* Deprecated old rule, added new
* formatting fix
* removed endgame index
* Fixed changes captured as edited, not created
* Update rules/linux/persistence_shell_activity_through_web_server.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* fix conflict
* added host.os.type==linux for unit testing
* removed wildcards in process.args
* Update rules/linux/persistence_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* fixed conflict by changing file name and changes
* Trying to resolve the GH conflict
* attempt to fix GH conflict #2
* Update persistence_shell_activity_by_web_server.toml
* Added endgame support
* Added OSQuery to investigation guide
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* removed investigation guide to add in future PR
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* updated version_lock to remove type restriction
* addressing flake errors
* reverting version lock and testing rule
* reverting spaces in testing rule
* [Rule Tuning] Potential Credential Access via Windows Utilities
* Add system integration index
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* adding solution for historical rules in release package
* addressing flake errors
* format changes
* REVERT CHANGES - testing release-fleet workflow
* REVERTING CHANGES
* added historical flag for packaging to account for older branches
* addressing flake errors
* updated build for CI
* REMOVE: This is temporary to run a workflow from this branch
* updates to address requirements for contents
* reverting packages.yml
* Update detection_rules/integrations.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Update detection_rules/integrations.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* addressed feedback and added click echo comments
* addressed flake errors and added some comments
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Updated for AND logic
* Added case for no package_integrations
* Fixed linting
* Added unit test for new functionality
* Fixed linting
* Added valid query tests
* Add unit test for event.dataset
* Switched type calls to isinstance calls
* Removed unused stack validation call
* Added additional error type
* Fixed linting
* Cleaned up error handling
* fixed linting
* Added proper type hints
* Fixed typo in Unions
* Updated unit test with additional test cases
* Updated test_invalid_queries unit test
* Fixed linting
* Added kql to unit tests
* Updated tests
* Fixed error handling
* Fixed style issues
* updating integration manifests and schemas
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>