b60b6e2af3
[New] Attempt to establish VScode Remote Tunnel ( #4061 )
...
* [New] Attempt to establish VScode Remote Tunnel
* Update command_and_control_tunnel_vscode.toml
* Update command_and_control_tunnel_vscode.toml
* Update command_and_control_tunnel_vscode.toml
* Update rules/windows/command_and_control_tunnel_vscode.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-09-16 07:39:39 +01:00
3a3400c8e5
[New] MsiExec Service Child Process With Network Connection ( #4062 )
...
* [New] MsiExec Service Child Process With Network Connection
converted an ER diag rule to SIEM rule as it matches on a good number of MSI related FNs.
* Update defense_evasion_msiexec_child_proc_netcon.toml
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-09-15 20:22:44 +01:00
56fc2beb46
[New] Suspicious PowerShell Execution via Windows Scripts ( #4060 )
...
* [New] Suspicious PowerShell Execution via Windows Scripts
this PR converts this ER https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution_via_windows_scripts.toml#L5 to a SIEM rule compatible with S1 and M365D and Winlog/sysmon.
* Update execution_powershell_susp_args_via_winscript.toml
* Create defense_evasion_script_via_html_app.toml
* ++
* Update defense_evasion_script_via_html_app.toml
* Update execution_powershell_susp_args_via_winscript.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-09-15 19:51:21 +01:00
b6162abefa
[New] WPS Office Exploitation via DLL Hijack ( #4043 )
...
* Create execution_initial_access_wps_dll_exploit.toml
* Update execution_initial_access_wps_dll_exploit.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-09-15 11:23:35 +01:00
9255dafe53
[New] Detonate LNK TOP Rules ( #4058 )
...
* [New] Detonate LNK TOP Rules
the following two rules are the top ones matching on TPs from detonate for LNK files, converting them to SIEM rules compatible with Sysmon/Winlogbeat, SentinelOne and M365 Defender :
https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_powershell_execution.toml#L8
https://github.com/elastic/protections-artifacts/blob/ea2f8dd3b61a7cdf2ce83ca5f06f2096bb62a494/behavior/rules/windows/execution_suspicious_windows_command_shell_execution.toml#L8
* Update execution_windows_cmd_shell_susp_args.toml
* Update execution_windows_powershell_susp_args.toml
* Update execution_windows_cmd_shell_susp_args.toml
* Update execution_windows_powershell_susp_args.toml
* Update execution_windows_powershell_susp_args.toml
* Update execution_windows_cmd_shell_susp_args.toml
* Update execution_windows_powershell_susp_args.toml
* Update rules/windows/execution_windows_cmd_shell_susp_args.toml
* Update rules/windows/execution_windows_powershell_susp_args.toml
* Update execution_windows_cmd_shell_susp_args.toml
* Update execution_windows_cmd_shell_susp_args.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-09-15 10:49:17 +01:00
bb9a772870
[New Rule] Okta Public Client App OAuth Token Request with Client Credentials ( #4074 )
...
* adding new rule for Okta public client app OAuth token request with client credentials
* Update detection_rules/etc/non-ecs-schema.json
* changing new terms to okta.actor.display_name
* linted; added references
2024-09-13 14:57:49 -04:00
cad3865fcf
[New] Potential Escalation via Vulnerable MSI Repair - CVE-2024-38014 ( #4076 )
...
* [New] Potential Escalation via Vulnerable MSI Repair
https://sec-consult.com/blog/detail/msi-installer-repair-to-system-a-detailed-journey/
* Update privilege_escalation_msi_repair_via_mshelp_link.toml
* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
* Update rules/windows/privilege_escalation_msi_repair_via_mshelp_link.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-09-13 17:57:44 +01:00
c3160b9279
[New Rule] PowerShell Script with Windows Defender Tampering Capabilities ( #4075 )
...
* [New Rule] PowerShell Script with Windows Defender Tampering Capabilities
* .
2024-09-13 11:51:19 -03:00
eda179bbe1
Skip Development Rules from Security Docs ( #4073 )
2024-09-13 19:57:00 +05:30
3e25ea8c2b
[New Rule] AWS Bedrock Detections ( #4072 )
2024-09-13 19:46:47 +05:30
df1f0bc98e
[New Rule] Add Jamf Protect detection rules ( #4047 )
...
* Create privilege_escalation_user_added_to_admin_group.toml
* Update privilege_escalation_user_added_to_admin_group.toml
* Update privilege_escalation_user_added_to_admin_group.toml
* Adding pbpaste detection rule and minor adjustments to user added to group
* Update credential_access_high_volume_of_pbpaste.toml
* Update credential_access_high_volume_of_pbpaste.toml
* Adding two rules to validate our approach.
* Updated index to "logs-jamf_protect*"
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
* Update rules/integrations/jamf/credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/integrations/jamf/privilege_escalation_user_added_to_admin_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Moved to rules/macos folder
* Removed rules from integration/jamf folder
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_high_volume_of_pbpaste.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* minstack rules and support jamf_protect non-dataset
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
2024-09-12 15:03:56 -05:00
29051c2e33
[New Rule] Cross Platform: AWS SendCommand API Call with Run Shell Command Parameters ( #4052 )
...
* add new rule 'AWS SSM with Run Shell Command Parameters'
* linting
* Update rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* reverting suggestion; causes KQL parser errors for optimization
* fixing query command filter
* added linux event type filter
* fixing array
* fixed description
* Update rules/cross-platform/execution_aws_ssm_sendcommand_with_command_parameters.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-09-11 13:40:25 -04:00
8618b1ad73
Support toml lint for investigate transforms ( #4066 )
2024-09-11 20:45:36 +05:30
127a56aede
[Rule Tuning] Remote Execution via File Shares ( #4067 )
...
* [Rule Tuning] Remote Execution via File Shares
* Update lateral_movement_execution_via_file_shares_sequence.toml
2024-09-11 10:49:41 -03:00
a8dd78d834
Sync RTA Hidden Executable Initiated Egress Network Connection ( #4070 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-09-11 18:27:18 +05:30
4cab0e7d04
Sync RTA Socat Reverse Shell or Listener Activity ( #4071 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-09-11 18:14:29 +05:30
6a76bbb8d2
Sync RTA Potential Persistence via Direct Crontab Modification ( #4069 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-09-11 17:44:37 +05:30
09a6803804
Sync RTA Kill Command Executed from Binary in Unusual Location ( #4068 )
2024-09-11 17:30:07 +05:30
dc9c58527f
[Tuning] Unusual Network Activity from a Windows System Binary ( #4065 )
...
* Update defense_evasion_network_connection_from_windows_binary.toml
* Update defense_evasion_network_connection_from_windows_binary.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-09-10 13:30:56 -03:00
8d27b6069b
[Rule Tuning] M365/Azure Brute-Forcing New Rule and Tuning; Deprecate Similar Rule ( #4057 )
...
* deprecated rule; tuned for single source inclusion
* adjusted query comments
* added min-stack
* updated date
* added Azure-based rule for brute forcing
* added reference to o365spray
* fixed tag
* adjusted query comment
* added rule for repeat source
* adjusted query to use count distinct
* added intervals; adjusted lookback window according to time truncation
2024-09-10 11:26:40 -04:00
0a08f5e677
[New Rule] New Microsoft 365 Impossible Travel Rules and Deprecation ( #4054 )
...
* new impossible travel rules for o365; deprecated development rule
* deleted development rule as it has not lock version
* reverted rule deletion, added note about reliability and related rules
2024-09-05 17:36:56 -04:00
e30dc312e4
[Tuning] Potential Execution via XZBackdoor ( #4053 )
...
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
2024-09-05 20:13:32 +01:00
be611be8b3
[New Rule] Instance Metadata Service (IMDS) API Requests - Linux ( #4005 )
...
* new rule metadata API requests
* updated description and name
* added Ipv6
* adjusted query
* rule name fix
* changed to EQL; added discovery tactic
* removed timestamp override
* adding host.os.type
* adjusted description
* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* adjusted query
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-09-05 10:08:32 -04:00
ba58a1e7cc
[New Hunt] Add AWS Hunting Queries to Shared Hunting Library ( #3988 )
...
* new hunt queries for aws
* sendcommand and getuserpassword queries
* s3 bucket access and secrets manager requests added
* ssm start session and service logging deleted added
* adding federated authentication queries
* added ec2 modify instance attribute query
* adding backdoor role creation query
* 2 new queries for discovery; added lookback windows
* added new hunting query for IAM activity with no MFA session
* added missing time windows
* adding new query for lambda add permissions
* adjusted query format
* added new query for ec2 instance deployment anomalies
* updated queries based on feedback; regenerated docs
* fixed queries
* removed new rule
2024-09-04 10:08:44 -04:00
9f964b68a4
[New Rule] Root Certificate Installation ( #4025 )
...
* [New Rule] Root Certificate Installation
* Update defense_evasion_root_certificate_installation.toml
* Update rules/linux/defense_evasion_root_certificate_installation.toml
2024-09-03 17:40:17 +02:00
6a1ba19f7c
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #4050 )
2024-09-03 17:40:44 +05:30
a53f7d55a3
Testcase to check if Rule Type: BBR tag is present for all BBR rules ( #4048 )
2024-09-02 21:29:31 +05:30
b3a75899d5
[New Rule] SELinux Configuration Creation or Modification ( #4024 )
...
* [New Rule] SELinux Configuration Creation or Modification
* Update rules/linux/defense_evasion_selinux_configuration_creation_modification.toml
* Rename defense_evasion_selinux_configuration_creation_modification.toml to defense_evasion_selinux_configuration_creation_or_renaming.toml
* Update rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml
* Update rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml
2024-09-01 10:14:59 +02:00
162b4e7be8
[New Rule] Access Control List Modification via setfacl ( #4009 )
...
* [New BBR] Access Control List Modification via setfacl
* added reference
* Update rules_building_block/defense_evasion_acl_modification_via_setfacl.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-09-01 09:58:50 +02:00
fb07033159
[New Rule] Attempt to Disable Auditd Service ( #4028 )
...
* [New Rule] Attempt to Disable Auditd Service
* Update defense_evasion_attempt_to_disable_auditd_service.toml
* Update rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-09-01 09:51:13 +02:00
30cd1b6a00
[New Rule] Potential Defense Evasion via Doas ( #4027 )
...
* [New Rule] Potential Defense Evasion via Doas
* Update rules/linux/defense_evasion_doas_configuration_creation_or_modification.toml
* Update rules/linux/defense_evasion_doas_configuration_creation_or_modification.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Rename defense_evasion_doas_configuration_creation_or_modification.toml to defense_evasion_doas_configuration_creation_or_rename.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-08-29 21:19:13 +02:00
19b4a4d7dd
[New Rule] SSL Certificate Deletion ( #4026 )
...
* [New Rule] SSL Certificate Deletion
* Update defense_evasion_ssl_certificate_deletion.toml
* Update rules/linux/defense_evasion_ssl_certificate_deletion.toml
2024-08-29 21:10:59 +02:00
1ff26cf53e
[New Rule] New Rules AWS Multi-Region Discovery of EC2 Instances and Quotas ( #4015 )
...
* new rules AWS EC2 discovery in multiple-regions
* adjusted query and from window
* added event providers, adjusted tags, changed file name
2024-08-28 13:42:32 -04:00
3e831b82c3
Update credential_access_suspicious_web_browser_sensitive_file_access.toml ( #4029 )
...
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-08-28 16:33:44 +01:00
0c38662cf3
[FR] [DAC] Add Support for Known Types to Auto-generated Schemas ( #3985 )
...
* Add support for autogen known type
* Add support for ML packages
* rename known_type to field_type
2024-08-28 10:48:00 -04:00
f7b7a04d53
[FR] Add Better Error Handling for CUSTOM_RULES_DIR ( #3990 )
...
* Add better error handling for CUSTOM_RULES_DIR
* Update detection_rules/config.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-08-28 10:30:45 -04:00
6aaccc64a6
[New Rule] AWS CLI Command with Custom Endpoint URL ( #4002 )
...
* new rule AWS CLI COmmand with Custom Endpoint URL
* fixed query
* added host os type
* added timestamp override
2024-08-28 09:58:08 -04:00
e60c21b37b
[Rule Tuning] Enumeration of Privileged Local Groups Membership ( #4016 )
2024-08-27 09:54:19 -03:00
cb739fb161
Sync RTA Linux Production Tuning ( #4014 )
2024-08-26 23:57:42 +05:30
ba76c20b3d
Update import rules to repo help text. ( #4013 )
2024-08-26 10:20:32 -04:00
70c3a6f7b1
[Rule Tuning] Potential privilege escalation via CVE-2022-38028 ( #4004 )
2024-08-22 15:32:28 -03:00
162a48c97f
[New Rule] Openssl Client or Server Activity ( #3930 )
...
* [New Rule] Openssl Client or Server Activity
* Endgame support
* Added one exclusion
* Update execution_shell_openssl_client_or_server.toml
* Update execution_shell_openssl_client_or_server.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-08-22 16:53:31 +02:00
dfbf86e853
Update ProblemChild detection rules with High and Low probability ( #4000 )
...
* Updated ProblemChild detection rules
2024-08-22 09:17:41 -04:00
b6b6f6b482
[New Rule] First Occurrence AWS STS Temporary Credential Request by User ( #3991 )
...
* adding new rule 'First Occurrence of STS GetFederationToken Request by User'
* added integration tag
* Update rules/integrations/aws/defense_evasion_sts_get_federation_token.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* added reference
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-08-21 20:17:10 -04:00
5493165440
[New Rule] AWS Signin Single Factor Console Login via Federated Session ( #3992 )
...
* adding new rule 'AWS Signin Single Factor Console Login with Federated User'
* changed uuid
* added integration tag
* fixed mitre mapping
* added min-stack
* Update rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* added reference
* Update rules/integrations/aws/initial_access_signin_console_login_no_mfa.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-08-21 18:19:54 -04:00
589aa33508
[Bug] Add historical Rules as Default when Build Package ( #4003 )
...
* Add historical Rules as Default
* Update num latest rule versions
* Update split for parsing
* Update saved version
* Remove if else
* write historical rules with versions
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
2024-08-21 18:00:02 -04:00
c77356c0f2
Refresh Integration Manifest and Schema ( #4001 )
2024-08-21 22:24:05 +05:30
fbe47298cf
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #3997 )
2024-08-20 23:46:25 +05:30
0c25cfb82e
Remove unused @click.pass_context ( #3996 )
2024-08-20 23:11:22 +05:30
760d9f6398
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #3995 )
2024-08-20 21:32:43 +05:30
Samirbous