shashank-elastic
8d4606d0dc
Rule(s) deprecation as part of Linux Detection Rule Review (#2163)
(cherry picked from commit e9267e544c)
2022-07-26 13:19:25 +00:00
Colson Wilhoit
883607488a
[New Rule] File made Immutable by Chattr (#2161)
* [New Rule] File made Immutable by Chattr
* Update rules/linux/defense_evasion_chattr_immutable_file.toml
(cherry picked from commit c222d4528d)
2022-07-25 18:12:55 +00:00
Colson Wilhoit
a138a1f2a2
[New Rule] Chkconfig Service Add (#2159)
* [New Rule] Chkconfig Service Add
* Update rules/linux/persistence_chkconfig_service_add.toml
(cherry picked from commit 146f59f4bd)
2022-07-25 16:44:01 +00:00
Colson Wilhoit
d988fcb0de
[New Rule] Suspicious Etc File Creation (#2160)
* [New Rule] Suspicious Etc File Creation
* Update rules/linux/persistence_etc_file_creation.toml
* Update MITRE syntax
* Update rules/linux/persistence_etc_file_creation.toml
* Update rules/linux/persistence_etc_file_creation.toml
* Update rules/linux/persistence_etc_file_creation.toml
(cherry picked from commit 1746897359)
2022-07-25 13:49:28 +00:00
Terrance DeJesus
141b00ec41
[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073)
* initial commit with eggshell mitre mapping added
* adding updated rules
* [Rule Tuning] MITRE for GCP rules
I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and its matched tactic.
* [Rule Tuning] Endgame Rule name updates for Mitre
Updated Endgame rule names for those with Mitre tactics to match the tactics.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* adding 10 updated rules for google_workspace, ml and o365
* adding 22 rule updates for mitre att&ck mappings
* adding 24 rule updates related mainly to ML rules
* adding 3 rules related to detection via ML
* adding adjustments
* adding adjustments with solutions to recent pytest errors
* removed tabs from tags
* adjusted mappings and added techniques
* adjusted endgame rule mappings per review
* adjusted names to match different tactics
* added execution and defense evasion tag
* adjustments to address errors from merging with main
* added newlines to rules missing them at the end of the file
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Removed changes from:
- rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/google_workspace_policy_modified.toml
- rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
- rules/ml/ml_linux_anomalous_compiler_activity.toml
- rules/ml/ml_linux_anomalous_metadata_process.toml
- rules/ml/ml_linux_anomalous_metadata_user.toml
- rules/ml/ml_linux_anomalous_process_all_hosts.toml
- rules/ml/ml_linux_anomalous_sudo_activity.toml
- rules/ml/ml_linux_anomalous_user_name.toml
- rules/ml/ml_linux_system_information_discovery.toml
- rules/ml/ml_linux_system_network_configuration_discovery.toml
- rules/ml/ml_linux_system_network_connection_discovery.toml
- rules/ml/ml_linux_system_process_discovery.toml
- rules/ml/ml_linux_system_user_discovery.toml
- rules/ml/ml_rare_process_by_host_linux.toml
- rules/ml/ml_rare_process_by_host_windows.toml
- rules/ml/ml_suspicious_login_activity.toml
- rules/ml/ml_windows_anomalous_metadata_process.toml
- rules/ml/ml_windows_anomalous_metadata_user.toml
- rules/ml/ml_windows_anomalous_path_activity.toml
- rules/ml/ml_windows_anomalous_process_all_hosts.toml
- rules/ml/ml_windows_anomalous_process_creation.toml
- rules/ml/ml_windows_anomalous_script.toml
- rules/ml/ml_windows_anomalous_service.toml
- rules/ml/ml_windows_anomalous_user_name.toml
- rules/ml/ml_windows_rare_user_runas_event.toml
- rules/ml/ml_windows_rare_user_type10_remote_login.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
(selectively cherry picked from commit e8c39d19a7)
2022-07-22 18:31:42 +00:00
Colson Wilhoit
7909fb47a0
[New Rule] Hidden so file (#2131)
* [New Rule] Hidden Shared Object File
* [Rule Tuning] Hidden File from Tmp
* Update updated_date
* Update rules/linux/defense_evasion_hidden_shared_object.toml
* Update rules/linux/defense_evasion_hidden_shared_object.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/defense_evasion_hidden_shared_object.toml
* Update rules/linux/defense_evasion_hidden_shared_object.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 98d93bc21e)
2022-07-22 16:39:00 +00:00
Mika Ayenson
62298d92f4
2058 add setup field to metadata (#2061)
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/google_workspace_policy_modified.toml
- rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
- rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
- rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
- rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
- rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
- rules/integrations/kubernetes/execution_user_exec_to_pod.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml
(selectively cherry picked from commit a52751494e)
2022-07-18 21:25:32 +00:00
Colson Wilhoit
4235b5d798
[New Rule] Dynamic Linker Copy (#2099)
* [New Rule] Dynamic Linker Copy
* Update rules/linux/persistence_dynamic_linker_backup.toml
* Update rules/linux/persistence_dynamic_linker_backup.toml
* Update rules/linux/persistence_dynamic_linker_backup.toml
(cherry picked from commit 9995558b2a)
2022-07-13 15:18:44 +00:00
Colson Wilhoit
4913be81e0
[New Rule] Tc BPF Filter (#2091)
* tc bpf filter
* Update rules/linux/execution_tc_bpf_filter.toml
(cherry picked from commit 58ad0823ca)
2022-07-13 14:42:49 +00:00
Colson Wilhoit
3e73a3c60a
[New Rule] Insmod kernel module load (#2093)
* insmod kernel module load
* Update rules/linux/persistence_insmod_kernel_module_load.toml
* Update rules/linux/persistence_insmod_kernel_module_load.toml
(cherry picked from commit d7d0466344)
2022-07-13 14:23:29 +00:00
shashank-elastic
69237c4ed2
[Rule tuning] existing strace activity rule. (#2028)
* Update description and MITRE Attack details
(cherry picked from commit 2ee23bd80f)
2022-06-16 11:49:16 +00:00
shashank-elastic
b12d1cb978
[Rule Tuning] Add MITRE Details to existing hping activity rule. (#2012)
* Add MITRE Details to existing hping activity rule.
(cherry picked from commit f02325fe2f)
2022-06-02 05:08:23 +00:00
shashank-elastic
821e04aaf8
Linux binary(s) ftp shell evasion threat (#2007)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 98a85ddcee)
2022-06-01 16:40:06 +00:00
shashank-elastic
75f8928d1f
[Rule tuning] Linux binary(s) shell evasion threat
* Linux binary(s) git shell evasion threat
(cherry picked from commit fd7a6d63b0)
2022-05-25 13:53:22 +00:00
shashank-elastic
44046642e7
[Rule tuning] Linux binary(s) shell evasion threat (#1957)
* Linux binary(s) shell evasion threat
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 51b2d9da4b)
2022-05-25 03:04:53 +00:00
Justin Ibarra
0796082300
[Rule tuning] Unusual Process Execution - Temp (#1968)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
(cherry picked from commit 1840a638c8)
2022-05-23 15:06:55 +00:00
Mika Ayenson
a2dbfff31b
[Rule tuning] add support for osx, zsh, and expand tampering techniques (#1974)
* add support for osx, zsh, and expand tampering techniques
* migrate to cross-platform and add macOS tag
(cherry picked from commit 77966473d1)
2022-05-20 15:12:56 +00:00
Colson Wilhoit
4817bf26c8
[Rule Tuning] Update Rule Name: Suspicious Network Connection Attempt Sequence by Root (#1983)
* [Rule Tuning] Update Rule Name
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
(cherry picked from commit d12f45c6ba)
2022-05-17 22:43:06 +00:00
Terrance DeJesus
a440d87f67
[New Rule] Suspicious Outbound Network Connect Sequence by Root (#1975)
* adding initial rule
* adjusted UUID
* removed event.ingested as query is a sequence
* changed file name to match mitre ATT&CK tactic
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* TOML linted
* Update command_and_control_connection_attempt_by_non_ssh_root_session.toml
Just edited a couple grammar things. Looks good
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* added additional tactic for privilege escalation and linted
* formatted query to be more readable
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit c89f423961)
2022-05-16 21:24:34 +00:00
Terrance DeJesus
c7d1ea428c
[New Rule] Abnormal Process ID File Creation (#1964)
* adding rule detection
* changed Rule ID
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Adding reboot extension as well.
Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Adding reboot to description.
Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Added additional reference to similar threat.
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* added rule for a process starting where the executable's name represented a PID file
* Adjusted user.id value from integer to string
* Added simple investigation notes and osquery coverage
* TOML linting
* Updated date to reflect recent changes
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 1704924f7b)
2022-05-12 14:40:34 +00:00
Terrance DeJesus
b5f473a444
[New Rule] Executable Launched from Shared Memory Directory (#1961)
* new rule to check for executables launched from shared memory directory
* added references and false positive instances
* Update rules/linux/execution_shared_memory_executable.toml
* Update rules/linux/execution_shared_memory_executable.toml
* Update rules/linux/execution_shared_memory_executable.toml
* adjusted process to account for var run and lock directories
* TOML lint and query formatting
* TOML lint and query formatting
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* added BPFDoor tag to be threat specific
* TOML linting and adjusted risk because of root requirement
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit 5f447a63a2)
2022-05-11 16:22:41 +00:00
Terrance DeJesus
5769a21867
[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)
* updated content to reflect changes from Security Docs team
* Update rules/linux/execution_flock_binary.toml
* Update rules/linux/execution_expect_binary.toml
* TOML linting
* added escape for credential_access_spn_attribute_modified.toml
(cherry picked from commit e9f5585a9f)
2022-05-06 17:23:22 +00:00
Justin Ibarra
eeb8ab7744
Expand timestamp override tests (#1907)
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml
(selectively cherry picked from commit 6bdfddac8e)
2022-04-01 23:28:54 +00:00
Colson Wilhoit
150ff0502e
Linux Shell Evasion Rule Tuning (#1878)
* Linux Shell Evasion Rule Tuning
* Update execution_python_tty_shell.toml
* Update rules/linux/execution_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_apt_binary.toml
* Update rules/linux/execution_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_awk_binary_shell.toml
* Update rules/linux/execution_c89_c99_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_c89_c99_binary.toml
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_cpulimit_binary.toml
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
* Update rules/linux/execution_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_find_binary.toml
* Update rules/linux/execution_gcc_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_gcc_binary.toml
* Update rules/linux/execution_mysql_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_mysql_binary.toml
* Update rules/linux/execution_nice_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_nice_binary.toml
* Update rules/linux/execution_ssh_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_ssh_binary.toml
* Update execution_perl_tty_shell.toml
* Update execution_python_tty_shell.toml
* Update rules/linux/execution_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_c89_c99_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_gcc_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_mysql_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_nice_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_ssh_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2022-03-29 21:03:35 -04:00