bcd8ef15ba
[New Rule] Unsigned DLL Side-Loading from a Suspicious Folder ( #2409 )
...
* Create defense_evasion_unsigned_dll_loaded_from_suspdir.toml
* Update non-ecs-schema.json
* Update defense_evasion_unsigned_dll_loaded_from_suspdir.toml
* Update rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-01-25 13:23:20 +00:00
8427c8cd22
Create credential_access_suspicious_lsass_access_generic.toml ( #2487 )
2023-01-25 09:43:35 +00:00
3b2d1af051
new guided onboarding rule ( #2492 )
2023-01-24 11:26:28 -05:00
f804c29f6d
[New Rule] PowerShell Script with Encryption/Decryption Capabilities ( #2489 )
...
* [New Rule] PowerShell Script with Encryption/Decryption Capabilities
* Update defense_evasion_posh_encryption.toml
2023-01-24 12:26:11 -03:00
644a094503
Group Policy Object Discovery through gpresult.exe ( #2483 )
...
* [New Rule] Group Policy Discovery Through gpresult.exe
* Fixed typo
* Update rules/windows/discovery_group_policy_object_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_group_policy_object_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_group_policy_object_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_group_policy_object_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-01-24 12:10:57 +01:00
fc30b5881f
[New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities ( #2465 )
...
* [New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities
* Bump sev
* Update rules/windows/collection_posh_clipboard_capture.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-01-24 07:58:48 -03:00
92ae27600f
[New Rule] PowerShell Mailbox Collection Script ( #2461 )
2023-01-24 07:54:55 -03:00
0aa87d7f4a
[Rule Tuning] Unusual Process For a Linux Host ( #2445 )
...
* [Rule Tuning] Unusual Process For a Linux Host
* .
2023-01-23 21:03:29 -03:00
77c8665f11
[Rule Tuning] Add endgame support for Linux Rules ( #2436 )
...
* [Rule Tuning] Add endgame support for Linux Rules
* [Rule Tuning] Add endgame support for Linux Rules
* .
* Update persistence_insmod_kernel_module_load.toml
2023-01-23 20:53:15 -03:00
7cde7901e3
[Rule Tuning] PowerShell Suspicious Discovery Related Windows API Functions ( #2478 )
...
* [Rule Tuning] PowerShell Suspicious Discovery Related Windows API Functions
* Update discovery_posh_suspicious_api_functions.toml
2023-01-23 20:35:43 -03:00
729ecf8b58
[New Rule] PowerShell Invoke-NinjaCopy script ( #2488 )
...
* [New Rule] PowerShell Invoke-NinjaCopy script
* Update credential_access_posh_invoke_ninjacopy.toml
* Update credential_access_posh_invoke_ninjacopy.toml
2023-01-23 20:00:57 -03:00
e3ff45e20c
[New Rule] System Time Discovery ( #2475 )
...
* [New Rule] System Time Discovery
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-01-18 13:01:57 +01:00
e5d81e77f7
[New Rule] Add Google Workspace Alert Center Promotional Rule ( #2471 )
...
* Add Google Workspace Alert Center Promotional Rule
* added severity mapping overrides
2023-01-17 12:09:13 -05:00
b61da98f97
[Rule Tuning] Bumping min-stack version for Google Workspace to 8.4 ( #2467 )
...
* Bumping min-stack version for Google Workspace to 8.4
* changed 'updated_date' values
2023-01-13 13:29:28 -05:00
0e535e5931
[Rule Tuning] Remove unreleased timeline from alert correlation rules ( #2462 )
...
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-01-12 12:10:59 -03:00
cb88ad715c
[New Rule] Exchange Mailbox via PowerShell ( #2459 )
...
* Create collection_mailbox_export_winlog.toml
* Update collection_mailbox_export_winlog.toml
* Update collection_mailbox_export_winlog.toml
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-01-11 16:45:20 +00:00
8afda66487
[Rule Tuning] Suspicious WerFault Child Process ( #2437 )
...
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
2023-01-11 16:41:57 +00:00
9121a25b02
Update collection_email_powershell_exchange_mailbox.toml ( #2457 )
2023-01-11 16:29:01 +00:00
4124a82496
[Rule Tuning] Exclude SYSTEM user.id from PowerShell Script Block rules ( #2449 )
...
* [Rule Tuning] Exclude SYSTEM user.id from PowerShell Script Block rules
* Update privilege_escalation_posh_token_impersonation.toml
* Update privilege_escalation_posh_token_impersonation.toml
* Adjust severity
2023-01-10 09:37:07 -03:00
7725e32126
[Security Content] Fix Osquery Markdown Plugin Escaped queries ( #2447 )
...
* [Security Content] Fix Osquery Markdown Plugin Escaped queries
* Re-add line
* Update credential_access_credential_dumping_msbuild.toml
* Update command_and_control_common_webservices.toml
2023-01-09 14:45:31 -03:00
9981cca275
[Security Content] Investigation Guides Line breaks refactor ( #2454 )
...
* [Security Content] Investigation Guides Line breaks refactor (#2412 )
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
* Remove changes to deprecated rules
* Update command_and_control_certutil_network_connection.toml
2023-01-09 13:28:10 -03:00
b1a689b6fd
Revert "[Security Content] Investigation Guides Line breaks refactor ( #2412 )" ( #2453 )
...
This reverts commit d1481e1a88
2023-01-09 10:44:54 -05:00
d1481e1a88
[Security Content] Investigation Guides Line breaks refactor ( #2412 )
...
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
2023-01-09 11:56:39 -03:00
896a25bc0f
Refactor file path name ( #2452 )
2023-01-05 22:10:55 +05:30
4312d8c958
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability ( #2429 )
...
* initial commit
* addressing flake errors
* added apm to _get_packagted_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* addressed flake errors
* integration is none is windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistent and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-01-04 09:30:07 -05:00
46eccea704
[New Rule] Suspicious Module Loaded by LSASS ( #2441 )
...
* Create credential_access_lsass_loaded_susp_dll.toml
* Update credential_access_lsass_loaded_susp_dll.toml
* Update rules/windows/credential_access_lsass_loaded_susp_dll.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_loaded_susp_dll.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_loaded_susp_dll.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-01-04 07:56:07 +00:00
3dbb87e46c
Update credential_access_kerberoasting_unusual_process.toml ( #2444 )
2023-01-04 07:50:04 +00:00
73ebdb64c3
Update privilege_escalation_persistence_phantom_dll.toml ( #2443 )
2023-01-04 07:46:59 +00:00
0acbe1d832
[New Rule] Multiple Alerts Involving a User ( #2401 )
...
* [New Rule] Multiple Alerts Involving a User
* Update definitions.py
* update query
* Update multiple_alerts_involving_user.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-01-03 12:25:40 -03:00
be884a1cf3
[Rule Tuning] Screensaver Plist File Modified by Unexpected Process ( #2413 )
2022-12-22 10:27:10 -05:00
7cf14dd515
[Rule Tuning] Parent Process PID Spoofing ( #2432 )
...
* Update defense_evasion_parent_process_pid_spoofing.toml
* Update defense_evasion_parent_process_pid_spoofing.toml
* Update defense_evasion_parent_process_pid_spoofing.toml
* Update defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-12-22 14:23:13 +00:00
ae4f671bae
[New Rule] First Time Seen Driver Loaded ( #2434 )
...
* Create persistence_driver_newterm_imphash.toml
* Update persistence_driver_newterm_imphash.toml
* Update persistence_driver_newterm_imphash.toml
* Update persistence_driver_newterm_imphash.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-12-22 14:10:33 +00:00
baa6b77040
[Rule Tuning] Change Guided Onboarding Rule to Experimental ( #2439 )
...
* initial commit with rule changes
* removed rule from version lock file to pass unit testing; adjusted rule file name
* adjusted maturity to development
2022-12-21 13:36:24 -05:00
9c1bd50a63
[Rule Tuning] Adjust Index Pattern on Windows rules to support WEF ( #2438 )
...
* [Rule Tuning] Adjust Index Pattern on Windows rules to support WEF
* s/host.id/winlog.computer_name
2022-12-21 11:30:04 -03:00
2516a4013a
[Rule Tuning] PrivEsc via Print Spool Service ( #2431 )
...
* Update privilege_escalation_printspooler_service_suspicious_file.toml
* Update privilege_escalation_printspooler_suspicious_spl_file.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2022-12-21 11:51:26 +00:00
80548b97f4
[Rule Tuning] Access to a Sensitive LDAP Attribute ( #2430 )
...
* Update credential_access_ldap_attributes.toml
* Update credential_access_ldap_attributes.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-12-18 20:36:17 +00:00
9f6a54e645
[Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host ( #2423 )
...
* [Rule Tuning] Multiple Alerts in Different ATT&CK Tactics on a Single Host
* Update non-ecs-schema.json
* Remove duplicated value on non-ecs-schema.json
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-12-16 16:05:18 -03:00
ae4e59ec7d
[FR] Update ATT&CK Package to v12.1 ( #2422 )
...
* initial update to v12.1 attack package
* added additional click echo output
* addressed flake errors
* updated rules with refreshed att&ck data
* Update detection_rules/devtools.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2022-12-16 12:04:20 -05:00
c6f5d47cdf
Update guided_onborading_sample_rule.toml ( #2408 )
...
changed name to "My First Rule"
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2022-11-28 08:47:37 -08:00
b0085f4304
[Rule Tuning] Temporarily Scheduled Task Creation ( #2411 )
2022-11-28 09:50:08 -03:00
1637f2dc79
[Rule Tuning] Shadow File Read via Command Line Utilities ( #2403 )
...
* Update privilege_escalation_shadow_file_read.toml
description update, name update, query update, tags update, MITRE update
* Update privilege_escalation_shadow_file_read.toml
edited order of MITRE
* changed file name to match credential_access as primary tactic
changed file name to match credential_access as primary tactic
* excluded common executables, not related to "read", based on telemetry
excluded common executables, not related to "read", based on telemetry
* update cred access reference MITRE
* toml-lint file for final validation
* Rename credential_access_shadow_file_access.toml to privilege_escalation_shadow_file_access.toml
revert name back to privilege_escalation...
* Rename privilege_escalation_shadow_file_access.toml to privilege_escalation_shadow_file_read.toml
* update update_date
* Changed primary tactic back to privilege_escalation to match rule name
Changed primary tactic back to privilege_escalation to match rule name
2022-11-21 11:25:39 -05:00
a7caa4baf3
[New Rule] Multiple Alerts in Different ATT&CK Tactics on a Single Host ( #2399 )
...
* [New Rule] Multiple Alerts in Different ATT&CK Tactics on a Single Host
* Update definitions.py
* Update rules/cross-platform/multiple_alerts_different_tactics_host.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-11-18 17:38:27 -03:00
ac01718bb6
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag ( #2352 )
...
* [Rule Tuning] Add tags to flag Sysmon-only rules
* Modify tags
* Revert "Modify tags"
This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.
* Modify tags
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
2022-11-18 12:32:27 -03:00
6055d0db60
[Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides ( #2387 )
...
* [Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides
* Remove min_stack and add Note
* Fix Typo and preffix
* Update command_and_control_certutil_network_connection.toml
* Add unit test to check Note about Osquery Markdown plugin and Version limitations
* Update test_all_rules.py
* Update test_all_rules.py
* Change Note Verbiage
2022-11-17 18:38:34 -03:00
8766a23ad6
Rule Tuning as part of 8.6 ( #2398 )
2022-11-17 22:55:39 +05:30
6555bba965
[New Rule] Persistence via PowerShell profile ( #2357 )
...
* [New Rule] Persistence via PowerShell profile
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update persistence_powersshell_profiles.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-11-16 08:42:49 -03:00
5a762eaf85
[Rule Tuning] NullSessionPipe Registry Modification ( #2350 )
...
* [Rule Tuning] NullSessionPipe Registry Modification
* Trying length
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-11-16 10:15:18 +00:00
b1ddfb11d4
[New Rule] Windows Services - winlog ( #2280 )
...
* [New Rule] Windows Services - winlog
https://github.com/elastic/detection-rules/issues/2164 (T1543.003 - Windows Service)
- remote windows service (4624,4697)
- suspicious windows service imagepath (7045, 4697) : cmd, powershell etc.
* added winlog.logon.type (keyword)
* Update non-ecs-schema.json
* Update persistence_service_windows_service_winlog.toml
* Update non-ecs-schema.json
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-11-16 10:08:02 +00:00
cbbac02b56
[Rule Tuning] Potential Shadow Credentials added to AD Object ( #2359 )
...
limit the query to suspicious KEYCREDENTIALLINK_BLOB value length to 828 `DN-Binary data: B:<char count>:<binary value>:<object DN>` which matches on the add of a keycredential structure using public offensive tooling and avoid FPs (Azure, CredGuard and others).
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-11-15 20:01:22 +00:00
b0156181e7
[New Rules] T1134 Access Token Manipulation ( #2373 )
...
* New Rules] T1134 Access Token Manipulation
3 rules (2 compatible only with Elastic endpoint) and 1 generic one using winlogs.
* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
* fix ruleid
* Update privilege_escalation_via_token_theft.toml
* timestamp_override = "event.ingested"
* Update non-ecs-schema.json
* linted
* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
* Update non-ecs-schema.json
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-11-15 19:50:47 +00:00
Samirbous