sigma-rules

Author	SHA1	Message	Date
Colson Wilhoit	bcec8a4479	Linux Shell Evasion Rule Tuning (#1878 ) * Linux Shell Evasion Rule Tuning * Update execution_python_tty_shell.toml * Update rules/linux/execution_apt_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_apt_binary.toml * Update rules/linux/execution_awk_binary_shell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_awk_binary_shell.toml * Update rules/linux/execution_c89_c99_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_c89_c99_binary.toml * Update rules/linux/execution_cpulimit_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_cpulimit_binary.toml * Update rules/linux/execution_expect_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_expect_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_expect_binary.toml * Update rules/linux/execution_find_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_find_binary.toml * Update rules/linux/execution_gcc_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_gcc_binary.toml * Update rules/linux/execution_mysql_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_mysql_binary.toml * Update rules/linux/execution_nice_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_nice_binary.toml * Update rules/linux/execution_ssh_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_ssh_binary.toml * Update execution_perl_tty_shell.toml * Update execution_python_tty_shell.toml * Update rules/linux/execution_apt_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_awk_binary_shell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_c89_c99_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_cpulimit_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_expect_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_find_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_gcc_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_mysql_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_nice_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_ssh_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-03-29 09:16:21 -05:00
shashank-elastic	fb40a4a8c7	Description updation across multiple rules (#1893 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-03-28 22:54:37 +05:30
Damià Poquet Femenia	9ad3d39a32	Add Jamf Connect exception for macOS users enumeration rule (#1891 ) * Update discovery_users_domain_built_in_commands.toml Jamf Connect uses ldapsearch to synchronize user passwords. * change rule update date	2022-03-28 13:13:28 -03:00
Stijn Holzhauer	3d4eaf4caf	Adding path as stated in #1812 (#1889 ) * Adding path as stated in #1812 * Bumping updated_date Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-03-27 08:07:38 -03:00
Jonhnathan	940689576d	[New Rule] Account configured with never Expiring Password (#1790 ) * Create persistence_nopasswd_account.toml * Update persistence_nopasswd_account.toml * Update persistence_nopasswd_account.toml * . * Update persistence_dontexpirepasswd_account.toml * Update persistence_dontexpirepasswd_account.toml	2022-03-26 08:19:28 -03:00
Justin Ibarra	cbeb767156	Add kibana-update and fleet-release templates (#1887 )	2022-03-25 23:44:35 -08:00
Justin Ibarra	3d088787d2	remove update templates	2022-03-25 23:36:40 -08:00
Justin Ibarra	a843337350	Add kibana-update and fleet-release issue tempaltes	2022-03-25 23:21:12 -08:00
Justin Ibarra	d71154b272	Add type to deprecated rules in version.lock (#1881 )	2022-03-24 17:42:13 -08:00
Justin Ibarra	17ef6c558c	[Bug] Fix bug in version_lock.py (#1880 )	2022-03-24 15:41:16 -08:00
Jonhnathan	cdb3dd6dbe	[Security Content] Add Investigation Guides (#1799 ) * Update impact_backup_file_deletion.toml * Update credential_access_seenabledelegationprivilege_assigned_to_user.toml * Update defense_evasion_ms_office_suspicious_regmod.toml * Update credential_access_posh_request_ticket.toml * Update credential_access_disable_kerberos_preauth.toml * Fix missing hyphen * Update rules/windows/credential_access_posh_request_ticket.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/windows/credential_access_posh_request_ticket.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update credential_access_posh_request_ticket.toml * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> * Remove extra line * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> * Lint and adjusts * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>	2022-03-24 18:16:00 -03:00
shashank-elastic	3474f8c8e4	flock shell evasion threat (#1863 ) * flock shell evasion threat * Update rules/linux/execution_flock_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_flock_binary.toml * Update rules/linux/execution_flock_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-03-24 15:52:18 -05:00
shashank-elastic	152477904f	vim shell evasion threat (#1865 ) * vim shell evasion threat * Update rules/linux/execution_vi_binary.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_vi_binary.toml * Update rules/linux/execution_vi_binary.toml * Update rules/linux/execution_vi_binary.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2022-03-24 15:37:20 -05:00
Justin Ibarra	11ec9c230e	Prevent changes to rule type for locked rules (#1855 ) * add rule type to the rule lock_info * add check in VersionLock; add type to version.lock * print changes only on save	2022-03-24 11:56:27 -08:00
Justin Ibarra	f4c94af994	[Bug] Version bump with previous (#1870 ) * save changes to top level for route C; verbose prints * update top level on forked rule without overriding min_stack_version * add check to ensure previous version !> current	2022-03-24 11:12:06 -08:00
Mika Ayenson	1f015ebe85	1554 update eql schemas to fail validation on text fields (#1866 ) * Ensure kql2eql conversion doesnt support `text` fields * Add unit test cases for`text` not supported in eql * test `field not recognized` in the rule_validator and output a verbose message. * use elasticsearch_type_family to lookup text mappings Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-03-23 16:22:26 -04:00
Jonhnathan	df7bed4408	[New Rule] User account exposed to Kerberoasting (#1789 ) * Create credential_access_spn_attribute_modified.toml * Update credential_access_spn_attribute_modified.toml * Update non-ecs-schema.json * Update rules/windows/credential_access_spn_attribute_modified.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2022-03-23 16:31:47 -03:00
Samirbous	c254d0de8b	[New Rule] Suspicious Remote Registry Access via SeBackupPrivilege (#1783 ) * [New Rule] Suspicious Remote Registry Access via SeBackupPrivilege https://github.com/mpgn/BackupOperatorToDA https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp Detection mainly occurs on AD/DC side : EQL ``` sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m [iam where event.action == "logged-in-special" and winlog.event_data.PrivilegeList : "SeBackupPrivilege"] [any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"] ``` ``` "sequences" : [ { "join_keys" : [ "83989f29-8447-4b3c-a54b-4a0f7e5a4872", "0x2a23a5" ], "events" : [ { "_index" : ".ds-logs-system.security-default-2022.02.11-000001", "_id" : "L68HAn8BQQK22TUvoE_k", "_source" : { "agent" : { "name" : "01566s-win16-ir", "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683", "type" : "filebeat", "ephemeral_id" : "26383f4e-4412-4aa4-8ed4-7e729fb593e8", "version" : "8.0.0" }, "winlog" : { "computer_name" : "01566s-win16-ir.threebeesco.com", "process" : { "pid" : 624, "thread" : { "id" : 756 } }, "keywords" : [ "Audit Success" ], "logon" : { "id" : "0x2a23a5" }, "channel" : "Security", "event_data" : { "SubjectUserName" : "samir", "SubjectDomainName" : "3B", "SubjectLogonId" : "0x2a23a5", "PrivilegeList" : [ "SeBackupPrivilege", "SeRestorePrivilege" ], "SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-220106" }, "opcode" : "Info", "record_id" : "2987813", "task" : "Special Logon", "event_id" : "4672", "provider_guid" : "{54849625-5478-4994-A5BA-3E3B0328C30D}", "api" : "wineventlog", "provider_name" : "Microsoft-Windows-Security-Auditing" }, "log" : { "level" : "information" }, "elastic_agent" : { "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683", "version" : "8.0.0", "snapshot" : false }, "message" : """Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-308926384-506822093-3341789130-220106 Account Name: samir Account Domain: 3B Logon ID: 0x2A23A5 Privileges: SeBackupPrivilege SeRestorePrivilege""", "input" : { "type" : "winlog" }, "@timestamp" : "2022-02-16T10:15:26.330Z", "ecs" : { "version" : "1.12.0" }, "related" : { "user" : [ "samir" ] }, "data_stream" : { "namespace" : "default", "type" : "logs", "dataset" : "system.security" }, "host" : { "hostname" : "01566s-win16-ir", "os" : { "build" : "14393.3659", "kernel" : "10.0.14393.3659 (rs1_release_1.200410-1813)", "name" : "Windows Server 2016 Datacenter", "type" : "windows", "family" : "windows", "version" : "10.0", "platform" : "windows" }, "ip" : [ "172.16.66.36", "fe80::ffff:ffff:fffe", "fe80::5efe:ac10:4224" ], "name" : "01566s-win16-ir.threebeesco.com", "id" : "83989f29-8447-4b3c-a54b-4a0f7e5a4872", "mac" : [ "00:50:56:24:6c:d2", "00:00:00:00:00:00:00:e0", "00:00:00:00:00:00:00:e0" ], "architecture" : "x86_64" }, "event" : { "agent_id_status" : "verified", "ingested" : "2022-02-16T10:15:28Z", "code" : "4672", "provider" : "Microsoft-Windows-Security-Auditing", "created" : "2022-02-16T10:15:27.675Z", "kind" : "event", "action" : "logged-in-special", "category" : [ "iam" ], "type" : [ "admin" ], "dataset" : "system.security", "outcome" : "success" }, "user" : { "domain" : "3B", "name" : "samir", "id" : "S-1-5-21-308926384-506822093-3341789130-220106" } } }, { "_index" : ".ds-logs-system.security-default-2022.02.11-000001", "_id" : "Mq8HAn8BQQK22TUvoE_k", "_source" : { "agent" : { "name" : "01566s-win16-ir", "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683", "ephemeral_id" : "26383f4e-4412-4aa4-8ed4-7e729fb593e8", "type" : "filebeat", "version" : "8.0.0" }, "winlog" : { "computer_name" : "01566s-win16-ir.threebeesco.com", "process" : { "pid" : 4, "thread" : { "id" : 1176 } }, "keywords" : [ "Audit Success" ], "logon" : { "id" : "0x2a23a5" }, "channel" : "Security", "event_data" : { "ShareName" : """\\\IPC$""", "IpPort" : "50071", "SubjectLogonId" : "0x2a23a5", "AccessMask" : "0x12019f", "ObjectType" : "File", "SubjectUserName" : "samir", "AccessReason" : "-", "SubjectDomainName" : "3B", "IpAddress" : "172.16.66.25", "AccessMaskDescription" : [ "List Object", "Read Property", "Create Child", "Control Access", "Delete Child", "List Contents", "SELF", "SYNCHRONIZE", "READ_CONTROL" ], "RelativeTargetName" : "winreg", "AccessList" : """%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 """, "SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-220106" }, "opcode" : "Info", "record_id" : "2987816", "event_id" : "5145", "task" : "Detailed File Share", "provider_guid" : "{54849625-5478-4994-A5BA-3E3B0328C30D}", "api" : "wineventlog", "provider_name" : "Microsoft-Windows-Security-Auditing" }, "log" : { "level" : "information" }, "elastic_agent" : { "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683", "version" : "8.0.0", "snapshot" : false }, "message" : """A network share object was checked to see whether client can be granted desired access. Subject: Security ID: S-1-5-21-308926384-506822093-3341789130-220106 Account Name: samir Account Domain: 3B Logon ID: 0x2A23A5 Network Information: Object Type: File Source Address: 172.16.66.25 Source Port: 50071 Share Information: Share Name: \\\IPC$ Share Path: Relative Target Name: winreg Access Request Information: Access Mask: 0x12019F Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) ReadEA WriteEA ReadAttributes WriteAttributes Access Check Results: -""", "input" : { "type" : "winlog" }, "@timestamp" : "2022-02-16T10:15:26.336Z", "ecs" : { "version" : "1.12.0" }, "data_stream" : { "namespace" : "default", "type" : "logs", "dataset" : "system.security" }, "host" : { "hostname" : "01566s-win16-ir", "os" : { "build" : "14393.3659", "kernel" : "10.0.14393.3659 (rs1_release_1.200410-1813)", "name" : "Windows Server 2016 Datacenter", "family" : "windows", "type" : "windows", "version" : "10.0", "platform" : "windows" }, "ip" : [ "172.16.66.36", "fe80::ffff:ffff:fffe", "fe80::5efe:ac10:4224" ], "name" : "01566s-win16-ir.threebeesco.com", "id" : "83989f29-8447-4b3c-a54b-4a0f7e5a4872", "mac" : [ "00:50:56:24:6c:d2", "00:00:00:00:00:00:00:e0", "00:00:00:00:00:00:00:e0" ], "architecture" : "x86_64" }, "event" : { "agent_id_status" : "verified", "ingested" : "2022-02-16T10:15:28Z", "code" : "5145", "provider" : "Microsoft-Windows-Security-Auditing", "kind" : "event", "created" : "2022-02-16T10:15:27.675Z", "action" : "Detailed File Share", "dataset" : "system.security", "outcome" : "success" } } } ] }, ``` * Update non-ecs-schema.json * Update rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-03-23 19:42:03 +01:00
Justin Ibarra	46c2383e5b	[New Rule] Okta User Session Impersonation (#1867 ) * [New Rule] Okta User Session Impersonation Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-03-22 16:11:29 -08:00
Stijn Holzhauer	2ed97d2e8c	[Rule Tuning] Adding event.provider to AWS WAF Rule or Rule Group Deletion (#1833 ) * Adding event.provider * Removing new line * Updating updated_date field Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-03-22 20:36:53 -03:00
shashank-elastic	22367d3702	crash shell evasion threat (#1861 )	2022-03-22 18:46:05 +05:30
shashank-elastic	2ab5a1f44a	[New Rule] cpulimit shell evasion threat (#1851 ) * cpulimit shell evasion threat * Update rules/linux/execution_cpulimit_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_cpulimit_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-03-21 12:16:53 -05:00
Terrance DeJesus	096723b2a1	[Rule Tuning] Symbolic Link to Shadow Copy Created (#1830 ) * fixed duplicated file name * deprecated Symbolic Link to Shadow Copy Created as it may be prone to FP and the intrusion steps are covered with NTDS or SAM Database File Copied * moved rule back to production, added investigation notes and sequencing to EQL query * added related rule 3bc6deaa-fbd4-433a-ae21-3e892f95624f to investigation notes * updating with minor changes * adjusted related rules * adjusted investigation notes * Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * TOML linted and adjusted updated date Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2022-03-18 11:08:29 -04:00
Mika Ayenson	84b7ce6582	update beats master branch ref to main (#1853 ) * update beats master branch ref to main * update filename of master beat schema to main * delete old main beats schema * rebuilt main beats archive	2022-03-18 10:06:34 -04:00
shashank-elastic	7feebc2c10	Updation of Mitre Tactic and Threats (#1850 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-03-18 15:06:24 +05:30
Jonhnathan	22dd7f0ada	Deprecate PrintNightmare Rules (#1852 )	2022-03-17 19:39:36 -03:00
Jonhnathan	a6edb7cfcf	Update defense_evasion_posh_process_injection.toml (#1838 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-03-17 19:37:42 -03:00
shashank-elastic	b492258fb0	[New Rule] busybox shell evasion threat (#1842 ) * busybox shell evasion threat Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-03-17 09:54:46 +05:30
Justin Ibarra	eb2f62940d	Bump EQL to 0.9.12 (#1849 ) * Bump EQL to 0.9.12 * remove duplicate jsonschema	2022-03-16 16:29:33 -08:00
shashank-elastic	f7735df1d5	[New Rule] c89/c99 shell evasion threat (#1840 ) * c88/c99 shell evasion threat	2022-03-16 23:06:34 +05:30
Jonhnathan	e0f8f61ca0	Update persistence_user_account_added_to_privileged_group_ad.toml (#1845 )	2022-03-16 13:06:04 -03:00
Jonhnathan	b5f06f455c	Update defense_evasion_microsoft_defender_tampering.toml (#1837 )	2022-03-14 20:07:39 -03:00
Jonhnathan	53fbc50ea1	[New Rule] AdminSDHolder SDProp Exclusion Added (#1795 ) * AdminSDHolder SDProp Exclusion Added Initial Rule * Update persistence_sdprop_exclusion_dsheuristics.toml * Update rules/windows/persistence_sdprop_exclusion_dsheuristics.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2022-03-10 14:17:01 -03:00
shashank-elastic	c05f3c8aa3	gcc shell evasion threat (#1824 )	2022-03-10 22:41:31 +05:30
shashank-elastic	b49cce9fcb	ssh shell evasion threat (#1827 )	2022-03-10 22:39:05 +05:30
shashank-elastic	ddbc1de45c	mysql shell evasion threat (#1823 )	2022-03-10 22:36:35 +05:30
shashank-elastic	334aa12aaf	expect shell evasion threat (#1817 ) * expect shell evasion threat * expect shell evasion threat * Update rules/linux/defense_evasion_expect_binary.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-03-07 14:22:56 -06:00
shashank-elastic	2b6a357a4b	nice shell evasion threat (#1820 ) * nice shell evasion threat * Update rules/linux/defense_evasion_nice_binary.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-03-07 13:59:16 -06:00
shashank-elastic	f9503f2096	[Rule Tuning] Rule description updates (#1811 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-03-07 19:33:11 +05:30
shashank-elastic	2a82f18e43	[New Rule] Linux Restricted Shell Breakout via the Vi command (#1809 ) * new:rule:issue-1808 vi shell evasion threat * Update rules/linux/defense_evasion_vi_binary.toml * Update rules/linux/defense_evasion_vi_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * new:rule:issue-1808 vi shell evasion threat * new:rule:issue-1808 vi shell evasion threat * new:rule:issue-1808 vi shell evasion threat * Update rules/linux/defense_evasion_vi_binary.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-03-04 13:46:19 -06:00
Apoorva Joshi	b6737aa2c3	Updating beaconing docs (#1815 ) * Updating beaconind docs * Update beaconing.md * Update beaconing.md	2022-03-04 11:34:40 -08:00
Justin Ibarra	6653acb21c	[Github Workflows] Only generate navigator files on push to main (#1814 ) * [Github Workflows] Only generate navigator files on push to main * fix workflow logic syntax	2022-03-04 09:55:11 -09:00
Justin Ibarra	bb105a3c43	Replace `*` in navigator filenames (#1813 )	2022-03-04 08:45:55 -09:00
Justin Ibarra	254b4eb23f	Generate ATT&CK navigator layer files and links (#1787 ) * Generate attack layer files and build with package * add update-navigator-gists command * add workflow to update navigator gists on pushes to main * Add coverage readme * fix keys for links * update navigator layer names * purge gist files prior to update; add badge * Update how the navigator links are displayed * moved navigator code to dedicated and refactored to dataclasses * convert gist links to permalink versions * alphabetize; catch 404 for gist update	2022-03-04 08:20:44 -09:00
Samirbous	a6582351b5	[New Rule] Potential Remote Credential Access via Registry (#1804 ) * [New Rule] Potential Remote Credential Access via Registry 4624 logon followed by hive file creation by regsvc svchost.exe by same user.name and host.id. This matches on secretdsdump and other similar implementations. require to correlation Elastic endpoint file events with System integration logs (4624). Example of data : * Delete workspace.xml * Update credential_access_remote_sam_secretsdump.toml * Update credential_access_remote_sam_secretsdump.toml * add non ecs field * Update non-ecs-schema.json * Update credential_access_remote_sam_secretsdump.toml * Update rules/windows/credential_access_remote_sam_secretsdump.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/windows/credential_access_remote_sam_secretsdump.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/windows/credential_access_remote_sam_secretsdump.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-03-03 16:28:03 +01:00
Terrance DeJesus	202b9c7479	[New Rule] Execution control.exe via WorkFolders.exe (#1806 ) * added detection rule defense_evasion_workfolders_control_execution.toml related to issue #1586 * updated rule authors * added references to the rule * added timestamp override variable to the rule * adjusted value of timestamp override from event_ingested to event.ingested * Update rules/windows/defense_evasion_workfolders_control_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/defense_evasion_workfolders_control_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/defense_evasion_workfolders_control_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/defense_evasion_workfolders_control_execution.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/defense_evasion_workfolders_control_execution.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_workfolders_control_execution.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * linted toml file as suggested Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-03-03 09:21:40 -05:00
Jonhnathan	5c477849fe	[Rule Tuning] Update PowerShell script_block queries to avoid partial matches (#1807 ) * Update script_block queries * Update execution_posh_psreflect.toml	2022-03-03 07:37:25 -03:00
shashank-elastic	283cbca702	find shell evasion threat(#1801 ) * new:rule:issue-1800 Adding new rule for find shell evasion * new:rule:issue-1800 Adding new rule for find shell evasion * new:rule:issue-1800 Adding new rule for find shell evasion * Update rules/linux/privilege_escalation_find_binary.toml * Update rules/linux/privilege_escalation_find_binary.toml * new:rule:issue-1800 Adding Mittre Attack Techniques * Update rules/linux/privilege_escalation_find_binary.toml * Update rules/linux/privilege_escalation_find_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_find_binary.toml * Update rules/linux/privilege_escalation_find_binary.toml * Update rules/linux/privilege_escalation_find_binary.toml * Update rules/linux/privilege_escalation_find_binary.toml * new:rule:issue-1800 Review Comments Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-03-02 22:00:29 +05:30
shashank-elastic	c9dd047966	apt binary shell evasion threat (#1792 ) * new:rule:issue-1782 Adding a new Rule for apt binary shell evasion threat * new:rule:issue-1782 Review Comments * Update rules/linux/apt_binary_shell_evasion.toml * new:rule:issue-1782 Adding Mittre Attack Techniques * new:rule:issue-1782 Adding Mittre Attack Techniques * new:rule:issue-1782 Adding Mittre Attack Techniques * new:rule:issue-1782 Adding Mittre Attack Techniques * new:rule:issue-1782 Adding Mittre Attack Techniques * Update rules/linux/privilege_escalation_apt_binary.toml * Update rules/linux/privilege_escalation_apt_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_apt_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_apt_binary.toml * Update rules/linux/privilege_escalation_apt_binary.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/privilege_escalation_apt_binary.toml * Update rules/linux/privilege_escalation_apt_binary.toml * Update rules/linux/privilege_escalation_apt_binary.toml * Update rules/linux/privilege_escalation_apt_binary.toml * Update rules/linux/privilege_escalation_apt_binary.toml * new:rule:issue-1782 Review Comments Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2022-03-02 21:57:40 +05:30
shashank-elastic	e004a2f4a5	awk binary shell evasion threat (#1794 ) * new:rule:issue-1785 Adding a new Rule for awk binary shell evasion threat * Update rules/linux/awk_binary_shell_evasion.toml * Update rules/linux/awk_binary_shell_evasion.toml * new:rule:issue-1785 Adding Mittre Attack Techniques * new:rule:issue-1785 Adding Mittre Attack Techniques * new:rule:issue-1785 Adding Mittre Attack Techniques * Update rules/linux/privilege_escalation_awk_binary_shell.toml * Update rules/linux/privilege_escalation_awk_binary_shell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_awk_binary_shell.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/privilege_escalation_awk_binary_shell.toml * Update rules/linux/privilege_escalation_awk_binary_shell.toml * Update rules/linux/privilege_escalation_awk_binary_shell.toml * Update rules/linux/privilege_escalation_awk_binary_shell.toml * Update rules/linux/privilege_escalation_awk_binary_shell.toml * new:rule:issue-1785 Review Comments * new:rule:issue-1785 Review Comments Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2022-03-02 21:53:49 +05:30

1 2 3 4 5 ...

1001 Commits