bd46e892f1
add "Windows Azure Linux Agent"'s pid file to list ( #2328 )
...
* add "Windows Azure Linux Agent"'s pid file to list
https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/agent-linux
this tool is default installed on azure linux hosts, can resolve my problem as an exception and have but the tool is common enough in cloud environments that it deserves inclusion.
* Update execution_abnormal_process_id_file_created.toml
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-10-13 16:53:35 -03:00
9861958833
[Security Content] Add missing "has_guide" tag ( #2349 )
...
* Add missing "has_guide" tag
* bump updated_date
2022-10-11 06:30:19 -07:00
f5c992b6de
[Security Content] Add Investigation Guides - 2 - 8.5 ( #2314 )
...
* [Security Content] Add Investigation Guides - 2 - 8.5
* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
* Merge branch 'main' into investigation_guides_8.5_2
* Revert "Merge branch 'main' into investigation_guides_8.5_2"
This reverts commit fb3c3f0245301d49229534d8776478c32f6c190e.
* Apply suggested changes from review
* Update discovery_security_software_grep.toml
* Apply suggestions from review
* Apply suggestions from review
2022-09-26 12:59:39 -03:00
b00de3e445
[Rule Tuning] adjust duplicate ssh brute force rule names and add unit test ( #2321 )
...
* added unit test for duplicate rule names
* adjusted macos file name and updated date values
* removed unit test and added assertion error in rule loader
* addressed flake errors
* addressed flake errors
* Update rules/linux/credential_access_potential_linux_ssh_bruteforce.toml
2022-09-26 10:04:38 -04:00
ec04a39413
[Security Content] Tag rules with robust Investigation Guides ( #2297 )
2022-09-23 14:20:32 -03:00
2f062ecf84
Add investigation guides ( #2326 )
2022-09-23 20:18:48 +05:30
725f7f3480
Linux rule to detect potential ssh brute force attack ( #2291 )
...
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-09-19 20:26:18 +05:30
ae2a98e3f7
[New Rule] Linux rule(s) to detect namespace manipulation,shadow file read ( #2283 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-09-14 22:01:46 +05:30
46d5e37b76
min_stack all rules to 8.3 ( #2259 )
...
* min_stack all rules to 8.3
* bump date
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co >
2022-08-24 10:38:49 -06:00
c5ff8511a9
[Rule Tuning] Abnormal Process ID or Lock File Created ( #2113 )
...
* [Rule Tuning] Abnormal Process ID or Lock File Created
* Update rules/linux/execution_abnormal_process_id_file_created.toml
* Update execution_abnormal_process_id_file_created.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-08-23 09:59:31 -03:00
6e2d20362a
[Rule Tuning] Standardizing Risk Score according to Severity ( #2242 )
2022-08-21 22:29:39 -03:00
19d9a7eb87
Rule tuning as part of Linux Detection Rules Review ( #2210 )
2022-08-02 17:46:57 +05:30
b2b5c170dd
Rule(s) to identify potential mining activities ( #2185 )
2022-07-29 23:00:18 +05:30
8afded11e7
Rule tuning as part of Linux Detection Rules Review ( #2170 )
2022-07-29 21:55:49 +05:30
e9267e544c
Rule(s) deprecation as part of Linux Detection Rule Review ( #2163 )
2022-07-26 18:48:25 +05:30
c222d4528d
[New Rule] File made Immutable by Chattr ( #2161 )
...
* [New Rule] File made Immutable by Chattr
* Update rules/linux/defense_evasion_chattr_immutable_file.toml
2022-07-25 13:11:45 -05:00
146f59f4bd
[New Rule] Chkconfig Service Add ( #2159 )
...
* [New Rule] Chkconfig Service Add
* Update rules/linux/persistence_chkconfig_service_add.toml
2022-07-25 11:43:03 -05:00
1746897359
[New Rule] Suspcious Etc File Creation ( #2160 )
...
* [New Rule] Suspcious Etc File Creation
* Update rules/linux/persistence_etc_file_creation.toml
* Update MITRE syntax
* Update rules/linux/persistence_etc_file_creation.toml
* Update rules/linux/persistence_etc_file_creation.toml
* Update rules/linux/persistence_etc_file_creation.toml
2022-07-25 08:48:19 -05:00
e8c39d19a7
[Rule Tuning] Missing MITRE ATT&CK Mappings ( #2073 )
...
* initial commit with eggshell mitre mapping added
* adding updated rules
* [Rule Tuning] MITRE for GCP rules
I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic.
* [Rule Tuning] Endgame Rule name updates for Mitre
Updated Endgame rule names for those with Mitre tactics to match the tactics.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* adding 10 updated rules for google_workspace, ml and o365
* adding 22 rule updates for mitre att&ck mappings
* adding 24 rule updates related mainly to ML rules
* adding 3 rules related to detection via ML
* adding adjustments
* adding adjustments with solutions to recent pytest errors
* removed tabs from tags
* adjusted mappings and added techniques
* adjusted endgame rule mappings per review
* adjusted names to match different tactics
* added execution and defense evasion tag
* adjustments to address errors from merging with main
* added newlines to rules missing them at the end of the file
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-07-22 14:30:34 -04:00
98d93bc21e
[New Rule] Hidden so file ( #2131 )
...
* [New Rule] Hidden Shared Object File
* [Rule Tuning] Hidden File from Tmp
* Update updated_date
* Update rules/linux/defense_evasion_hidden_shared_object.toml
* Update rules/linux/defense_evasion_hidden_shared_object.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/defense_evasion_hidden_shared_object.toml
* Update rules/linux/defense_evasion_hidden_shared_object.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-07-22 11:37:47 -05:00
a52751494e
2058 add setup field to metadata ( #2061 )
...
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2022-07-18 15:41:32 -04:00
9995558b2a
[New Rule] Dynamic Linker Copy ( #2099 )
...
* [New Rule] Dynamic Linker Copy
* Update rules/linux/persistence_dynamic_linker_backup.toml
* Update rules/linux/persistence_dynamic_linker_backup.toml
* Update rules/linux/persistence_dynamic_linker_backup.toml
2022-07-13 10:17:46 -05:00
58ad0823ca
[New Rule] Tc BPF Filter ( #2091 )
...
* tc bpf filter
* Update rules/linux/execution_tc_bpf_filter.toml
2022-07-13 09:41:46 -05:00
d7d0466344
[New Rule] Insmod kernel module load ( #2093 )
...
* insmod kernel module load
* Update rules/linux/persistence_insmod_kernel_module_load.toml
* Update rules/linux/persistence_insmod_kernel_module_load.toml
2022-07-13 09:22:21 -05:00
2ee23bd80f
[Rule tuning] existing strace activity rule. ( #2028 )
...
* Update description and MITTRE Attack details
2022-06-16 17:18:48 +05:30
f02325fe2f
[Rule Tuning] Add MITRE Details to exisisting hpining activity rule. ( #2012 )
...
* Add MITRE Details to existing hping activity rule.
2022-06-02 10:36:23 +05:30
98a85ddcee
Linux binary(s) ftp shell evasion threat ( #2007 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-06-01 22:07:52 +05:30
fd7a6d63b0
[Rule tuning] Linux binary(s) shell evasion threat
...
* Linux binary(s) git shell evasion threat
2022-05-25 19:21:08 +05:30
51b2d9da4b
[Rule tuning] Linux binary(s) shell evasion threat ( #1957 )
...
* Linux binary(s) shell evasion threat
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-05-25 08:32:53 +05:30
1840a638c8
[Rule tuning] Unusual Process Execution - Temp ( #1968 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-05-23 11:04:35 -04:00
77966473d1
[Rule tuning] add support for osx, zsh, and expand tampering techniques ( #1974 )
...
* add support for osx, zsh, and expand tampering techniques
* migrate to cross-platform and add macOS tag
2022-05-20 11:10:56 -04:00
d12f45c6ba
[Rule Tuning] Update Rule Name: Suspicious Network Connection Attempt Sequence by Root ( #1983 )
...
* [Rule Tuning] Update Rule Name
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
2022-05-17 17:41:05 -05:00
c89f423961
[New Rule] Suspicious Outbound Network Connect Sequence by Root ( #1975 )
...
* adding initial rule
* adjusted UUID
* removed event.ingested as query is a sequence
* changed file name to match mitre ATT&CK tactic
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* TOML linted
* Update command_and_control_connection_attempt_by_non_ssh_root_session.toml
Just edited a couple grammar things. Looks good
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
* added additional tactic for privilege escalation and linted
* formatted query to be more readable
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-05-16 16:22:33 -05:00
1704924f7b
[New Rule] Abnormal Process ID File Creation ( #1964 )
...
* adding rule detection
* changed Rule ID
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Adding reboot extension as well.
Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Adding reboot to description.
Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Added additional reference to similar threat.
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_abnormal_process_id_file_created.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added rule for a process starting where the executable's name represented a PID file
* Adjusted user.id value from integer to string
* Added simple investigation notes and osquery coverage
* TOML linting
* Updated date to reflect recent changes
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-05-12 10:38:27 -04:00
5f447a63a2
[New Rule] Executable Launched from Shared Memory Directory ( #1961 )
...
* new rule to check for executables launched from shared memory directory
* added references and false positive instances
* Update rules/linux/execution_shared_memory_executable.toml
* Update rules/linux/execution_shared_memory_executable.toml
* Update rules/linux/execution_shared_memory_executable.toml
* adjusted process to account for var run and lock directories
* TOML lint and query formatting
* TOML lint and query formatting
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* Update rules/linux/execution_process_started_in_shared_memory_directory.toml
* added BPFDoor tag to be threat specific
* TOML linting and adjusted risk because of root requirement
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-05-11 12:18:55 -04:00
e9f5585a9f
[Rule Tuning] Update Rule Content Changes from Security Docs Team ( #1945 )
...
* updated content to reflect changes from Security Docs team
* Update rules/linux/execution_flock_binary.toml
* Update rules/linux/execution_expect_binary.toml
* TOML linting
* added escape for crdential_access_spn_attribute_modified.toml
2022-05-06 13:21:12 -04:00
6bdfddac8e
Expand timestamp override tests ( #1907 )
...
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
2022-04-01 15:27:08 -08:00
93edc44284
[Rule Tuning] Timeline Templates For Windows and Linux ( #1892 )
...
* added comprehensive file timeline to Hosts File Modified rule
* added Comprehensive Process Timeline to Interactive Terminal Spawned via Python rule
* updated rules to have generic instead of comprehensive
* updated several rules with timeline ID and timeline title values
* changed updated_date for threat intel fleet integrations
* added missing templates to timeline_templates dict in definitions.py
* added comprehensive timeline templates to alerts after definitions.py was updated
* updated rules with comprehensive timeline templates and added min stack comments and versions
* removing timeline template changes which is tracked in #1904
* Update rules/linux/execution_python_tty_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Delete Pipfile
Removing pipfile
* Delete Pipfile.lock
deleting pipfile.lock
* Update rules/windows/execution_command_shell_started_by_svchost.toml
updating title
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-04-01 13:44:35 -04:00
8d09bca633
Re-add c89 rules ( #1900 )
2022-03-29 15:01:48 -08:00
507a23ba01
temp remove rule to readd with backport ( #1898 )
2022-03-29 14:52:04 -08:00
bcec8a4479
Linux Shell Evasion Rule Tuning ( #1878 )
...
* Linux Shell Evasion Rule Tuning
* Update execution_python_tty_shell.toml
* Update rules/linux/execution_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_apt_binary.toml
* Update rules/linux/execution_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_awk_binary_shell.toml
* Update rules/linux/execution_c89_c99_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_c89_c99_binary.toml
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_cpulimit_binary.toml
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_expect_binary.toml
* Update rules/linux/execution_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_find_binary.toml
* Update rules/linux/execution_gcc_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_gcc_binary.toml
* Update rules/linux/execution_mysql_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_mysql_binary.toml
* Update rules/linux/execution_nice_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_nice_binary.toml
* Update rules/linux/execution_ssh_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_ssh_binary.toml
* Update execution_perl_tty_shell.toml
* Update execution_python_tty_shell.toml
* Update rules/linux/execution_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_c89_c99_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_gcc_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_mysql_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_nice_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_ssh_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-29 09:16:21 -05:00
fb40a4a8c7
Description updation across multiple rules ( #1893 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-28 22:54:37 +05:30
3474f8c8e4
flock shell evasion threat ( #1863 )
...
* flock shell evasion threat
* Update rules/linux/execution_flock_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_flock_binary.toml
* Update rules/linux/execution_flock_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-24 15:52:18 -05:00
152477904f
vim shell evasion threat ( #1865 )
...
* vim shell evasion threat
* Update rules/linux/execution_vi_binary.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_vi_binary.toml
* Update rules/linux/execution_vi_binary.toml
* Update rules/linux/execution_vi_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-03-24 15:37:20 -05:00
22367d3702
crash shell evasion threat ( #1861 )
2022-03-22 18:46:05 +05:30
2ab5a1f44a
[New Rule] cpulimit shell evasion threat ( #1851 )
...
* cpulimit shell evasion threat
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-21 12:16:53 -05:00
7feebc2c10
Updation of Mitre Tactic and Threats ( #1850 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-18 15:06:24 +05:30
b492258fb0
[New Rule] busybox shell evasion threat ( #1842 )
...
* busybox shell evasion threat
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-17 09:54:46 +05:30
f7735df1d5
[New Rule] c89/c99 shell evasion threat ( #1840 )
...
* c88/c99 shell evasion threat
2022-03-16 23:06:34 +05:30
c05f3c8aa3
gcc shell evasion threat ( #1824 )
2022-03-10 22:41:31 +05:30
ALEXANDER MA COTE