bb63887741
[New] BadSuccessor dMSA Abuse Detections ( #4745 )
...
* [New] BadSuccessor dMSA Abuse Detections
https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory
using new term rule type with events 5136/5137 by winlog.event_data.SubjectUserName to detect unusual accounts performing dMSA changes (creation of a new dMSA account or the modification of the `msDS-ManagedAccountPrecededByLink` attribute to take over a target account)
* Update privilege_escalation_dmsa_creation_by_unusual_user.toml
2025-05-25 09:38:15 +01:00
2c2b3e7d12
[Tuning] Lateral Movement Rules ( #4736 )
...
* Update lateral_movement_incoming_winrm_shell_execution.toml
* Update execution_suspicious_cmd_wmi.toml
* Update lateral_movement_incoming_wmi.toml
* Update lateral_movement_powershell_remoting_target.toml
* Update lateral_movement_incoming_wmi.toml
* Update execution_suspicious_cmd_wmi.toml
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2025-05-21 15:59:45 +01:00
22cf1f0ced
[Tuning] Account Discovery Command via SYSTEM Account ( #4734 )
...
* Update discovery_command_system_account.toml
* Update discovery_command_system_account.toml
* Update discovery_command_system_account.toml
* Update discovery_command_system_account.toml
* Update discovery_command_system_account.toml
2025-05-21 06:25:16 +01:00
e6fb73970d
[Rule Tuning] Startup or Run Key Registry Modification ( #4710 )
2025-05-19 22:12:37 +05:30
9af2bf4a66
[Rule Tuning] Unusual Scheduled Task Update ( #4714 )
2025-05-19 21:51:14 +05:30
47059e22f2
[Rule Tuning] Backup Deletion with Wbadmin ( #4715 )
2025-05-19 20:34:25 +05:30
d30e65e5a2
[Rule Tuning] Unusual File Creation - Alternate Data Stream ( #4712 )
2025-05-09 13:56:54 -03:00
e028bf7954
[New Rule] Potential Dynamic IEX Reconstruction via Environment Variables ( #4633 )
2025-05-06 21:06:06 +05:30
0cd7de6862
[New Rule] Potential PowerShell Obfuscation via Special Character Overuse ( #4632 )
2025-05-06 20:29:19 +05:30
b7016253ae
[New Rule] Potential PowerShell Obfuscation via High Numeric Character Proportion ( #4631 )
2025-05-06 20:13:34 +05:30
5d8f0c2ffe
[New Rule] Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion ( #4630 )
2025-05-06 19:58:01 +05:30
dc6cb3e811
[New Rule] Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation ( #4615 )
2025-05-06 19:26:15 +05:30
5ab73943a1
[New Rule] Potential PowerShell Obfuscation via Invalid Escape Sequences ( #4614 )
2025-05-06 19:10:10 +05:30
b5ac9707ba
[New Rule] PowerShell Obfuscation via Negative Index String Reversal ( #4610 )
2025-05-06 18:54:22 +05:30
c291638521
[New Rule] Potential PowerShell Obfuscation via Reverse Keywords ( #4609 )
2025-05-06 18:36:13 +05:30
7b9cd77bc2
[New Rule] Potential PowerShell Obfuscation via Character Array Reconstruction ( #4608 )
2025-05-06 18:18:29 +05:30
ebe77f2d86
[New Rule] Potential PowerShell Obfuscation via String Concatenation ( #4607 )
2025-05-06 18:02:35 +05:30
91acb4e9ce
[New] Windows Sandbox with Sensitive Configuration ( #4606 )
...
https://blog-en.itochuci.co.jp/entry/2025/03/12/140000
2025-05-06 15:58:39 +05:30
04f15aa08c
[New] Rare Connection to WebDAV Target ( #4667 )
2025-05-06 15:41:30 +05:30
bcff3f95d5
Update command_and_control_common_webservices.toml ( #4686 )
2025-05-06 13:27:21 +05:30
e4856d3c2c
Refresh ecs, beats, integration manifests & schemas ( #4699 )
2025-05-05 23:06:40 +05:30
34231160ee
Fix versions for changes in required_fileds ( #4640 )
2025-04-24 06:28:18 +05:30
b9ed05562d
[Rule Tuning] User Added to Privileged Group in Active Directory ( #4646 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2025-04-24 06:12:33 +05:30
e8e76972f5
[Rule Tuning] Replace legacy winlog.api usage ( #4647 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2025-04-24 05:52:38 +05:30
f8e91be329
[New] RemoteMonologue Attack rules ( #4604 )
...
* [New] RemoteMonologue Attack rules
https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions#1
https://github.com/xforcered/RemoteMonologue
* Update rules/windows/defense_evasion_ntlm_downgrade.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update defense_evasion_ntlm_downgrade.toml
* Update rules/windows/defense_evasion_ntlm_downgrade.toml
* Update rules/windows/defense_evasion_ntlm_downgrade.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-04-22 15:26:57 -03:00
1bab74179e
[New Rule] Potential Malicious PowerShell Based on Alert Correlation ( #4635 )
...
* [New Rule] Potential Malicious PowerShell Based on Alert Correlation
* Update execution_posh_malicious_script_agg.toml
2025-04-22 13:36:04 -03:00
8361cfd205
[New Rule] Potential PowerShell Obfuscation via String Reordering ( #4595 )
...
* [New Rule] Potential PowerShell Obfuscation via String Reordering
* Update defense_evasion_posh_obfuscation_string_format.toml
* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml
* Update defense_evasion_posh_obfuscation_string_format.toml
* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml
* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml
2025-04-22 12:26:55 -03:00
a495b4b9b2
[Rule Tuning] Potential DLL Side-Loading via Trusted Microsoft Programs ( #4627 )
2025-04-22 11:59:06 -03:00
a9f99137f3
[New Rule] Dynamic IEX Reconstruction via Method String Access ( #4634 )
2025-04-22 11:47:03 -03:00
e11fe78846
[Rule Tuning] Suspicious WMI Event Subscription Created ( #4618 )
...
* [Rule Tuning] Suspicious Execution via Scheduled Task
* [Rule Tuning] Suspicious WMI Event Subscription Created
2025-04-16 10:05:20 -03:00
a5d9d6400a
[Rule Tuning] Suspicious Execution via Scheduled Task ( #4599 )
2025-04-07 22:59:08 +05:30
6d8cfda10f
Update defense_evasion_microsoft_defender_tampering.toml ( #4573 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-04-01 18:04:29 +01:00
e8c54169a4
Prep main for 9.1 ( #4555 )
...
* Prep for Release 9.1
* Update Patch Version
* Update Patch version
* Update Patch version
2025-03-26 11:04:14 -04:00
059d7efa25
Prep for Release 9.0 ( #4550 )
2025-03-20 20:32:07 +05:30
28a06fd25f
Update defense_evasion_posh_assembly_load.toml ( #4543 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-03-20 05:13:28 -03:00
290f0be959
Update defense_evasion_execution_suspicious_explorer_winword.toml ( #4533 )
2025-03-14 10:46:56 -03:00
b1470a480b
[New] WDAC Policy File by an Unusual Process ( #4504 )
...
* [New] WDAC Policy File by an Unusual Process
https://github.com/logangoins/Krueger/tree/main
* Update defense_evasion_wdac_policy_by_unusual_process.toml
* Update rules/windows/defense_evasion_wdac_policy_by_unusual_process.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update defense_evasion_wdac_policy_by_unusual_process.toml
* Update defense_evasion_wdac_policy_by_unusual_process.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2025-03-04 15:21:58 +00:00
46c4a80015
[Tuning] Remote File Copy to a Hidden Share ( #4494 )
...
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
* Update lateral_movement_remote_file_copy_hidden_share.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-02-27 11:50:02 -03:00
7b15acf9dd
Update defense_evasion_amsi_bypass_powershell.toml ( #4477 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-02-27 11:36:15 -03:00
0340335cf4
[Rule Tuning] Sysmon rules that uses event.action ( #4496 )
...
* [Rule Tuning] Sysmon rules that uses `event.action`
* Adjust queries
* Fix unit test :thinking-hard:
2025-02-27 11:24:42 -03:00
73aaad98f0
[Rule Tuning] MsBuild Making Network Connections ( #4479 )
...
* [Rule Tuning] MsBuild Making Network Connections
* Remove Minstack
* Revert MMinstack removal
---------
Co-authored-by: Shashank K S <Shashank.Suryanarayana@elastic.co >
2025-02-25 10:04:04 -03:00
bc3e12da38
[Rule Tuning] Adapt Rules to work with Sysmon ( #4480 )
...
* [Rule Tuning] Remove Sysmon from rules that would never trigger based on its events
* bump updated_date
* Update rules/windows/lateral_movement_incoming_wmi.toml
* Update Logic to support sysmon data
* Update command_and_control_tool_transfer_via_curl.toml
2025-02-25 09:54:18 -03:00
8e3ad57672
Update defense_evasion_via_filter_manager.toml ( #4493 )
2025-02-25 09:29:36 +00:00
c0f12ddecf
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags ( #4464 )
...
* [Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags
* Format & order
* Update pyproject.toml
* Update credential_access_cookies_chromium_browsers_debugging.toml
2025-02-19 12:54:31 -03:00
b951e86a55
[Rule Tuning] Account Configured with Never-Expiring Password ( #4459 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2025-02-17 07:19:33 -03:00
15177246cc
[Rule Tuning] Windows - Improve Index Pattern Consistency ( #4462 )
2025-02-17 07:04:34 -03:00
5155f47b86
[Rule Tuning] Event Aggregation - Fix event.action & event.type conditions ( #4445 )
...
* [Rule Tuning] Event Aggregation - Fix `event.action` & `event.type` conditions
* .
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2025-02-07 18:42:28 -03:00
27e8b85840
Update execution_windows_script_from_internet.toml ( #4452 )
2025-02-07 14:52:56 +00:00
be54140485
[Rule Tuning] SMB Connections via LOLBin or Untrusted Process ( #4444 )
2025-02-05 17:32:57 -03:00
3e0ba33749
[Rule Tuning] Remote Execution via File Shares ( #4448 )
2025-02-05 14:51:47 -03:00
Samirbous