c031bb501d
[Rule tuning] SSH Authorized Keys File Modification ( #1955 )
2022-05-09 07:50:27 -08:00
03836d45fa
[New Rule] Potential Local NTLM Relay via HTTP ( #1947 )
...
* [New Rule] Potential Local NTLM Relay via HTTP
Detect attempt to elevate privileges via coercing a privileged service to connect to a local rogue HTTP endpoint, leading to NTLM relay, example of logs while testing https://github.com/med0x2e/NTLMRelay2Self (step 5):
* Update credential_access_relay_ntlm_auth_via_http_spoolss.toml
* Update credential_access_relay_ntlm_auth_via_http_spoolss.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-05-06 21:07:27 +02:00
e9f5585a9f
[Rule Tuning] Update Rule Content Changes from Security Docs Team ( #1945 )
...
* updated content to reflect changes from Security Docs team
* Update rules/linux/execution_flock_binary.toml
* Update rules/linux/execution_expect_binary.toml
* TOML linting
* added escape for crdential_access_spn_attribute_modified.toml
2022-05-06 13:21:12 -04:00
3f047b987e
[New Rule] Service Creation via Local Kerberos Authentication ( #1941 )
...
* [New Rule] Suspicious Service Creation via Local Kerberos Relay over LDAP
This rule will catch also the suspicious service that was created leveraging the imported kerberos ticket https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82 which makes triage easier :
DATA :
```
"sequences" : [
{
"join_keys" : [
"6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
"0xefac5f"
],
"events" : [
{
"_index" : ".ds-logs-system.security-default-2022.04.12-000003",
"_id" : "XAy1YoABQhClK0XGpqaL",
"_source" : {
"agent" : {
"name" : "02694w-win10",
"id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
"type" : "filebeat",
"ephemeral_id" : "6c751494-97a3-46aa-bab2-5baf01d17d04",
"version" : "8.0.0"
},
"process" : {
"name" : "-",
"pid" : 0,
"executable" : "-"
},
"winlog" : {
"computer_name" : "02694w-win10.threebeesco.com",
"process" : {
"pid" : 688,
"thread" : {
"id" : 5160
}
},
"keywords" : [
"Audit Success"
],
"logon" : {
"id" : "0x0",
"type" : "Network"
},
"channel" : "Security",
"event_data" : {
"LogonGuid" : "{82d3503b-9dac-ab6d-b045-8877b5aab051}",
"TargetOutboundDomainName" : "-",
"VirtualAccount" : "%%1843",
"LogonType" : "3",
"TransmittedServices" : "-",
"SubjectLogonId" : "0x0",
"LmPackageName" : "-",
"TargetOutboundUserName" : "-",
"KeyLength" : "0",
"RestrictedAdminMode" : "-",
"TargetLogonId" : "0xefac5f",
"SubjectUserName" : "-",
"TargetLinkedLogonId" : "0x0",
"ElevatedToken" : "%%1842",
"SubjectDomainName" : "-",
"ImpersonationLevel" : "%%1833",
"TargetUserName" : "Administrator",
"TargetDomainName" : "THREEBEESCO.COM",
"LogonProcessName" : "Kerberos",
"SubjectUserSid" : "S-1-0-0",
"TargetUserSid" : "S-1-5-21-308926384-506822093-3341789130-500",
"AuthenticationPackageName" : "Kerberos"
},
"opcode" : "Info",
"version" : 2,
"record_id" : "59330",
"task" : "Logon",
"event_id" : "4624",
"provider_guid" : "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"activity_id" : "{e22af019-58dd-0002-43f0-2ae2dd58d801}",
"api" : "wineventlog",
"provider_name" : "Microsoft-Windows-Security-Auditing"
},
"log" : {
"level" : "information"
},
"elastic_agent" : {
"id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
"version" : "8.0.0",
"snapshot" : false
},
"source" : {
"port" : 50494,
"ip" : "127.0.0.1",
"domain" : "-"
},
"message" : """An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-308926384-506822093-3341789130-500
Account Name: Administrator
Account Domain: THREEBEESCO.COM
Logon ID: 0xEFAC5F
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {82d3503b-9dac-ab6d-b045-8877b5aab051}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 127.0.0.1
Source Port: 50494
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
"input" : {
"type" : "winlog"
},
"@timestamp" : "2022-04-25T21:09:04.559Z",
"ecs" : {
"version" : "1.12.0"
},
"related" : {
"ip" : [
"127.0.0.1"
],
"user" : [
"Administrator"
]
},
"data_stream" : {
"namespace" : "default",
"type" : "logs",
"dataset" : "system.security"
},
"host" : {
"hostname" : "02694w-win10",
"os" : {
"build" : "18363.815",
"kernel" : "10.0.18362.815 (WinBuild.160101.0800)",
"name" : "Windows 10 Enterprise",
"family" : "windows",
"type" : "windows",
"version" : "10.0",
"platform" : "windows"
},
"ip" : [
"fe80::7587:a5c1:5a7b:68f6",
"172.16.66.25"
],
"name" : "02694w-win10.threebeesco.com",
"id" : "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
"mac" : [
"00:50:56:03:c6:93"
],
"architecture" : "x86_64"
},
"event" : {
"agent_id_status" : "verified",
"ingested" : "2022-04-25T21:51:53Z",
"code" : "4624",
"provider" : "Microsoft-Windows-Security-Auditing",
"kind" : "event",
"created" : "2022-04-25T21:51:15.561Z",
"action" : "logged-in",
"category" : [
"authentication"
],
"type" : [
"start"
],
"dataset" : "system.security",
"outcome" : "success"
},
"user" : {
"domain" : "THREEBEESCO.COM",
"name" : "Administrator",
"id" : "S-1-5-21-308926384-506822093-3341789130-500"
}
}
},
{
"_index" : ".ds-logs-system.security-default-2022.04.12-000003",
"_id" : "Xwy1YoABQhClK0XGpqaL",
"_source" : {
"agent" : {
"name" : "02694w-win10",
"id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
"ephemeral_id" : "6c751494-97a3-46aa-bab2-5baf01d17d04",
"type" : "filebeat",
"version" : "8.0.0"
},
"winlog" : {
"computer_name" : "02694w-win10.threebeesco.com",
"process" : {
"pid" : 688,
"thread" : {
"id" : 5160
}
},
"keywords" : [
"Audit Success"
],
"logon" : {
"id" : "0xefac5f"
},
"channel" : "Security",
"event_data" : {
"ServiceAccount" : "LocalSystem",
"SubjectUserName" : "Administrator",
"ServiceStartType" : "3",
"ServiceName" : "KrbSCM",
"ServiceType" : "0x10",
"SubjectDomainName" : "3B",
"SubjectLogonId" : "0xefac5f",
"SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-500",
"ServiceFileName" : "\"C:\\Users\\lgreen\\Downloads\\KrbRelayUp.exe\" system 1"
},
"opcode" : "Info",
"record_id" : "59331",
"task" : "Security System Extension",
"event_id" : "4697",
"provider_guid" : "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"activity_id" : "{e22af019-58dd-0002-43f0-2ae2dd58d801}",
"api" : "wineventlog",
"provider_name" : "Microsoft-Windows-Security-Auditing"
},
"log" : {
"level" : "information"
},
"elastic_agent" : {
"id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
"version" : "8.0.0",
"snapshot" : false
},
"message" : """A service was installed in the system.
Subject:
Security ID: S-1-5-21-308926384-506822093-3341789130-500
Account Name: Administrator
Account Domain: 3B
Logon ID: 0xEFAC5F
Service Information:
Service Name: KrbSCM
Service File Name: "C:\Users\lgreen\Downloads\KrbRelayUp.exe" system 1
Service Type: 0x10
Service Start Type: 3
Service Account: LocalSystem""",
"input" : {
"type" : "winlog"
},
"@timestamp" : "2022-04-25T21:09:04.561Z",
"ecs" : {
"version" : "1.12.0"
},
"related" : {
"user" : [
"Administrator"
]
},
"data_stream" : {
"namespace" : "default",
"type" : "logs",
"dataset" : "system.security"
},
"service" : {
"name" : "KrbSCM",
"type" : "Win32 Own Process"
},
"host" : {
"hostname" : "02694w-win10",
"os" : {
"build" : "18363.815",
"kernel" : "10.0.18362.815 (WinBuild.160101.0800)",
"name" : "Windows 10 Enterprise",
"family" : "windows",
"type" : "windows",
"version" : "10.0",
"platform" : "windows"
},
"ip" : [
"fe80::7587:a5c1:5a7b:68f6",
"172.16.66.25"
],
"name" : "02694w-win10.threebeesco.com",
"id" : "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
"mac" : [
"00:50:56:03:c6:93"
],
"architecture" : "x86_64"
},
"event" : {
"agent_id_status" : "verified",
"ingested" : "2022-04-25T21:51:53Z",
"code" : "4697",
"provider" : "Microsoft-Windows-Security-Auditing",
"created" : "2022-04-25T21:51:15.561Z",
"kind" : "event",
"action" : "service-installed",
"category" : [
"iam",
"configuration"
],
"type" : [
"admin",
"change"
],
"dataset" : "system.security",
"outcome" : "success"
},
"user" : {
"domain" : "3B",
"name" : "Administrator",
"id" : "S-1-5-21-308926384-506822093-3341789130-500"
}
}
}
]
````
* Update privilege_escalation_krbrelayup_service_creation.toml
* removed duplicate SubjectLogonId from non ecs fields list
2022-04-29 14:36:28 +02:00
34655374c1
[New Rule] AWS Redshift Cluster Creation ( #1921 )
...
* Add rule for Redshift data warehouse creation.
* Add fp block.
* Add AWS integration metadata.
* Add timestamp override.
* Add note.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update description for redshift instance creation.
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-04-28 14:43:26 -04:00
f050b0ce0c
[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created ( #1939 )
...
* [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created
* Update non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-04-27 09:09:25 -03:00
88f71233c9
Detection of suspicious crontab creation or modification ( #1938 )
...
* Detection of suspicious crontab creation or modification
* Update rules/macos/persistence_crontab_creation.toml
* Update rules/macos/persistence_crontab_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/persistence_crontab_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/persistence_crontab_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-04-27 12:08:32 +05:30
a0672c7d2a
[New Rule] Potential Privileged Escalation via KrbRelayUp ( #1940 )
...
* [New Rule] Potential Privileged Escalation via KrbRelayUp
Identifies a suspicious local successful logon event where the Logon Package is kerberos, the remote address is set to localhost and the target user SID is the builtin local Administrator account, this may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from filtered administrator token to a token with full System privileges.
https://github.com/Dec0ne/KrbRelayUp
DATA :
```
{
"_index" : ".ds-logs-system.security-default-2022.04.12-000003",
"_id" : "Cwy1YoABQhClK0XGfqEU",
"_source" : {
"agent" : {
"name" : "02694w-win10",
"id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
"type" : "filebeat",
"ephemeral_id" : "6c751494-97a3-46aa-bab2-5baf01d17d04",
"version" : "8.0.0"
},
"process" : {
"name" : "-",
"pid" : 0,
"executable" : "-"
},
"winlog" : {
"computer_name" : "02694w-win10.corpcorp.com",
"process" : {
"pid" : 688,
"thread" : {
"id" : 9384
}
},
"keywords" : [
"Audit Success"
],
"logon" : {
"id" : "0x0",
"type" : "Network"
},
"channel" : "Security",
"event_data" : {
"LogonGuid" : "{daac0d7c-3273-752c-bf5d-ea1c60851819}",
"TargetOutboundDomainName" : "-",
"VirtualAccount" : "%%1843",
"LogonType" : "3",
"TransmittedServices" : "-",
"SubjectLogonId" : "0x0",
"LmPackageName" : "-",
"TargetOutboundUserName" : "-",
"KeyLength" : "0",
"RestrictedAdminMode" : "-",
"TargetLogonId" : "0xebd3d4",
"SubjectUserName" : "-",
"TargetLinkedLogonId" : "0x0",
"ElevatedToken" : "%%1842",
"SubjectDomainName" : "-",
"TargetUserName" : "Administrator",
"ImpersonationLevel" : "%%1833",
"LogonProcessName" : "Kerberos",
"TargetDomainName" : "CORPCORP.COM",
"SubjectUserSid" : "S-1-0-0",
"AuthenticationPackageName" : "Kerberos",
"TargetUserSid" : "S-1-5-21-308926384-506822093-3341789130-500"
},
"opcode" : "Info",
"version" : 2,
"record_id" : "59063",
"task" : "Logon",
"event_id" : "4624",
"provider_guid" : "{54849625-5478-4994-a5ba-3e3b0328c30d}",
"activity_id" : "{e22af019-58dd-0002-43f0-2ae2dd58d801}",
"api" : "wineventlog",
"provider_name" : "Microsoft-Windows-Security-Auditing"
},
"log" : {
"level" : "information"
},
"elastic_agent" : {
"id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
"version" : "8.0.0",
"snapshot" : false
},
"source" : {
"port" : 50480,
"ip" : "127.0.0.1",
"domain" : "-"
},
"message" : """An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes
Impersonation Level: Impersonation
New Logon:
Security ID: S-1-5-21-308926384-506822093-3341789130-500
Account Name: Administrator
Account Domain: CORPCORP.COM
Logon ID: 0xEBD3D4
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {daac0d7c-3273-752c-bf5d-ea1c60851819}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: -
Source Network Address: 127.0.0.1
Source Port: 50480
Detailed Authentication Information:
Logon Process: Kerberos
Authentication Package: Kerberos
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The impersonation level field indicates the extent to which a process in the logon session can impersonate.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
"input" : {
"type" : "winlog"
},
"@timestamp" : "2022-04-25T21:07:15.306Z",
"ecs" : {
"version" : "1.12.0"
},
"related" : {
"ip" : [
"127.0.0.1"
],
"user" : [
"Administrator"
]
},
"data_stream" : {
"namespace" : "default",
"type" : "logs",
"dataset" : "system.security"
},
"host" : {
"hostname" : "02694w-win10",
"os" : {
"build" : "18363.815",
"kernel" : "10.0.18362.815 (WinBuild.160101.0800)",
"name" : "Windows 10 Enterprise",
"family" : "windows",
"type" : "windows",
"version" : "10.0",
"platform" : "windows"
},
"ip" : [
"fe80::7587:a5c1:5a7b:68f6",
"172.16.66.25"
],
"name" : "02694w-win10.corpcorp.com",
"id" : "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
"mac" : [
"00:50:56:03:c6:93"
],
"architecture" : "x86_64"
},
"event" : {
"agent_id_status" : "verified",
"ingested" : "2022-04-25T21:51:43Z",
"code" : "4624",
"provider" : "Microsoft-Windows-Security-Auditing",
"kind" : "event",
"created" : "2022-04-25T21:51:08.433Z",
"action" : "logged-in",
"category" : [
"authentication"
],
"type" : [
"start"
],
"dataset" : "system.security",
"outcome" : "success"
},
"user" : {
"domain" : "CORPCORP.COM",
"name" : "Administrator",
"id" : "S-1-5-21-308926384-506822093-3341789130-500"
}
}
}
```
* Update privilege_escalation_krbrelayup_suspicious_logon.toml
* Update privilege_escalation_krbrelayup_suspicious_logon.toml
* Update privilege_escalation_krbrelayup_suspicious_logon.toml
* Update privilege_escalation_krbrelayup_suspicious_logon.toml
* Update privilege_escalation_krbrelayup_suspicious_logon.toml
* Update rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update etc/non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* relinted
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-04-27 01:39:54 +02:00
20d2e92cfe
Review & Fix Invalid References ( #1936 )
2022-04-26 17:57:15 -03:00
5bf321a505
[Rule Tuning] Exclude MS OneDrive/Teams from Component Object Model Hijacking ( #1932 )
...
* adjusted query to exclude OneDrive process name and MS Teams DLL reference in registry data strings
* adjusted formatting for altered query
* removed unecessary string used for reference
* removed unecessary parenthesis from new filters in query
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* added FileSyncConfig.exe for OneDrive, added regsvr32 to Teams DLL filter
* added investigation notes
* removed comment from original rule creation
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-04-26 11:43:33 -04:00
0943ffba5f
[Rule Tuning] Remove logs-windows.* index ( #1928 )
...
* Remove `logs-windows.*` index
* Update discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-04-14 09:25:44 -03:00
258418785f
MInor changes from Investigation Guides Review ( #1927 )
2022-04-13 16:53:29 -08:00
ebeb270075
[Security Content] Current Investigation Guides Review ( #1896 )
...
* Modify investigation guides
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
* Rewrite and apply previous reviews
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
* Update rules/windows/credential_access_spn_attribute_modified.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2022-04-12 22:05:13 -03:00
46f5af436e
[Security Content] Add Investigation Guides - 5 ( #1895 )
...
* [Security Content] Add Investigation Guides - 5
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-04-12 16:12:59 -08:00
3a5fceac3b
[Security Content] Add Investigation Guides - 3 ( #1836 )
...
* [Security Content] Add Investigation Guides - 3
* Adjust Investigation Guides and Config
* Adjust Config
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
2022-04-12 15:58:50 -08:00
3b6c594a22
Update discovery_net_command_system_account.toml ( #1912 )
2022-04-11 15:03:49 -03:00
9640ecb3fe
[Rule Tuning] AWS RDS Instance/Cluster Deletion ( #1916 )
...
* add RDS instance deletion to aws rule
I've added to this rule to improve coverage. Currently we detect creation and stopping of RDS clusters and instances. But, we only detect for the deletion of clusters, not instances. This adds the deletion of RDS instances to the detection.
* Update rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-04-10 15:33:33 -04:00
290763d9bb
[Security Content] Add Investigation Guides - 4 ( #1871 )
...
* [Security Content] Add Investigation Guides - 4
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/windows/initial_access_script_executing_powershell.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* lint
* Update persistence_user_account_creation.toml
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* .
* Fixes and lint
* .
* .
* revert modifications
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update impact_stop_process_service_threshold.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2022-04-10 15:37:06 -03:00
5073ef8be7
[Rule Tuning] AWS Security Group Configuration Change Detection ( #1915 )
...
* Update persistence_ec2_security_group_configuration_change_detection
Rule does not trigger as expected due to 'iam' provider. I changed the specified provider to 'ec2'.
* update to improve rule coverage
I edited this rule to include the deletion of an RDS Instance. This fills a current gap in coverage as we are able to detect the creation and stopping of RDS instances and clusters, but only detect deletion of RDS clusters.
* Revert "update to improve rule coverage"
This reverts commit b3b094274fe13c56908aa6781c8236de6e3b5380.
2022-04-07 14:47:09 -04:00
49074ddeaa
[Rule Tuning] Add EQL optional field syntax ( #1910 )
...
* Add optional EQL syntax
* Add min_stack_version
2022-04-05 16:32:37 -03:00
6bdfddac8e
Expand timestamp override tests ( #1907 )
...
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
2022-04-01 15:27:08 -08:00
93edc44284
[Rule Tuning] Timeline Templates For Windows and Linux ( #1892 )
...
* added comprehensive file timeline to Hosts File Modified rule
* added Comprehensive Process Timeline to Interactive Terminal Spawned via Python rule
* updated rules to have generic instead of comprehensive
* updated several rules with timeline ID and timeline title values
* changed updated_date for threat intel fleet integrations
* added missing templates to timeline_templates dict in definitions.py
* added comprehensive timeline templates to alerts after definitions.py was updated
* updated rules with comprehensive timeline templates and added min stack comments and versions
* removing timeline template changes which is tracked in #1904
* Update rules/linux/execution_python_tty_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Delete Pipfile
Removing pipfile
* Delete Pipfile.lock
deleting pipfile.lock
* Update rules/windows/execution_command_shell_started_by_svchost.toml
updating title
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-04-01 13:44:35 -04:00
e1b4a0d87c
Svchost spawning Cmd - False Positives Tuning ( #1894 )
2022-03-31 19:28:46 -03:00
8a59b49fea
[Security Content] Adjust Investigation Guides to be less generic ( #1805 )
...
* PowerShell Suspicious Script with Audio Capture Capabilities
* PowerShell Keylogging Script
* PowerShell MiniDump Script
* Potential Process Injection via PowerShell
* PowerShell Suspicious Discovery Related Windows API Functions
* Suspicious Portable Executable Encoded in Powershell Script
* PowerShell PSReflect Script
* Startup/Logon Script added to Group Policy Object
* Group Policy Abuse for Privilege Addition
* Scheduled Task Execution at Scale via GPO
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
* Adjust Posh desc
* .
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
* .
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update privilege_escalation_group_policy_scheduled_task.toml
* Update rules/windows/privilege_escalation_group_policy_iniscript.toml
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2022-03-31 11:29:30 -03:00
a3d7427d29
[Security Content] Add Investigation Guides - 2 ( #1822 )
...
* Add Investigation Guides for Windows Rules - First half
* + 1/2
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update credential_access_mod_wdigest_security_provider.toml
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update defense_evasion_amsienable_key_mod.toml
* Update defense_evasion_amsienable_key_mod.toml
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
* Update command_and_control_certutil_network_connection.toml
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
* Update collection_winrar_encryption.toml
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
2022-03-30 14:43:55 -03:00
8d09bca633
Re-add c89 rules ( #1900 )
2022-03-29 15:01:48 -08:00
507a23ba01
temp remove rule to readd with backport ( #1898 )
2022-03-29 14:52:04 -08:00
bcec8a4479
Linux Shell Evasion Rule Tuning ( #1878 )
...
* Linux Shell Evasion Rule Tuning
* Update execution_python_tty_shell.toml
* Update rules/linux/execution_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_apt_binary.toml
* Update rules/linux/execution_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_awk_binary_shell.toml
* Update rules/linux/execution_c89_c99_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_c89_c99_binary.toml
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_cpulimit_binary.toml
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_expect_binary.toml
* Update rules/linux/execution_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_find_binary.toml
* Update rules/linux/execution_gcc_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_gcc_binary.toml
* Update rules/linux/execution_mysql_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_mysql_binary.toml
* Update rules/linux/execution_nice_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_nice_binary.toml
* Update rules/linux/execution_ssh_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_ssh_binary.toml
* Update execution_perl_tty_shell.toml
* Update execution_python_tty_shell.toml
* Update rules/linux/execution_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_c89_c99_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_gcc_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_mysql_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_nice_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_ssh_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-29 09:16:21 -05:00
fb40a4a8c7
Description updation across multiple rules ( #1893 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-28 22:54:37 +05:30
9ad3d39a32
Add Jamf Connect exception for macOS users enumeration rule ( #1891 )
...
* Update discovery_users_domain_built_in_commands.toml
Jamf Connect uses ldapsearch to synchronize user passwords.
* change rule update date
2022-03-28 13:13:28 -03:00
3d4eaf4caf
Adding path as stated in #1812 ( #1889 )
...
* Adding path as stated in #1812
* Bumping updated_date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-27 08:07:38 -03:00
940689576d
[New Rule] Account configured with never Expiring Password ( #1790 )
...
* Create persistence_nopasswd_account.toml
* Update persistence_nopasswd_account.toml
* Update persistence_nopasswd_account.toml
* .
* Update persistence_dontexpirepasswd_account.toml
* Update persistence_dontexpirepasswd_account.toml
2022-03-26 08:19:28 -03:00
cdb3dd6dbe
[Security Content] Add Investigation Guides ( #1799 )
...
* Update impact_backup_file_deletion.toml
* Update credential_access_seenabledelegationprivilege_assigned_to_user.toml
* Update defense_evasion_ms_office_suspicious_regmod.toml
* Update credential_access_posh_request_ticket.toml
* Update credential_access_disable_kerberos_preauth.toml
* Fix missing hyphen
* Update rules/windows/credential_access_posh_request_ticket.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/windows/credential_access_posh_request_ticket.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update credential_access_posh_request_ticket.toml
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
* Remove extra line
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Lint and adjusts
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: benironside <91905639+benironside@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com >
2022-03-24 18:16:00 -03:00
3474f8c8e4
flock shell evasion threat ( #1863 )
...
* flock shell evasion threat
* Update rules/linux/execution_flock_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_flock_binary.toml
* Update rules/linux/execution_flock_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-24 15:52:18 -05:00
152477904f
vim shell evasion threat ( #1865 )
...
* vim shell evasion threat
* Update rules/linux/execution_vi_binary.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_vi_binary.toml
* Update rules/linux/execution_vi_binary.toml
* Update rules/linux/execution_vi_binary.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-03-24 15:37:20 -05:00
df7bed4408
[New Rule] User account exposed to Kerberoasting ( #1789 )
...
* Create credential_access_spn_attribute_modified.toml
* Update credential_access_spn_attribute_modified.toml
* Update non-ecs-schema.json
* Update rules/windows/credential_access_spn_attribute_modified.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2022-03-23 16:31:47 -03:00
c254d0de8b
[New Rule] Suspicious Remote Registry Access via SeBackupPrivilege ( #1783 )
...
* [New Rule] Suspicious Remote Registry Access via SeBackupPrivilege
https://github.com/mpgn/BackupOperatorToDA
https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp
Detection mainly occurs on AD/DC side :
EQL
```
sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m
[iam where event.action == "logged-in-special" and
winlog.event_data.PrivilegeList : "SeBackupPrivilege"]
[any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"]
```
```
"sequences" : [
{
"join_keys" : [
"83989f29-8447-4b3c-a54b-4a0f7e5a4872",
"0x2a23a5"
],
"events" : [
{
"_index" : ".ds-logs-system.security-default-2022.02.11-000001",
"_id" : "L68HAn8BQQK22TUvoE_k",
"_source" : {
"agent" : {
"name" : "01566s-win16-ir",
"id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683",
"type" : "filebeat",
"ephemeral_id" : "26383f4e-4412-4aa4-8ed4-7e729fb593e8",
"version" : "8.0.0"
},
"winlog" : {
"computer_name" : "01566s-win16-ir.threebeesco.com",
"process" : {
"pid" : 624,
"thread" : {
"id" : 756
}
},
"keywords" : [
"Audit Success"
],
"logon" : {
"id" : "0x2a23a5"
},
"channel" : "Security",
"event_data" : {
"SubjectUserName" : "samir",
"SubjectDomainName" : "3B",
"SubjectLogonId" : "0x2a23a5",
"PrivilegeList" : [
"SeBackupPrivilege",
"SeRestorePrivilege"
],
"SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-220106"
},
"opcode" : "Info",
"record_id" : "2987813",
"task" : "Special Logon",
"event_id" : "4672",
"provider_guid" : "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"api" : "wineventlog",
"provider_name" : "Microsoft-Windows-Security-Auditing"
},
"log" : {
"level" : "information"
},
"elastic_agent" : {
"id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683",
"version" : "8.0.0",
"snapshot" : false
},
"message" : """Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-21-308926384-506822093-3341789130-220106
Account Name: samir
Account Domain: 3B
Logon ID: 0x2A23A5
Privileges: SeBackupPrivilege
SeRestorePrivilege""",
"input" : {
"type" : "winlog"
},
"@timestamp" : "2022-02-16T10:15:26.330Z",
"ecs" : {
"version" : "1.12.0"
},
"related" : {
"user" : [
"samir"
]
},
"data_stream" : {
"namespace" : "default",
"type" : "logs",
"dataset" : "system.security"
},
"host" : {
"hostname" : "01566s-win16-ir",
"os" : {
"build" : "14393.3659",
"kernel" : "10.0.14393.3659 (rs1_release_1.200410-1813)",
"name" : "Windows Server 2016 Datacenter",
"type" : "windows",
"family" : "windows",
"version" : "10.0",
"platform" : "windows"
},
"ip" : [
"172.16.66.36",
"fe80::ffff:ffff:fffe",
"fe80::5efe:ac10:4224"
],
"name" : "01566s-win16-ir.threebeesco.com",
"id" : "83989f29-8447-4b3c-a54b-4a0f7e5a4872",
"mac" : [
"00:50:56:24:6c:d2",
"00:00:00:00:00:00:00:e0",
"00:00:00:00:00:00:00:e0"
],
"architecture" : "x86_64"
},
"event" : {
"agent_id_status" : "verified",
"ingested" : "2022-02-16T10:15:28Z",
"code" : "4672",
"provider" : "Microsoft-Windows-Security-Auditing",
"created" : "2022-02-16T10:15:27.675Z",
"kind" : "event",
"action" : "logged-in-special",
"category" : [
"iam"
],
"type" : [
"admin"
],
"dataset" : "system.security",
"outcome" : "success"
},
"user" : {
"domain" : "3B",
"name" : "samir",
"id" : "S-1-5-21-308926384-506822093-3341789130-220106"
}
}
},
{
"_index" : ".ds-logs-system.security-default-2022.02.11-000001",
"_id" : "Mq8HAn8BQQK22TUvoE_k",
"_source" : {
"agent" : {
"name" : "01566s-win16-ir",
"id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683",
"ephemeral_id" : "26383f4e-4412-4aa4-8ed4-7e729fb593e8",
"type" : "filebeat",
"version" : "8.0.0"
},
"winlog" : {
"computer_name" : "01566s-win16-ir.threebeesco.com",
"process" : {
"pid" : 4,
"thread" : {
"id" : 1176
}
},
"keywords" : [
"Audit Success"
],
"logon" : {
"id" : "0x2a23a5"
},
"channel" : "Security",
"event_data" : {
"ShareName" : """\\*\IPC$""",
"IpPort" : "50071",
"SubjectLogonId" : "0x2a23a5",
"AccessMask" : "0x12019f",
"ObjectType" : "File",
"SubjectUserName" : "samir",
"AccessReason" : "-",
"SubjectDomainName" : "3B",
"IpAddress" : "172.16.66.25",
"AccessMaskDescription" : [
"List Object",
"Read Property",
"Create Child",
"Control Access",
"Delete Child",
"List Contents",
"SELF",
"SYNCHRONIZE",
"READ_CONTROL"
],
"RelativeTargetName" : "winreg",
"AccessList" : """%%1538
%%1541
%%4416
%%4417
%%4418
%%4419
%%4420
%%4423
%%4424
""",
"SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-220106"
},
"opcode" : "Info",
"record_id" : "2987816",
"event_id" : "5145",
"task" : "Detailed File Share",
"provider_guid" : "{54849625-5478-4994-A5BA-3E3B0328C30D}",
"api" : "wineventlog",
"provider_name" : "Microsoft-Windows-Security-Auditing"
},
"log" : {
"level" : "information"
},
"elastic_agent" : {
"id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683",
"version" : "8.0.0",
"snapshot" : false
},
"message" : """A network share object was checked to see whether client can be granted desired access.
Subject:
Security ID: S-1-5-21-308926384-506822093-3341789130-220106
Account Name: samir
Account Domain: 3B
Logon ID: 0x2A23A5
Network Information:
Object Type: File
Source Address: 172.16.66.25
Source Port: 50071
Share Information:
Share Name: \\*\IPC$
Share Path:
Relative Target Name: winreg
Access Request Information:
Access Mask: 0x12019F
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
Access Check Results:
-""",
"input" : {
"type" : "winlog"
},
"@timestamp" : "2022-02-16T10:15:26.336Z",
"ecs" : {
"version" : "1.12.0"
},
"data_stream" : {
"namespace" : "default",
"type" : "logs",
"dataset" : "system.security"
},
"host" : {
"hostname" : "01566s-win16-ir",
"os" : {
"build" : "14393.3659",
"kernel" : "10.0.14393.3659 (rs1_release_1.200410-1813)",
"name" : "Windows Server 2016 Datacenter",
"family" : "windows",
"type" : "windows",
"version" : "10.0",
"platform" : "windows"
},
"ip" : [
"172.16.66.36",
"fe80::ffff:ffff:fffe",
"fe80::5efe:ac10:4224"
],
"name" : "01566s-win16-ir.threebeesco.com",
"id" : "83989f29-8447-4b3c-a54b-4a0f7e5a4872",
"mac" : [
"00:50:56:24:6c:d2",
"00:00:00:00:00:00:00:e0",
"00:00:00:00:00:00:00:e0"
],
"architecture" : "x86_64"
},
"event" : {
"agent_id_status" : "verified",
"ingested" : "2022-02-16T10:15:28Z",
"code" : "5145",
"provider" : "Microsoft-Windows-Security-Auditing",
"kind" : "event",
"created" : "2022-02-16T10:15:27.675Z",
"action" : "Detailed File Share",
"dataset" : "system.security",
"outcome" : "success"
}
}
}
]
},
```
* Update non-ecs-schema.json
* Update rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-03-23 19:42:03 +01:00
46c2383e5b
[New Rule] Okta User Session Impersonation ( #1867 )
...
* [New Rule] Okta User Session Impersonation
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-03-22 16:11:29 -08:00
2ed97d2e8c
[Rule Tuning] Adding event.provider to AWS WAF Rule or Rule Group Deletion ( #1833 )
...
* Adding event.provider
* Removing new line
* Updating updated_date field
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-03-22 20:36:53 -03:00
22367d3702
crash shell evasion threat ( #1861 )
2022-03-22 18:46:05 +05:30
2ab5a1f44a
[New Rule] cpulimit shell evasion threat ( #1851 )
...
* cpulimit shell evasion threat
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-03-21 12:16:53 -05:00
096723b2a1
[Rule Tuning] Symbolic Link to Shadow Copy Created ( #1830 )
...
* fixed duplicated file name
* deprecated Symbolic Link to Shadow Copy Created as it may be prone to FP and the intrusion steps are covered with NTDS or SAM Database File Copied
* moved rule back to production, added investigation notes and sequencing to EQL query
* added related rule 3bc6deaa-fbd4-433a-ae21-3e892f95624f to investigation notes
* updating with minor changes
* adjusted related rules
* adjusted investigation notes
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* TOML linted and adjusted updated date
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2022-03-18 11:08:29 -04:00
7feebc2c10
Updation of Mitre Tactic and Threats ( #1850 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-18 15:06:24 +05:30
22dd7f0ada
Deprecate PrintNightmare Rules ( #1852 )
2022-03-17 19:39:36 -03:00
a6edb7cfcf
Update defense_evasion_posh_process_injection.toml ( #1838 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-17 19:37:42 -03:00
b492258fb0
[New Rule] busybox shell evasion threat ( #1842 )
...
* busybox shell evasion threat
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2022-03-17 09:54:46 +05:30
f7735df1d5
[New Rule] c89/c99 shell evasion threat ( #1840 )
...
* c88/c99 shell evasion threat
2022-03-16 23:06:34 +05:30
e0f8f61ca0
Update persistence_user_account_added_to_privileged_group_ad.toml ( #1845 )
2022-03-16 13:06:04 -03:00
b5f06f455c
Update defense_evasion_microsoft_defender_tampering.toml ( #1837 )
2022-03-14 20:07:39 -03:00
53fbc50ea1
[New Rule] AdminSDHolder SDProp Exclusion Added ( #1795 )
...
* AdminSDHolder SDProp Exclusion Added Initial Rule
* Update persistence_sdprop_exclusion_dsheuristics.toml
* Update rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-03-10 14:17:01 -03:00
Justin Ibarra