sigma-rules

Author	SHA1	Message	Date
Jonhnathan	c31d5ffd32	[Rule Tuning] Add EQL optional field syntax (#1910 ) * Add optional EQL syntax * Add min_stack_version (cherry picked from commit `49074ddeaa`)	2022-04-05 19:35:54 +00:00
Justin Ibarra	3311168e28	Expand timestamp override tests (#1907 ) * Expand timestamp_override tests * removed timestamp_override from eql sequence rules * add config entry for eql rules with beats index and t_o * add timestamp_override to missing fields Removed changes from: - rules/cross-platform/impact_hosts_file_modified.toml - rules/windows/credential_access_lsass_memdump_file_created.toml - rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml - rules/windows/defense_evasion_execution_lolbas_wuauclt.toml - rules/windows/defense_evasion_suspicious_certutil_commands.toml - rules/windows/execution_command_shell_started_by_svchost.toml (selectively cherry picked from commit `6bdfddac8e`)	2022-04-01 23:29:22 +00:00
Terrance DeJesus	4d9124aaf7	Prep for Creation of 8.3 Branch (#1906 ) * updating with changes for 8.3 prep * adding updates * adjusted version in packages.yml Removed changes from: - etc/packages.yml (selectively cherry picked from commit `648daf1237`)	2022-04-01 21:35:45 +00:00
Terrance DeJesus	16fa48b56d	added comprehensive timeline template definitions (#1905 ) (cherry picked from commit `e72031a71a`)	2022-04-01 16:54:20 +00:00
Jonhnathan	c3b7dc58b0	Svchost spawning Cmd - False Positives Tuning (#1894 ) (cherry picked from commit `e1b4a0d87c`)	2022-03-31 22:31:11 +00:00
Jonhnathan	a078da877b	[Security Content] Adjust Investigation Guides to be less generic (#1805 ) * PowerShell Suspicious Script with Audio Capture Capabilities * PowerShell Keylogging Script * PowerShell MiniDump Script * Potential Process Injection via PowerShell * PowerShell Suspicious Discovery Related Windows API Functions * Suspicious Portable Executable Encoded in Powershell Script * PowerShell PSReflect Script * Startup/Logon Script added to Group Policy Object * Group Policy Abuse for Privilege Addition * Scheduled Task Execution at Scale via GPO * Apply suggestions from code review Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> * Adjust Posh desc * . * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> * . * Apply suggestions from code review Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update privilege_escalation_group_policy_scheduled_task.toml * Update rules/windows/privilege_escalation_group_policy_iniscript.toml Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> (cherry picked from commit `8a59b49fea`)	2022-03-31 14:32:15 +00:00
Jonhnathan	2ad8b32ce2	[Security Content] Add Investigation Guides - 2 (#1822 ) * Add Investigation Guides for Windows Rules - First half * + 1/2 * Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml * Update credential_access_mod_wdigest_security_provider.toml * Apply suggestions from code review Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update defense_evasion_amsienable_key_mod.toml * Update defense_evasion_amsienable_key_mod.toml * Apply suggestions from code review Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> * Update command_and_control_certutil_network_connection.toml * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> * Update collection_winrar_encryption.toml * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co> (cherry picked from commit `a3d7427d29`)	2022-03-30 17:46:34 +00:00
Colson Wilhoit	b67a0f6602	Linux Shell Evasion Rule Tuning (#1878 ) * Linux Shell Evasion Rule Tuning * Update execution_python_tty_shell.toml * Update rules/linux/execution_apt_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_apt_binary.toml * Update rules/linux/execution_awk_binary_shell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_awk_binary_shell.toml * Update rules/linux/execution_c89_c99_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_c89_c99_binary.toml * Update rules/linux/execution_cpulimit_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_cpulimit_binary.toml * Update rules/linux/execution_expect_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_expect_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_expect_binary.toml * Update rules/linux/execution_find_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_find_binary.toml * Update rules/linux/execution_gcc_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_gcc_binary.toml * Update rules/linux/execution_mysql_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_mysql_binary.toml * Update rules/linux/execution_nice_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_nice_binary.toml * Update rules/linux/execution_ssh_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_ssh_binary.toml * Update execution_perl_tty_shell.toml * Update execution_python_tty_shell.toml * Update rules/linux/execution_apt_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_awk_binary_shell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_c89_c99_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_cpulimit_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_expect_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_find_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_gcc_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_mysql_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_nice_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_ssh_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-03-29 21:09:31 -04:00
Justin Ibarra	1dc901ba09	reset evasion rules (#1902 ) (cherry picked from commit `5214209f8d`)	2022-03-29 23:50:21 +00:00
Justin Ibarra	bd228ae2fb	Re-add c89 rules (#1900 ) (cherry picked from commit `8d09bca633`)	2022-03-29 23:04:26 +00:00
shashank-elastic	bec28db01c	Description updation across multiple rules (#1893 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `fb40a4a8c7`)	2022-03-28 17:27:16 +00:00
Damià Poquet Femenia	941b85bcdf	Add Jamf Connect exception for macOS users enumeration rule (#1891 ) * Update discovery_users_domain_built_in_commands.toml Jamf Connect uses ldapsearch to synchronize user passwords. * change rule update date (cherry picked from commit `9ad3d39a32`)	2022-03-28 16:16:07 +00:00
Stijn Holzhauer	dd65a325af	Adding path as stated in #1812 (#1889 ) * Adding path as stated in #1812 * Bumping updated_date Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> (cherry picked from commit `3d4eaf4caf`)	2022-03-27 11:09:59 +00:00
Jonhnathan	0f545def6e	[New Rule] Account configured with never Expiring Password (#1790 ) * Create persistence_nopasswd_account.toml * Update persistence_nopasswd_account.toml * Update persistence_nopasswd_account.toml * . * Update persistence_dontexpirepasswd_account.toml * Update persistence_dontexpirepasswd_account.toml (cherry picked from commit `940689576d`)	2022-03-26 11:21:30 +00:00
Justin Ibarra	3622584cf3	Add kibana-update and fleet-release templates (#1887 ) (cherry picked from commit `cbeb767156`)	2022-03-26 07:46:49 +00:00
Justin Ibarra	be8ef24c5f	Add type to deprecated rules in version.lock (#1881 ) (cherry picked from commit `d71154b272`)	2022-03-25 01:44:38 +00:00
Justin Ibarra	22945ed97b	[Bug] Fix bug in version_lock.py (#1880 ) (cherry picked from commit `17ef6c558c`)	2022-03-24 23:43:37 +00:00
Jonhnathan	14a55aed05	[Security Content] Add Investigation Guides (#1799 ) * Update impact_backup_file_deletion.toml * Update credential_access_seenabledelegationprivilege_assigned_to_user.toml * Update defense_evasion_ms_office_suspicious_regmod.toml * Update credential_access_posh_request_ticket.toml * Update credential_access_disable_kerberos_preauth.toml * Fix missing hyphen * Update rules/windows/credential_access_posh_request_ticket.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update rules/windows/credential_access_posh_request_ticket.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update credential_access_posh_request_ticket.toml * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> * Remove extra line * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> * Lint and adjusts * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: benironside <91905639+benironside@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> (cherry picked from commit `cdb3dd6dbe`)	2022-03-24 21:18:19 +00:00
shashank-elastic	c2d4ec90cc	flock shell evasion threat (#1863 ) * flock shell evasion threat * Update rules/linux/execution_flock_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_flock_binary.toml * Update rules/linux/execution_flock_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `3474f8c8e4`)	2022-03-24 20:56:10 +00:00
shashank-elastic	42c6e68cc3	vim shell evasion threat (#1865 ) * vim shell evasion threat * Update rules/linux/execution_vi_binary.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_vi_binary.toml * Update rules/linux/execution_vi_binary.toml * Update rules/linux/execution_vi_binary.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> (cherry picked from commit `152477904f`)	2022-03-24 20:39:56 +00:00
Justin Ibarra	37419d94e7	Prevent changes to rule type for locked rules (#1855 ) * add rule type to the rule lock_info * add check in VersionLock; add type to version.lock * print changes only on save (cherry picked from commit `11ec9c230e`)	2022-03-24 19:58:51 +00:00
Justin Ibarra	742c3c49c8	[Bug] Version bump with previous (#1870 ) * save changes to top level for route C; verbose prints * update top level on forked rule without overriding min_stack_version * add check to ensure previous version !> current (cherry picked from commit `f4c94af994`)	2022-03-24 19:14:36 +00:00
Mika Ayenson	4e97631893	1554 update eql schemas to fail validation on text fields (#1866 ) * Ensure kql2eql conversion doesnt support `text` fields * Add unit test cases for`text` not supported in eql * test `field not recognized` in the rule_validator and output a verbose message. * use elasticsearch_type_family to lookup text mappings Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> (cherry picked from commit `1f015ebe85`)	2022-03-23 20:28:03 +00:00
Jonhnathan	8282d34781	[New Rule] User account exposed to Kerberoasting (#1789 ) * Create credential_access_spn_attribute_modified.toml * Update credential_access_spn_attribute_modified.toml * Update non-ecs-schema.json * Update rules/windows/credential_access_spn_attribute_modified.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> (cherry picked from commit `df7bed4408`)	2022-03-23 19:34:12 +00:00
Samirbous	cfa5bafb79	[New Rule] Suspicious Remote Registry Access via SeBackupPrivilege (#1783 ) * [New Rule] Suspicious Remote Registry Access via SeBackupPrivilege https://github.com/mpgn/BackupOperatorToDA https://raw.githubusercontent.com/Wh04m1001/Random/main/BackupOperators.cpp Detection mainly occurs on AD/DC side : EQL ``` sequence by host.id, winlog.event_data.SubjectLogonId with maxspan=1m [iam where event.action == "logged-in-special" and winlog.event_data.PrivilegeList : "SeBackupPrivilege"] [any where event.action == "Detailed File Share" and winlog.event_data.RelativeTargetName : "winreg"] ``` ``` "sequences" : [ { "join_keys" : [ "83989f29-8447-4b3c-a54b-4a0f7e5a4872", "0x2a23a5" ], "events" : [ { "_index" : ".ds-logs-system.security-default-2022.02.11-000001", "_id" : "L68HAn8BQQK22TUvoE_k", "_source" : { "agent" : { "name" : "01566s-win16-ir", "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683", "type" : "filebeat", "ephemeral_id" : "26383f4e-4412-4aa4-8ed4-7e729fb593e8", "version" : "8.0.0" }, "winlog" : { "computer_name" : "01566s-win16-ir.threebeesco.com", "process" : { "pid" : 624, "thread" : { "id" : 756 } }, "keywords" : [ "Audit Success" ], "logon" : { "id" : "0x2a23a5" }, "channel" : "Security", "event_data" : { "SubjectUserName" : "samir", "SubjectDomainName" : "3B", "SubjectLogonId" : "0x2a23a5", "PrivilegeList" : [ "SeBackupPrivilege", "SeRestorePrivilege" ], "SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-220106" }, "opcode" : "Info", "record_id" : "2987813", "task" : "Special Logon", "event_id" : "4672", "provider_guid" : "{54849625-5478-4994-A5BA-3E3B0328C30D}", "api" : "wineventlog", "provider_name" : "Microsoft-Windows-Security-Auditing" }, "log" : { "level" : "information" }, "elastic_agent" : { "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683", "version" : "8.0.0", "snapshot" : false }, "message" : """Special privileges assigned to new logon. Subject: Security ID: S-1-5-21-308926384-506822093-3341789130-220106 Account Name: samir Account Domain: 3B Logon ID: 0x2A23A5 Privileges: SeBackupPrivilege SeRestorePrivilege""", "input" : { "type" : "winlog" }, "@timestamp" : "2022-02-16T10:15:26.330Z", "ecs" : { "version" : "1.12.0" }, "related" : { "user" : [ "samir" ] }, "data_stream" : { "namespace" : "default", "type" : "logs", "dataset" : "system.security" }, "host" : { "hostname" : "01566s-win16-ir", "os" : { "build" : "14393.3659", "kernel" : "10.0.14393.3659 (rs1_release_1.200410-1813)", "name" : "Windows Server 2016 Datacenter", "type" : "windows", "family" : "windows", "version" : "10.0", "platform" : "windows" }, "ip" : [ "172.16.66.36", "fe80::ffff:ffff:fffe", "fe80::5efe:ac10:4224" ], "name" : "01566s-win16-ir.threebeesco.com", "id" : "83989f29-8447-4b3c-a54b-4a0f7e5a4872", "mac" : [ "00:50:56:24:6c:d2", "00:00:00:00:00:00:00:e0", "00:00:00:00:00:00:00:e0" ], "architecture" : "x86_64" }, "event" : { "agent_id_status" : "verified", "ingested" : "2022-02-16T10:15:28Z", "code" : "4672", "provider" : "Microsoft-Windows-Security-Auditing", "created" : "2022-02-16T10:15:27.675Z", "kind" : "event", "action" : "logged-in-special", "category" : [ "iam" ], "type" : [ "admin" ], "dataset" : "system.security", "outcome" : "success" }, "user" : { "domain" : "3B", "name" : "samir", "id" : "S-1-5-21-308926384-506822093-3341789130-220106" } } }, { "_index" : ".ds-logs-system.security-default-2022.02.11-000001", "_id" : "Mq8HAn8BQQK22TUvoE_k", "_source" : { "agent" : { "name" : "01566s-win16-ir", "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683", "ephemeral_id" : "26383f4e-4412-4aa4-8ed4-7e729fb593e8", "type" : "filebeat", "version" : "8.0.0" }, "winlog" : { "computer_name" : "01566s-win16-ir.threebeesco.com", "process" : { "pid" : 4, "thread" : { "id" : 1176 } }, "keywords" : [ "Audit Success" ], "logon" : { "id" : "0x2a23a5" }, "channel" : "Security", "event_data" : { "ShareName" : """\\\IPC$""", "IpPort" : "50071", "SubjectLogonId" : "0x2a23a5", "AccessMask" : "0x12019f", "ObjectType" : "File", "SubjectUserName" : "samir", "AccessReason" : "-", "SubjectDomainName" : "3B", "IpAddress" : "172.16.66.25", "AccessMaskDescription" : [ "List Object", "Read Property", "Create Child", "Control Access", "Delete Child", "List Contents", "SELF", "SYNCHRONIZE", "READ_CONTROL" ], "RelativeTargetName" : "winreg", "AccessList" : """%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424 """, "SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-220106" }, "opcode" : "Info", "record_id" : "2987816", "event_id" : "5145", "task" : "Detailed File Share", "provider_guid" : "{54849625-5478-4994-A5BA-3E3B0328C30D}", "api" : "wineventlog", "provider_name" : "Microsoft-Windows-Security-Auditing" }, "log" : { "level" : "information" }, "elastic_agent" : { "id" : "0517bf72-e8ae-4f53-bc09-cdf3428aa683", "version" : "8.0.0", "snapshot" : false }, "message" : """A network share object was checked to see whether client can be granted desired access. Subject: Security ID: S-1-5-21-308926384-506822093-3341789130-220106 Account Name: samir Account Domain: 3B Logon ID: 0x2A23A5 Network Information: Object Type: File Source Address: 172.16.66.25 Source Port: 50071 Share Information: Share Name: \\\IPC$ Share Path: Relative Target Name: winreg Access Request Information: Access Mask: 0x12019F Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) ReadEA WriteEA ReadAttributes WriteAttributes Access Check Results: -""", "input" : { "type" : "winlog" }, "@timestamp" : "2022-02-16T10:15:26.336Z", "ecs" : { "version" : "1.12.0" }, "data_stream" : { "namespace" : "default", "type" : "logs", "dataset" : "system.security" }, "host" : { "hostname" : "01566s-win16-ir", "os" : { "build" : "14393.3659", "kernel" : "10.0.14393.3659 (rs1_release_1.200410-1813)", "name" : "Windows Server 2016 Datacenter", "family" : "windows", "type" : "windows", "version" : "10.0", "platform" : "windows" }, "ip" : [ "172.16.66.36", "fe80::ffff:ffff:fffe", "fe80::5efe:ac10:4224" ], "name" : "01566s-win16-ir.threebeesco.com", "id" : "83989f29-8447-4b3c-a54b-4a0f7e5a4872", "mac" : [ "00:50:56:24:6c:d2", "00:00:00:00:00:00:00:e0", "00:00:00:00:00:00:00:e0" ], "architecture" : "x86_64" }, "event" : { "agent_id_status" : "verified", "ingested" : "2022-02-16T10:15:28Z", "code" : "5145", "provider" : "Microsoft-Windows-Security-Auditing", "kind" : "event", "created" : "2022-02-16T10:15:27.675Z", "action" : "Detailed File Share", "dataset" : "system.security", "outcome" : "success" } } } ] }, ``` * Update non-ecs-schema.json * Update rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> (cherry picked from commit `c254d0de8b`)	2022-03-23 18:44:44 +00:00
Justin Ibarra	5bc3d1e2d5	[New Rule] Okta User Session Impersonation (#1867 ) * [New Rule] Okta User Session Impersonation Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> (cherry picked from commit `46c2383e5b`)	2022-03-23 00:13:53 +00:00
Stijn Holzhauer	99597a2ed2	[Rule Tuning] Adding event.provider to AWS WAF Rule or Rule Group Deletion (#1833 ) * Adding event.provider * Removing new line * Updating updated_date field Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> (cherry picked from commit `2ed97d2e8c`)	2022-03-22 23:40:22 +00:00
shashank-elastic	bbf92cec94	crash shell evasion threat (#1861 ) (cherry picked from commit `22367d3702`)	2022-03-22 13:20:12 +00:00
shashank-elastic	d4c426a022	[New Rule] cpulimit shell evasion threat (#1851 ) * cpulimit shell evasion threat * Update rules/linux/execution_cpulimit_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_cpulimit_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> (cherry picked from commit `2ab5a1f44a`)	2022-03-21 17:20:00 +00:00
Terrance DeJesus	d26759d5a8	[Rule Tuning] Symbolic Link to Shadow Copy Created (#1830 ) * fixed duplicated file name * deprecated Symbolic Link to Shadow Copy Created as it may be prone to FP and the intrusion steps are covered with NTDS or SAM Database File Copied * moved rule back to production, added investigation notes and sequencing to EQL query * added related rule 3bc6deaa-fbd4-433a-ae21-3e892f95624f to investigation notes * updating with minor changes * adjusted related rules * adjusted investigation notes * Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * TOML linted and adjusted updated date Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> (cherry picked from commit `096723b2a1`)	2022-03-18 15:11:05 +00:00
Mika Ayenson	a951b99c13	update beats master branch ref to main (#1853 ) * update beats master branch ref to main * update filename of master beat schema to main * delete old main beats schema * rebuilt main beats archive (cherry picked from commit `84b7ce6582`)	2022-03-18 14:09:10 +00:00
shashank-elastic	b7d064d210	Updation of Mitre Tactic and Threats (#1850 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `7feebc2c10`)	2022-03-18 09:38:46 +00:00
Jonhnathan	18532b8468	Deprecate PrintNightmare Rules (#1852 ) (cherry picked from commit `22dd7f0ada`)	2022-03-17 22:41:59 +00:00
Jonhnathan	185b23e169	Update defense_evasion_posh_process_injection.toml (#1838 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `a6edb7cfcf`)	2022-03-17 22:39:54 +00:00
shashank-elastic	174add51cc	[New Rule] busybox shell evasion threat (#1842 ) * busybox shell evasion threat Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `b492258fb0`)	2022-03-17 04:26:58 +00:00
Justin Ibarra	9bc0ecbe55	Bump EQL to 0.9.12 (#1849 ) * Bump EQL to 0.9.12 * remove duplicate jsonschema (cherry picked from commit `eb2f62940d`)	2022-03-17 00:31:45 +00:00
Jonhnathan	8183b33240	Update persistence_user_account_added_to_privileged_group_ad.toml (#1845 ) (cherry picked from commit `e0f8f61ca0`)	2022-03-16 16:32:22 +00:00
Jonhnathan	1b5720caa5	Update defense_evasion_microsoft_defender_tampering.toml (#1837 ) (cherry picked from commit `b5f06f455c`)	2022-03-14 23:10:00 +00:00
Jonhnathan	944357ffd6	[New Rule] AdminSDHolder SDProp Exclusion Added (#1795 ) * AdminSDHolder SDProp Exclusion Added Initial Rule * Update persistence_sdprop_exclusion_dsheuristics.toml * Update rules/windows/persistence_sdprop_exclusion_dsheuristics.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> (cherry picked from commit `53fbc50ea1`)	2022-03-10 17:19:47 +00:00
shashank-elastic	b2a6abf831	gcc shell evasion threat (#1824 ) (cherry picked from commit `c05f3c8aa3`)	2022-03-10 17:14:14 +00:00
shashank-elastic	632d7015b6	ssh shell evasion threat (#1827 ) (cherry picked from commit `b49cce9fcb`)	2022-03-10 17:11:52 +00:00
shashank-elastic	9e91249421	mysql shell evasion threat (#1823 ) (cherry picked from commit `ddbc1de45c`)	2022-03-10 17:09:25 +00:00
shashank-elastic	41c915c42e	expect shell evasion threat (#1817 ) * expect shell evasion threat * expect shell evasion threat * Update rules/linux/defense_evasion_expect_binary.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `334aa12aaf`)	2022-03-07 20:26:43 +00:00
shashank-elastic	4cf4a66a4b	nice shell evasion threat (#1820 ) * nice shell evasion threat * Update rules/linux/defense_evasion_nice_binary.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `2b6a357a4b`)	2022-03-07 20:02:05 +00:00
shashank-elastic	aaf1ab6bb2	[Rule Tuning] Rule description updates (#1811 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> (cherry picked from commit `f9503f2096`)	2022-03-07 14:06:37 +00:00
shashank-elastic	c4fea2fc00	[New Rule] Linux Restricted Shell Breakout via the Vi command (#1809 ) * new:rule:issue-1808 vi shell evasion threat * Update rules/linux/defense_evasion_vi_binary.toml * Update rules/linux/defense_evasion_vi_binary.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * new:rule:issue-1808 vi shell evasion threat * new:rule:issue-1808 vi shell evasion threat * new:rule:issue-1808 vi shell evasion threat * Update rules/linux/defense_evasion_vi_binary.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> (cherry picked from commit `2a82f18e43`)	2022-03-04 19:48:40 +00:00
Apoorva Joshi	029495c16e	Updating beaconing docs (#1815 ) * Updating beaconind docs * Update beaconing.md * Update beaconing.md (cherry picked from commit `b6737aa2c3`)	2022-03-04 19:36:59 +00:00
Justin Ibarra	6120265ba4	[Github Workflows] Only generate navigator files on push to main (#1814 ) * [Github Workflows] Only generate navigator files on push to main * fix workflow logic syntax (cherry picked from commit `6653acb21c`)	2022-03-04 18:57:38 +00:00
Justin Ibarra	2faed44215	Replace `*` in navigator filenames (#1813 ) (cherry picked from commit `bb105a3c43`)	2022-03-04 17:48:46 +00:00
Justin Ibarra	5a630dd61d	Generate ATT&CK navigator layer files and links (#1787 ) * Generate attack layer files and build with package * add update-navigator-gists command * add workflow to update navigator gists on pushes to main * Add coverage readme * fix keys for links * update navigator layer names * purge gist files prior to update; add badge * Update how the navigator links are displayed * moved navigator code to dedicated and refactored to dataclasses * convert gist links to permalink versions * alphabetize; catch 404 for gist update (cherry picked from commit `254b4eb23f`)	2022-03-04 17:23:14 +00:00

1 2 3 4 5 ...

1007 Commits