sigma-rules

Author	SHA1	Message	Date
Justin Ibarra	cc01d3fb1a	Add support for restricted fields (#2053 ) * Add support for restricted fields (fields valid only in min/max stack versions) * add test to ensure rule backports wont exceed min compat	2022-06-27 10:02:15 -05:00
Mika Ayenson	4ef1a1a627	Update cli documentation for search-alerts (#2051 ) * Add cli documentation for search-alerts and table fields	2022-06-24 09:58:58 -04:00
Mika Ayenson	3f6be4155c	test automatically prevent future merges when a backport fails (#1909 ) automatically prevent future merges when a backport fails	2022-06-23 15:10:26 -04:00
Mika Ayenson	4fdd978183	test automatically prevent future merges when a backport fails (#1909 ) automatically prevent future merges when a backport fails	2022-06-23 14:59:25 -04:00
github-actions[bot]	fd9c9f8abf	Locked versions for releases: 7.16,8.0,8.1,8.2,8.3 (#2041 ) Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com>	2022-06-17 11:44:07 -04:00
shashank-elastic	2ee23bd80f	[Rule tuning] existing strace activity rule. (#2028 ) * Update description and MITTRE Attack details	2022-06-16 17:18:48 +05:30
Jonhnathan	c8ff1dc9cb	Update discovery_remote_system_discovery_commands_windows.toml (#2033 )	2022-06-14 10:50:59 -03:00
Isai	63fda01fdd	[New Rule] Kubernetes execution_user_exec_to_pod (#1979 ) * Create execution_user_exec_to_pod.toml * Update execution_user_exec_to_pod.toml * Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml * Update non-ecs-schema.json * Update execution_user_exec_to_pod.toml * Update rules/integrations/kubernetes/execution_user_exec_to_pod.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> * Update execution_user_exec_to_pod.toml * Update execution_user_exec_to_pod.toml * Update execution_user_exec_to_pod.toml * toml-linted file and add to false positive toml-linted the file and added to the false positive description * Create notepad.sct Added this back into the repo, deleted by mistake. * added min_stack_version based on integration min stack version determined by integration support of necessary fields Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-06-09 17:52:45 -04:00
Justin Ibarra	744f56d98e	[Bug] resolves bug in Rule version methods (#2021 ) * [Bug] resolves bug in Rule version methods * comment out unused code with notes	2022-06-07 15:40:46 -08:00
Jonhnathan	3aa53fc6c5	[Rule Tuning] M365 - Remove event.outcome condition from Auth Events (#2004 ) * Remove event.outcome condition * Update credential_access_microsoft_365_brute_force_user_account_attempt.toml * Revert "Update credential_access_microsoft_365_brute_force_user_account_attempt.toml" This reverts commit c7e7c976174a62e6b50139291e8f7f1a34e7beab. Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-06-03 14:24:14 -03:00
Jonhnathan	b6631f200e	Update persistence_sdprop_exclusion_dsheuristics.toml (#2017 )	2022-06-03 14:22:04 -03:00
Jonhnathan	f857e009c5	Adds logs-system.* index pattern (#2016 )	2022-06-03 13:56:54 -03:00
Justin Ibarra	e850f39526	[Bug] Fix test_matrix_to_lock_version_defaults test (#2014 )	2022-06-02 16:34:54 -08:00
Justin Ibarra	f57950a3c9	Collapse unsupported previous version entries (#2013 ) * Collapse unsupported previous version entries * drop the last entry in the matrix test	2022-06-02 15:18:12 -08:00
Terrance DeJesus	35b1a69ff5	Prep for Creation of 8.4 Branch (#2001 ) * prepping for 8.4 branch * adjusted schemas init file * adjusted target matrix to only backport to 7.16, updated api schemas * adjusted the lock-versions workflow to account for 7.16 and up support only * Add test for version lock to schema map correlation * decouple from static 7.13 references * keep patch version for lock * Update detection_rules/etc/packages.yml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>	2022-06-02 14:59:18 -04:00
shashank-elastic	f02325fe2f	[Rule Tuning] Add MITRE Details to exisisting hpining activity rule. (#2012 ) * Add MITRE Details to existing hping activity rule.	2022-06-02 10:36:23 +05:30
shashank-elastic	98a85ddcee	Linux binary(s) ftp shell evasion threat (#2007 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-06-01 22:07:52 +05:30
Samirbous	d6e96a83d5	[New Rule] Suspicious Microsoft Diagnostics Wizard Execution (#2005 ) * [New Rule] Suspicious Microsoft Diagnostics Wizard Execution https://lolbas-project.github.io/lolbas/Binaries/Msdt/ https://twitter.com/nao_sec/status/1530196847679401984 * Update rules/windows/defense_evasion_proxy_execution_via_msdt.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-06-01 17:02:47 +02:00
Jonhnathan	27f5c2e695	[Security Content] 8.3 Add Investigation Guides - 3 (#1990 ) * [Security Content] 8.3 Add Investigation Guides - 3 * bump date * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co>	2022-05-31 12:57:02 -03:00
Jonhnathan	e5d3c6329c	[Security Content] 8.3 - Add Investigation Guides 2 (#1989 ) * [Security Content] 8.3 - Add Investigation Guides 2 - Initial Commit * . * Add Related rules * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> * . * . * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Joe Peeples <joe.peeples@elastic.co>	2022-05-31 12:54:42 -03:00
Samirbous	bfea11c99f	[Rule Tuning] Suspicious MS Office Child Process (#2003 ) added msdt.exe as a response to this in the wild 0day (works without vba and on latest office) -> https://twitter.com/nao_sec/status/1530196847679401984 https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection	2022-05-31 14:20:51 +02:00
Jonhnathan	1f8813d02f	[Promote Rule] Potential Invoke-Mimikatz PowerShell Script (#1993 ) * Update credential_access_mimikatz_powershell_module.toml * Update credential_access_mimikatz_powershell_module.toml * Update credential_access_mimikatz_powershell_module.toml * Update credential_access_mimikatz_powershell_module.toml Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2022-05-25 17:02:21 -03:00
Justin Ibarra	0428e161a8	Refresh ECS/beats schemas up to 8.2 (#1995 )	2022-05-25 11:51:43 -08:00
Mika Ayenson	e1266a6fd3	Skip previous validation on pre/post load/dump (#1942 ) * Build out the dataclasses for a base entry and version lock explicitly * Ensure previous field does not have a nested previous * Test validation on version lock for previous fields.	2022-05-25 13:34:03 -04:00
Terrance DeJesus	cdc5c7244a	[New Rule] Elastic Agent Stopped (#1991 ) * new rule for detecting if elastic agent has been stopped * adjusted query based on feedback; added powershell, taskkill, pskill and processhacker	2022-05-25 13:16:21 -04:00
shashank-elastic	fd7a6d63b0	[Rule tuning] Linux binary(s) shell evasion threat * Linux binary(s) git shell evasion threat	2022-05-25 19:21:08 +05:30
shashank-elastic	51b2d9da4b	[Rule tuning] Linux binary(s) shell evasion threat (#1957 ) * Linux binary(s) shell evasion threat Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2022-05-25 08:32:53 +05:30
Justin Ibarra	72c186b30b	[Rule tuning] Whitespace Padding in Process Command Line (#1967 ) * [Rule tuning] Whitespace Padding in Process Command Line * bump updated_date * update comment Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-05-23 14:33:48 -05:00
Justin Ibarra	1840a638c8	[Rule tuning] Unusual Process Execution - Temp (#1968 ) Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2022-05-23 11:04:35 -04:00
Bobby Filar	9a739b7e4c	Modifying rules assoc w/ deprecation of v2 ML jobs (#1846 ) * modifying rules assoc w/ deprecation of v2 ML jobs * modified updated_date field * fixed machine_learning_job_id and added min_stack_version * replacing rest of deprecated jobs with new naming convention * Update ml_suspicious_login_activity.toml * removing rules assoc w/ deprecated ML jobs * Update rules/ml/ml_linux_anomalous_compiler_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/ml/ml_linux_anomalous_compiler_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * updated ml job rules to reflect 8.3 changes * updating min_stack_version for ml detection rules Co-authored-by: Craig Chamberlain <randomuserid@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Apoorva Joshi <30438249+ajosh0504@users.noreply.github.com>	2022-05-20 13:02:27 -07:00
Mika Ayenson	77966473d1	[Rule tuning] add support for osx, zsh, and expand tampering techniques (#1974 ) * add support for osx, zsh, and expand tampering techniques * migrate to cross-platform and add macOS tag	2022-05-20 11:10:56 -04:00
Jonhnathan	a1bdf2b564	[Security Content] 8.3 - Add Investigation Guides (#1937 ) * 8.3 - Add Investigation Guides * Apply suggestions * Apply the refactor * Apply suggestions from Samir * . Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-05-19 13:23:35 -03:00
Mika Ayenson	92640f517a	[Rule tuning] check for anything found in the emondClient directory (#1977 ) * check for anything found in the emondClient directory and add reference	2022-05-18 12:33:23 -04:00
Jonhnathan	817b97f428	[Security Content] Refactor Existing Investigation Guides (#1959 ) * Initial commit * Update Investigation guides - security-docs review * Update command_and_control_dns_tunneling_nslookup.toml * Update defense_evasion_amsienable_key_mod.toml * Apply security-docs review * Remove dot * Update rules/windows/command_and_control_rdp_tunnel_plink.toml Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com> * Apply changes from review * Apply the suggestion Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>	2022-05-18 12:59:39 -03:00
Colson Wilhoit	d12f45c6ba	[Rule Tuning] Update Rule Name: Suspicious Network Connection Attempt Sequence by Root (#1983 ) * [Rule Tuning] Update Rule Name * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml	2022-05-17 17:41:05 -05:00
Terrance DeJesus	c89f423961	[New Rule] Suspicious Outbound Network Connect Sequence by Root (#1975 ) * adding initial rule * adjusted UUID * removed event.ingested as query is a sequence * changed file name to match mitre ATT&CK tactic * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * TOML linted * Update command_and_control_connection_attempt_by_non_ssh_root_session.toml Just edited a couple grammar things. Looks good * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml * added additional tactic for privilege escalation and linted * formatted query to be more readable Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2022-05-16 16:22:33 -05:00
Jonhnathan	27e6632ecd	Update command_and_control_common_webservices.toml (#1970 )	2022-05-16 14:04:26 -03:00
Terrance DeJesus	1704924f7b	[New Rule] Abnormal Process ID File Creation (#1964 ) * adding rule detection * changed Rule ID * Update rules/linux/execution_abnormal_process_id_file_created.toml Adding reboot extension as well. Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf * Update rules/linux/execution_abnormal_process_id_file_created.toml Adding reboot to description. Reference: https://exatrack.com/public/Tricephalic_Hellkeeper.pdf * Update rules/linux/execution_abnormal_process_id_file_created.toml Added additional reference to similar threat. * Update rules/linux/execution_abnormal_process_id_file_created.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/execution_abnormal_process_id_file_created.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * added rule for a process starting where the executable's name represented a PID file * Adjusted user.id value from integer to string * Added simple investigation notes and osquery coverage * TOML linting * Updated date to reflect recent changes Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-05-12 10:38:27 -04:00
Samirbous	19ff825a91	[New rule] Remote Computer Account DnsHostName Update (#1962 ) * [New rule] Remote Computer Account DnsHostName Update Identifies remote update to a computer account DnsHostName attribute, if the new value is set a valid domain controller DNS hostname and the subject computer name is not a domain controller then it's high likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges : * added MS ref url * Update rules/windows/privilege_escalation_suspicious_dnshostname_update.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/windows/privilege_escalation_suspicious_dnshostname_update.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-05-11 19:40:34 +02:00
Terrance DeJesus	5f447a63a2	[New Rule] Executable Launched from Shared Memory Directory (#1961 ) * new rule to check for executables launched from shared memory directory * added references and false positive instances * Update rules/linux/execution_shared_memory_executable.toml * Update rules/linux/execution_shared_memory_executable.toml * Update rules/linux/execution_shared_memory_executable.toml * adjusted process to account for var run and lock directories * TOML lint and query formatting * TOML lint and query formatting * Update rules/linux/execution_process_started_in_shared_memory_directory.toml * Update rules/linux/execution_process_started_in_shared_memory_directory.toml * Update rules/linux/execution_process_started_in_shared_memory_directory.toml * Update rules/linux/execution_process_started_in_shared_memory_directory.toml * added BPFDoor tag to be threat specific * TOML linting and adjusted risk because of root requirement Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-05-11 12:18:55 -04:00
Justin Ibarra	c031bb501d	[Rule tuning] SSH Authorized Keys File Modification (#1955 )	2022-05-09 07:50:27 -08:00
Samirbous	03836d45fa	[New Rule] Potential Local NTLM Relay via HTTP (#1947 ) * [New Rule] Potential Local NTLM Relay via HTTP Detect attempt to elevate privileges via coercing a privileged service to connect to a local rogue HTTP endpoint, leading to NTLM relay, example of logs while testing https://github.com/med0x2e/NTLMRelay2Self (step 5): * Update credential_access_relay_ntlm_auth_via_http_spoolss.toml * Update credential_access_relay_ntlm_auth_via_http_spoolss.toml Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2022-05-06 21:07:27 +02:00
Terrance DeJesus	e9f5585a9f	[Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945 ) * updated content to reflect changes from Security Docs team * Update rules/linux/execution_flock_binary.toml * Update rules/linux/execution_expect_binary.toml * TOML linting * added escape for crdential_access_spn_attribute_modified.toml	2022-05-06 13:21:12 -04:00
Justin Ibarra	8168551c59	Manually reconciled versions from forked rule package generation bug (#1950 )	2022-05-04 10:04:10 -08:00
Justin Ibarra	22679e16d2	Add delta command to determine changes to endpoint rules between tags (#1943 ) * update git tag loader to be compatible with lock validation * add diff command * default to query for missing rules	2022-05-03 12:30:11 -08:00
Mika Ayenson	6219fc06b9	Move `etc` under detection_rules (#1885 ) * Move etc directory under detection_rules * Prepend original `etc` path with `detection_rules` * Update docstrings in util and CODEOWNERS * Add resiliency to tags to account for the old directory structure * Bug fix: remove unused param caused by commit `6ed1a39efe` Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-05-02 10:11:21 -04:00
Samirbous	3f047b987e	[New Rule] Service Creation via Local Kerberos Authentication (#1941 ) * [New Rule] Suspicious Service Creation via Local Kerberos Relay over LDAP This rule will catch also the suspicious service that was created leveraging the imported kerberos ticket https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82 which makes triage easier : DATA : ``` "sequences" : [ { "join_keys" : [ "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160", "0xefac5f" ], "events" : [ { "_index" : ".ds-logs-system.security-default-2022.04.12-000003", "_id" : "XAy1YoABQhClK0XGpqaL", "_source" : { "agent" : { "name" : "02694w-win10", "id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a", "type" : "filebeat", "ephemeral_id" : "6c751494-97a3-46aa-bab2-5baf01d17d04", "version" : "8.0.0" }, "process" : { "name" : "-", "pid" : 0, "executable" : "-" }, "winlog" : { "computer_name" : "02694w-win10.threebeesco.com", "process" : { "pid" : 688, "thread" : { "id" : 5160 } }, "keywords" : [ "Audit Success" ], "logon" : { "id" : "0x0", "type" : "Network" }, "channel" : "Security", "event_data" : { "LogonGuid" : "{82d3503b-9dac-ab6d-b045-8877b5aab051}", "TargetOutboundDomainName" : "-", "VirtualAccount" : "%%1843", "LogonType" : "3", "TransmittedServices" : "-", "SubjectLogonId" : "0x0", "LmPackageName" : "-", "TargetOutboundUserName" : "-", "KeyLength" : "0", "RestrictedAdminMode" : "-", "TargetLogonId" : "0xefac5f", "SubjectUserName" : "-", "TargetLinkedLogonId" : "0x0", "ElevatedToken" : "%%1842", "SubjectDomainName" : "-", "ImpersonationLevel" : "%%1833", "TargetUserName" : "Administrator", "TargetDomainName" : "THREEBEESCO.COM", "LogonProcessName" : "Kerberos", "SubjectUserSid" : "S-1-0-0", "TargetUserSid" : "S-1-5-21-308926384-506822093-3341789130-500", "AuthenticationPackageName" : "Kerberos" }, "opcode" : "Info", "version" : 2, "record_id" : "59330", "task" : "Logon", "event_id" : "4624", "provider_guid" : "{54849625-5478-4994-a5ba-3e3b0328c30d}", "activity_id" : "{e22af019-58dd-0002-43f0-2ae2dd58d801}", "api" : "wineventlog", "provider_name" : "Microsoft-Windows-Security-Auditing" }, "log" : { "level" : "information" }, "elastic_agent" : { "id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a", "version" : "8.0.0", "snapshot" : false }, "source" : { "port" : 50494, "ip" : "127.0.0.1", "domain" : "-" }, "message" : """An account was successfully logged on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Information: Logon Type: 3 Restricted Admin Mode: - Virtual Account: No Elevated Token: Yes Impersonation Level: Impersonation New Logon: Security ID: S-1-5-21-308926384-506822093-3341789130-500 Account Name: Administrator Account Domain: THREEBEESCO.COM Logon ID: 0xEFAC5F Linked Logon ID: 0x0 Network Account Name: - Network Account Domain: - Logon GUID: {82d3503b-9dac-ab6d-b045-8877b5aab051} Process Information: Process ID: 0x0 Process Name: - Network Information: Workstation Name: - Source Network Address: 127.0.0.1 Source Port: 50494 Detailed Authentication Information: Logon Process: Kerberos Authentication Package: Kerberos Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon session is created. It is generated on the computer that was accessed. The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network). The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on. The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The impersonation level field indicates the extent to which a process in the logon session can impersonate. The authentication information fields provide detailed information about this specific logon request. - Logon GUID is a unique identifier that can be used to correlate this event with a KDC event. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""", "input" : { "type" : "winlog" }, "@timestamp" : "2022-04-25T21:09:04.559Z", "ecs" : { "version" : "1.12.0" }, "related" : { "ip" : [ "127.0.0.1" ], "user" : [ "Administrator" ] }, "data_stream" : { "namespace" : "default", "type" : "logs", "dataset" : "system.security" }, "host" : { "hostname" : "02694w-win10", "os" : { "build" : "18363.815", "kernel" : "10.0.18362.815 (WinBuild.160101.0800)", "name" : "Windows 10 Enterprise", "family" : "windows", "type" : "windows", "version" : "10.0", "platform" : "windows" }, "ip" : [ "fe80::7587:a5c1:5a7b:68f6", "172.16.66.25" ], "name" : "02694w-win10.threebeesco.com", "id" : "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160", "mac" : [ "00:50:56:03:c6:93" ], "architecture" : "x86_64" }, "event" : { "agent_id_status" : "verified", "ingested" : "2022-04-25T21:51:53Z", "code" : "4624", "provider" : "Microsoft-Windows-Security-Auditing", "kind" : "event", "created" : "2022-04-25T21:51:15.561Z", "action" : "logged-in", "category" : [ "authentication" ], "type" : [ "start" ], "dataset" : "system.security", "outcome" : "success" }, "user" : { "domain" : "THREEBEESCO.COM", "name" : "Administrator", "id" : "S-1-5-21-308926384-506822093-3341789130-500" } } }, { "_index" : ".ds-logs-system.security-default-2022.04.12-000003", "_id" : "Xwy1YoABQhClK0XGpqaL", "_source" : { "agent" : { "name" : "02694w-win10", "id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a", "ephemeral_id" : "6c751494-97a3-46aa-bab2-5baf01d17d04", "type" : "filebeat", "version" : "8.0.0" }, "winlog" : { "computer_name" : "02694w-win10.threebeesco.com", "process" : { "pid" : 688, "thread" : { "id" : 5160 } }, "keywords" : [ "Audit Success" ], "logon" : { "id" : "0xefac5f" }, "channel" : "Security", "event_data" : { "ServiceAccount" : "LocalSystem", "SubjectUserName" : "Administrator", "ServiceStartType" : "3", "ServiceName" : "KrbSCM", "ServiceType" : "0x10", "SubjectDomainName" : "3B", "SubjectLogonId" : "0xefac5f", "SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-500", "ServiceFileName" : "\"C:\\Users\\lgreen\\Downloads\\KrbRelayUp.exe\" system 1" }, "opcode" : "Info", "record_id" : "59331", "task" : "Security System Extension", "event_id" : "4697", "provider_guid" : "{54849625-5478-4994-a5ba-3e3b0328c30d}", "activity_id" : "{e22af019-58dd-0002-43f0-2ae2dd58d801}", "api" : "wineventlog", "provider_name" : "Microsoft-Windows-Security-Auditing" }, "log" : { "level" : "information" }, "elastic_agent" : { "id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a", "version" : "8.0.0", "snapshot" : false }, "message" : """A service was installed in the system. Subject: Security ID: S-1-5-21-308926384-506822093-3341789130-500 Account Name: Administrator Account Domain: 3B Logon ID: 0xEFAC5F Service Information: Service Name: KrbSCM Service File Name: "C:\Users\lgreen\Downloads\KrbRelayUp.exe" system 1 Service Type: 0x10 Service Start Type: 3 Service Account: LocalSystem""", "input" : { "type" : "winlog" }, "@timestamp" : "2022-04-25T21:09:04.561Z", "ecs" : { "version" : "1.12.0" }, "related" : { "user" : [ "Administrator" ] }, "data_stream" : { "namespace" : "default", "type" : "logs", "dataset" : "system.security" }, "service" : { "name" : "KrbSCM", "type" : "Win32 Own Process" }, "host" : { "hostname" : "02694w-win10", "os" : { "build" : "18363.815", "kernel" : "10.0.18362.815 (WinBuild.160101.0800)", "name" : "Windows 10 Enterprise", "family" : "windows", "type" : "windows", "version" : "10.0", "platform" : "windows" }, "ip" : [ "fe80::7587:a5c1:5a7b:68f6", "172.16.66.25" ], "name" : "02694w-win10.threebeesco.com", "id" : "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160", "mac" : [ "00:50:56:03:c6:93" ], "architecture" : "x86_64" }, "event" : { "agent_id_status" : "verified", "ingested" : "2022-04-25T21:51:53Z", "code" : "4697", "provider" : "Microsoft-Windows-Security-Auditing", "created" : "2022-04-25T21:51:15.561Z", "kind" : "event", "action" : "service-installed", "category" : [ "iam", "configuration" ], "type" : [ "admin", "change" ], "dataset" : "system.security", "outcome" : "success" }, "user" : { "domain" : "3B", "name" : "Administrator", "id" : "S-1-5-21-308926384-506822093-3341789130-500" } } } ] ```` * Update privilege_escalation_krbrelayup_service_creation.toml * removed duplicate SubjectLogonId from non ecs fields list	2022-04-29 14:36:28 +02:00
Pete Hampton	34655374c1	[New Rule] AWS Redshift Cluster Creation (#1921 ) * Add rule for Redshift data warehouse creation. * Add fp block. * Add AWS integration metadata. * Add timestamp override. * Add note. * Update rules/integrations/aws/persistence_redshift_instance_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update rules/integrations/aws/persistence_redshift_instance_creation.toml Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com> * Update description for redshift instance creation. Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>	2022-04-28 14:43:26 -04:00
Jonhnathan	f050b0ce0c	[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#1939 ) * [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created * Update non-ecs-schema.json Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-04-27 09:09:25 -03:00
shashank-elastic	88f71233c9	Detection of suspicious crontab creation or modification (#1938 ) * Detection of suspicious crontab creation or modification * Update rules/macos/persistence_crontab_creation.toml * Update rules/macos/persistence_crontab_creation.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/macos/persistence_crontab_creation.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/macos/persistence_crontab_creation.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2022-04-27 12:08:32 +05:30

1 2 3 4 5 ...

1082 Commits