security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
814 Commits 1 Branch 0 Tags
cd3cef5996e1b1522013dcda35f121f811d10f64
Commit Graph

814 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Austin Songer cd3cef5996 [Rule Tuning] Added Powershell_ise.exe to some rules. (#1566) 
* Update collection_email_powershell_exchange_mailbox.toml

* Update command_and_control_remote_file_copy_powershell.toml

* Update defense_evasion_disabling_windows_defender_powershell.toml

* Update execution_scheduled_task_powershell_source.toml

* Update execution_via_compiled_html_file.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update persistence_powershell_exch_mailbox_activesync_add_device.toml

* Update persistence_webshell_detection.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_suspicious_zoom_child_process.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update persistence_local_scheduled_task_scripting.toml

* Update persistence_local_scheduled_task_creation.toml

* Update persistence_system_shells_via_services.toml

* Update collection_email_powershell_exchange_mailbox.toml

* Update command_and_control_remote_file_copy_powershell.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update defense_evasion_disabling_windows_defender_powershell.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_suspicious_zoom_child_process.toml

* Update execution_scheduled_task_powershell_source.toml

* Update execution_via_compiled_html_file.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update persistence_local_scheduled_task_creation.toml

* Update persistence_local_scheduled_task_scripting.toml

* Update persistence_powershell_exch_mailbox_activesync_add_device.toml

* Update persistence_system_shells_via_services.toml

* Update persistence_webshell_detection.toml

* Update rules/windows/persistence_local_scheduled_task_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit ef7548f04c)
 2021-10-26 15:17:37 +00:00
Jonhnathan fa4bec7b9a [New Rule] PowerShell MiniDump Script (#1528) 
* PowerShell MiniDump Script Initial Rule

* Update credential_access_posh_minidump.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_posh_minidump.toml

* Update rules/windows/credential_access_posh_minidump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 239384497f)
 2021-10-26 15:10:20 +00:00
Jonhnathan 5ca067e3e3 Add missing Integration field (#1537) 
* Add missing Integration field

* Bump updated_date

* Add test for integration<->path

* Fix rule folder

* bump updated date in rule

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>

(cherry picked from commit 4524c175c8)
 2021-10-26 15:06:32 +00:00
Austin Songer ba09596949 [New Rule] AWS Route Table Created (#1257) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_route_table_created.toml

* Update persistence_route_table_created.toml

* Update rules/persistence_route_table_created.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update persistence_route_table_created.toml

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_table_created.toml

* Update

* Update

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 89553d84a9)
 2021-10-26 13:26:56 +00:00
Justin Ibarra e81362e6ec Add test for improper rule demotion (released production -> development) (#1555) 
(cherry picked from commit 5a69ceb0c5)
 2021-10-20 05:48:26 +00:00
Justin Ibarra a28bb7961a Add min_stack_comments to metadata schema (#1573) 
* Add min_stack_comments to metadata schema

(cherry picked from commit 5bdf70e72c)
 2021-10-20 04:53:52 +00:00
Jonhnathan 27da0d6ed7 [New Rule] Suspicious Portable Executable Encoded in Powershell Script (#1562) 
* Create execution_posh_portable_executable.toml

* Add wildcard

* Remove the wildcard

* Update rules/windows/execution_posh_portable_executable.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit f50fb1d61b)
 2021-10-18 20:51:12 +00:00
Austin Songer db54ea7467 [New Rule] AWS EventBridge Rule Disabled or Deleted (#1572) 
* Create aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Rename aws_eventbridge_rule_disabled_or_deleted.toml to impact_aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 3ab67d1562)
 2021-10-18 18:37:29 +00:00
Austin Songer b1e60b6c45 [New Rule] DNS-over-HTTPS Enabled by Registry (#1379) 
* Create defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

(cherry picked from commit cf2b3ee753)
 2021-10-16 02:26:11 +00:00
Austin Songer 66f447cfff [New Rule] AWS EFS File System or Mount Deleted (#1462) 
* AWS EFS File System or Mount Deleted

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update impact_efs_filesystem_or_mount_deleted.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 2c39bb962f)
 2021-10-16 02:24:00 +00:00
Austin Songer 1771e33876 [New Rule] AWS Suspicious SAML Activity (#1498) 
* Create privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Add trailing /

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 702524b1f7)
 2021-10-16 02:12:06 +00:00
Austin Songer b090e60bd6 [New Rule] Azure Full Network Packet Capture Detected (#1420) 
* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Delete defense_evasion_virtual_network_device_modified.toml

* Create exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Rename exfiltration_azure_full_network_packet_capture_detected.toml to credential_access_azure_full_network_packet_capture_detected.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 50501bb40f)
 2021-10-16 02:07:22 +00:00
Austin Songer 69dbb5f655 [New Rule] Azure Virtual Network Device Modified or Deleted (#1421) 
* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Delete defense_evasion_virtual_network_device_modified.toml

* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_virtual_network_device_modified.toml

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename defense_evasion_virtual_network_device_modified.toml to impact_virtual_network_device_modified.toml

* fix description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 790586fb57)
 2021-10-15 19:12:07 +00:00
Austin Songer af3571ea6e [New Rule] Azure Kubernetes Pods Deleted (#1309) 
* Create impact_kubernetes_pod_deleted.toml

* Update impact_kubernetes_pod_deleted.toml

* Update

* Update impact_kubernetes_pod_deleted.toml

* quote value in query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 761df5fe84)
 2021-10-15 19:08:48 +00:00
Austin Songer ecc65a28bc [New Rule] AWS RDS Snapshot Restored (#1312) 
* Create exfiltration_rds_snapshot_restored.toml

* Update exfiltration_rds_snapshot_restored.toml

* Delete exfiltration_rds_snapshot_restored.toml

* Create exfiltration_rds_snapshot_restored.toml

* Update

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update exfiltration_rds_snapshot_restored.toml

* Update exfiltration_rds_snapshot_restored.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit dc980effb0)
 2021-10-15 19:06:07 +00:00
Austin Songer 8c2c6ea6ec [New Rule] Microsoft 365 - Mass download by a single user (#1348) 
* Create impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 3303a4e255)
 2021-10-15 19:02:52 +00:00
Austin Songer 9021db6188 [New Rule] AWS Route53 hosted zone associated with a VPC (#1365) 
* Create persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 90504915ad)
 2021-10-15 19:01:20 +00:00
Austin Songer 25733e1d67 [New Rule] AWS STS AssumeRole Usage (#1214) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create lateral_movement_sts_assumerole_abuse.toml

* Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update and rename privilege_escalation_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_usage.toml

* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Add note field

* Update privilege_escalation_sts_assumerole_usage.toml

* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Adding Reference

* Expand STS

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit d7eab5bbf3)
 2021-10-15 18:57:13 +00:00
Austin Songer 8bb2d27451 [New Rule] GCP Kubernetes Rolebindings Created or Patched (#1267) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/gcp/credential_access_gcp_kubernetes_rolebindings_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update and rename credential_access_gcp_kubernetes_rolebindings_creation.toml to credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Rename credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml to privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

* remove space from query

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 27ba204f1c)
 2021-10-15 18:43:23 +00:00
Austin Songer 8f55556006 [New Rule] Azure Blob Permissions Modification (#1499) 
* Create defense_evasion_azure_blob_permissions_modified.toml

* Update defense_evasion_azure_blob_permissions_modified.toml

* Update defense_evasion_azure_blob_permissions_modified.toml

* Update description and query (spacing)

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 7123d46623)
 2021-10-14 10:00:28 +00:00
Austin Songer 358585b2c1 [New Rule] Azure Kubernetes Events Deleted (#1307) 
* Create defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update

* Update defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Add quotes to azure query field

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 3d15c2072d)
 2021-10-14 09:58:32 +00:00
Jonhnathan fe36864c77 [New Rule] PowerShell Suspicious Discovery Related Windows API Functions (#1548) 
* PowerShell Suspicious Discovery Related Windows API Functions Initial Rule

* Update severity

* Lint

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit b7dcbbae72)
 2021-10-14 09:55:50 +00:00
Jonhnathan 8964e5d646 [Rule Tuning] Update network.direction (#1547) 
* Update network.direction

* bump updated_date

(cherry picked from commit cc241c0b5e)
 2021-10-14 00:47:33 +00:00
github-actions[bot] 847b08a1bd Lock versions for releases: 7.13,7.14,7.15 (#1545) 
* Locked versions for releases: 7.13,7.14,7.15

(cherry picked from commit c6ddb44445)
 2021-10-13 22:24:28 +00:00
Austin Songer 76a60c5ca8 [New Rule] Microsoft 365 - Impossible travel activity (#1344) 
* Create initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Updated Directory

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 11fa592c6f)
 2021-10-12 22:12:31 +00:00
Austin Songer 76ca7f5fc9 [New Rule] Microsoft 365 - User Restricted from Sending Email (#1345) 
* Create initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Fix technique

* update description and FP

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit c8ac37957d)
 2021-10-12 21:34:01 +00:00
Austin Songer 7cf664b160 [New Rule] Microsoft 365 - Unusual Volume of File Deletion (#1347) 
* Create impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update rules/microsoft-365/impact_microsoft_365_unusual_volume_of_file_deletion.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Add missing `\`

* Bump to prod and update description

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit fa9da023dd)
 2021-10-12 21:31:50 +00:00
Austin Songer b4d584fbc6 [New Rule] Microsoft 365 - Potential ransomware activity (#1346) 
* Create impact_microsoft_365_potential_ransomware_activity.toml

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update impact_microsoft_365_potential_ransomware_activity.toml

* bump to prod

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 98c217ece9)
 2021-10-12 21:27:11 +00:00
Austin Songer 088c8a8354 [New Rule] AWS Route Table Modified or Deleted (#1258) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* Update

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* remove space from query

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 82e72a956b)
 2021-10-12 18:17:56 +00:00
Apoorva Joshi f24b42980d Updating host risk score docs (#1518) 
* Updating host risk score docs

* Update docs/experimental-machine-learning/host-risk-score.md

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Making some changes

* Adding space to :all the things:

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 74fa8ebe48)
 2021-10-08 03:39:22 +00:00
David French 7d9f7e6a56 [New Rule] Rules to detect screensaver persistence on macOS (#1531) 
* add macos screensaver persistence rules

* change uuid

* update name

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* add T1546

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit cdbd5a6515)
 2021-10-07 14:24:41 +00:00
LaZyDK 9c9ef21878 Update defense_evasion_execution_windefend_unusual_path.toml (#1492) 
* Update defense_evasion_execution_windefend_unusual_path.toml

Add Microsoft Security Client to exclusions.

* Update defense_evasion_execution_windefend_unusual_path.toml

Update updated_date

* Updated author

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 43f0d77033)
 2021-10-05 19:38:58 +00:00
Austin Songer bd7616e912 [New Rule] AWS ElastiCache Security Group Created (#1363) 
* Create persistence_elasticache_security_group_creation.toml

* Update

* Update rules/integrations/aws/persistence_elasticache_security_group_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename persistence_elasticache_security_group_creation.toml to defense_evasion_elasticache_security_group_creation.toml

* Update defense_evasion_elasticache_security_group_creation.toml

* Update defense_evasion_elasticache_security_group_creation.toml

* Re-add rule.threat

* Update rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* remove extra space from query

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 9508002bb3)
 2021-10-05 17:01:33 +00:00
Austin Songer bd8eeae6ca Made these pull requests before the directory restructure. (#1517) 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 3b0d2006b7)
 2021-10-05 12:30:40 +00:00
Austin Songer 29d1ee4ae5 [Rule Tuning] AWS RDS Snapshot Export and AWS RDS Instance Created (#1514) 
(cherry picked from commit 0a3c44e8db)
 2021-10-04 21:32:40 +00:00
Andrew Pease 89cba0af95 [Rule Tuning] Volume Shadow Copy Deletion or Resized via VssAdmin (#1524) 
* Updated rule to include resizing

* lint

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit d5a8f41864)
 2021-10-04 19:01:39 +00:00
Jonhnathan 3471522807 [New Rule] Backup Files Deletion (#1516) 
* Add Backup Files Deletion Initial Rule

* Fix creation date

* Add updated_date

* Adjust description and query

* Update Description

* Update rules/windows/impact_backup_file_deletion.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Add false_positives

* Update impact_backup_file_deletion.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit f2b58cc0ab)
 2021-10-04 18:56:48 +00:00
Austin Songer c2fc2af03b [New Rule] AWS ElastiCache Security Group Modified or Deleted (#1364) 
* Create impact_aws_elasticache_security_group_modified_or_deleted.toml

* Rename impact_aws_elasticache_security_group_modified_or_deleted.toml to impact_elasticache_security_group_modified_or_deleted.toml

* Update impact_elasticache_security_group_modified_or_deleted.toml

* Update

* Update rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_elasticache_security_group_modified_or_deleted.toml

* Update impact_elasticache_security_group_modified_or_deleted.toml

* Rename impact_elasticache_security_group_modified_or_deleted.toml to defense_evasion_elasticache_security_group_modified_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit f41714642c)
 2021-10-04 18:39:40 +00:00
Austin Songer d0eaf3ed26 [New Rule] Volume Shadow Copy Deletion via PowerShell (#1358) 
* Create defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Rename defense_evasion_volume_shadow_copy_deletion_via_powershell.toml to impact_volume_shadow_copy_deletion_via_powershell.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Add trailing /

* Update rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 6298f7b00a)
 2021-10-04 17:59:07 +00:00
Jonhnathan 8033c0a260 Rename new_or_modified_federation_domain.toml to correspond with tactic (#1511) 
(cherry picked from commit ba9c01be50)
 2021-09-30 21:09:35 +00:00
Jonhnathan ed57d46d15 [Rule Tuning] Small update on rule descriptions (#1508) 
(cherry picked from commit 5e4a7e67df)
 2021-09-30 20:55:18 +00:00
Samirbous 1c70f69b2f [New Rule] Virtual Machine Fingerprinting via Grep (#1510) 
* [New Rule] Virtual Machine Fingerprinting via Grep

* format

* Update rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added reference url

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 76a0224f60)
 2021-09-30 18:41:03 +00:00
Samirbous 6f30bf3f7f [New Rule] Potential Lsass Memory Dump via MirrorDump (#1504) 
* [New Rule] Potential Lsass Memory Dump via MirrorDump

* added tactic

* switched to kql

* added sysmon process access non ecs types

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* rule.name as suggested by Justin and converted to EQL to add comments

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 521e4dc8f1)
 2021-09-30 08:17:42 +00:00
Austin Songer 09f49da822 [New Rule] Azure Frontdoor Web Application Firewall (WAF) Policy Deleted (#1393) 
(cherry picked from commit d28c48f20f)
 2021-09-29 17:09:18 +00:00
Austin Songer ba458dea13 [New Rule] New or Modified Federation Domain (#1212) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_new-or-modified-federation-domain.toml

* Rename persistence_new-or-modified-federation-domain.toml to persistence_new_or_modified_federation_domain.toml

* Update persistence_new_or_modified_federation_domain.toml

* Update .gitignore

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update persistence_new_or_modified_federation_domain.toml

* Update persistence_new_or_modified_federation_domain.toml

* Update persistence_new_or_modified_federation_domain.toml

* Update

* Update persistence_new_or_modified_federation_domain.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit a51ed86851)
 2021-09-29 12:17:22 +00:00
Austin Songer 17845c2bf9 [New Rule] O365 Exchange Suspicious Mailbox Right Delegation (#1211) 
(cherry picked from commit 5ac7fb639c)
 2021-09-27 21:19:34 +00:00
Justin Ibarra 371247b0b2 [Rule Tuning] Add system index to Windows Event Logs Cleared (#1502) 
(cherry picked from commit 63d6a54804)
 2021-09-24 17:06:02 +00:00
Jonhnathan 5b13666054 [Rule Tuning] Update threat mappings for Windows rules (#1497) 
* Windows Rules Att&ck Mapping review

* Bump updated_date and fix reference URLs

* Fix subtechnique

* Fix test errors

(cherry picked from commit 61afb1c1c0)
 2021-09-23 17:09:43 +00:00
Austin Songer 216d06ef30 [New Rule] AWS STS GetSessionToken Abuse (#1213) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create lateral_movement_sts_getsessiontoken_abuse.toml

* Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update .gitignore

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update

* Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 93b8038d7d)
 2021-09-22 19:29:04 +00:00
Austin Songer 0610e66ec2 [New Rule] Okta User Attempted Unauthorized Access (#1209) 
(cherry picked from commit 3e2cf4f53e)
 2021-09-22 06:45:27 +00:00