cfb386285d
[New RTA] Input Capture via Keylog ( #3033 )
...
* [New RTA] Input Capture via Keylog
APIs in scope covered by 2 seperate RTAs :
SetWindowsHookEx (collection_keylog_hook_keystate)
GetAsyncKeyState (collection_keylog_hook_keystate)
RegisterRawInputDevices (collection_keylog_rawinputdevice)
* Update rta/collection_keylog_hook_keystate.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update rta/collection_keylog_rawinputdevice.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit ec609d826a
2024-05-24 10:40:44 +00:00
0295db4b6b
[New Rule & Tunings] Linux Springtail Backdoor ( #3692 )
...
* [New Rules and Tuning] Springtail backdoor
* consistency formatting
* update
* unit testing formatting change
* Update persistence_systemd_service_started.toml
* Update persistence_systemd_service_started.toml
* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
(cherry picked from commit 390629da4e
2024-05-24 08:13:21 +00:00
39782b4295
[FR] Update utility path computation to use pathlib ( #3699 )
...
* update
* Updated to pathlib
* Linting
* Add string cast where needed
* Add additional string conversion as needed
* Str conversions to support eql lib
* Attack typo
* Typo in test script
* Updated for more pathlib
* Linting
* Update to convert string to path object
* Fix typo
(cherry picked from commit f43fbfba0d
2024-05-23 21:39:55 +00:00
f27479ee12
Package Manifest changes to add capabilities ( #3706 )
...
Removed changes from:
- detection_rules/etc/packages.yaml
(selectively cherry picked from commit f73022b900
2024-05-23 20:49:50 +00:00
8975b5de18
Update impact_high_freq_file_renames_by_kernel.toml ( #3707 )
...
(cherry picked from commit 603f3c313a
2024-05-23 17:03:14 +00:00
18fcd83683
Back-porting Version Trimming ( #3704 )
...
(cherry picked from commit 63e91c2f12
2024-05-22 19:18:10 +00:00
bc95221e93
[New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added ( #3591 )
...
* new rule 'AWS S3 Bucket Expiration Lifecycle Configuration Added'
* added investigation guide
* updated query logic
(cherry picked from commit 137b74c3aa
2024-05-20 20:23:52 +00:00
e7959e88b9
[Bug] Fix test_os_and_platform_in_query test and rules ( #3695 )
...
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
(cherry picked from commit ce21acef9c
2024-05-20 15:51:28 +00:00
0ab70f13a4
[Rule Tuning] Add Initial SentinelOne Compatibility to Windows DRs ( #3627 )
...
* [Rule Tuning] Add Initial SentinelOne Compatibility
* updated definitions.py; updated tags; fixed unit tests
* added prerelease versions for s1 integration; updated build CLI commands to allow prerelease; bumped min-stacks
* updating manifests and integrations
* fixing flake errors
* min_stack
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit d023ad66b1
2024-05-20 12:59:37 +00:00
98e0777b34
Update credential_access_suspicious_web_browser_sensitive_file_access.toml ( #3691 )
...
(cherry picked from commit ec27bf8545
2024-05-18 04:38:02 +00:00
6e25eabf71
[FR] Add --force flag to update-lock-versions ( #3693 )
...
* Add --force flag to update-lock-versions
* Add type hinting
(cherry picked from commit 707ca32ab1
2024-05-18 00:33:11 +00:00
0e8cce28e9
[Bug] Support spaces with capital letters ( #3689 )
...
(cherry picked from commit 43b3a4b080
2024-05-17 14:12:47 +00:00
06ef471c39
[FR] Normalize yml ext to yaml ( #3675 )
2024-05-15 17:08:01 -05:00
2d96f10725
[FR] Normalize yml ext to yaml ( #3675 )
...
Removed changes from:
- detection_rules/etc/packages.yml
(selectively cherry picked from commit 79f575b33c
2024-05-15 20:27:01 +00:00
1d7e597662
[Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId ( #3677 )
...
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit f0b226c2b0
2024-05-15 17:20:18 +00:00
ad7a8afb32
[Rule Tuning] Windows Service Installed via an Unusual Client ( #3671 )
...
* [Rule Tuning] Windows Service Installed via an Unusual Client
* Update privilege_escalation_windows_service_via_unusual_client.toml
* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 0eef7f62ff
2024-05-15 13:39:59 +00:00
ed48d9fd57
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14 ( #3676 )
...
(cherry picked from commit f3585da503
2024-05-15 11:41:56 +00:00
891da3623d
Prepare For Next Elastic Stack 8.15 ( #3670 )
...
Removed changes from:
- detection_rules/etc/packages.yml
(selectively cherry picked from commit 50a8b52cd5
2024-05-14 19:10:09 +00:00
ca8af123d2
[FR] Add max_signal note, unit test, and rule tuning ( #3669 )
...
(cherry picked from commit f07a9e6fbc
2024-05-14 16:23:18 +00:00
a4b38209b4
[New Rule] Building Block Rule - AWS IAM Login Profile Added to User ( #3633 )
...
* new rule 'AWS IAM Login Profile Added to User'
* Update rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 608b801088
2024-05-14 15:18:38 +00:00
9dceb36a7e
[New Rule] Route53 Resolver Query Log Configuration Deleted ( #3592 )
...
* new rule 'Route53 Resolver Query Log Configuration Deleted'
* added investigation guide
* adjusted investigation notes
* Update rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 2375297879
2024-05-14 14:32:44 +00:00
cbac37db59
[New] Unusual Execution via Microsoft Common Console File ( #3663 )
...
* [New] Unusual Execution via Microsoft Common Console File
https://www.genians.co.kr/blog/threat_intelligence/facebook
* Update rules/windows/execution_initial_access_via_msc_file.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/execution_initial_access_via_msc_file.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/execution_initial_access_via_msc_file.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update execution_initial_access_via_msc_file.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit a1ef8c9fc0
2024-05-14 14:16:02 +00:00
95fd920afe
[New] Potential File Download via a Headless Browser ( #3660 )
...
* [New] Potential File Download via a Headless Browser
* Update command_and_control_headless_browser.toml
* Update command_and_control_headless_browser.toml
* Update command_and_control_common_webservices.toml
* Update command_and_control_headless_browser.toml
* Update command_and_control_headless_browser.toml
(cherry picked from commit 83462a3087
2024-05-14 13:04:35 +00:00
f918f091c3
[New Rule] AWS EC2 AMI Shared with Another Account ( #3600 )
...
* new rule 'AWS EC2 AMI Shared with Another Account'
* linted; updated UUID
* added investigation guide
* updated description
* fixed spelling errors
* Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* fixed spacing issue
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit d505b95f3c
2024-05-14 06:04:20 +00:00
727e7ada2e
[New Rule] First Occurrence of User Identity Retrieving Credentials from EC2 Instance with an Assumed Role ( #3586 )
...
* new rule 'First Occurrence of User Identity Sending Requests to EC2 Instance'
* updated description and name
* added investigation guide; adjusted description
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* updated query logic
* fixed spacing issue
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 38e0f13e23
2024-05-14 03:15:43 +00:00
33e44b29fc
[FR] Bundle KQL & Kibana libs into base dependencies ( #3662 )
...
(cherry picked from commit 78837549e8
2024-05-13 19:36:55 +00:00
e45c7db95e
[Bug] Update Rule Formatter ( #3668 )
...
* Update Rule Formatter
* Only apply fix to Note
(cherry picked from commit 094ef22604
2024-05-13 19:07:19 +00:00
2f88a93d62
[New Rule] Alternate Data Stream Creation at Volume Root Directory ( #3517 )
...
* [New Rule] Alternate Data Stream Creation at Volume Root Directory
* Update defense_evasion_root_dir_ads_creation.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 6150f222b2
2024-05-13 11:42:34 +00:00
c915b9959d
[Tuning] MacOS Comprehensive Detection Rule Tuning ( #3435 )
...
* Update to use new data source
* Exclude FPs
* Update logic
* Exclude FPs
* Update to match ER logic
* Exclude FP
* Update to match endpoint rule and reduce FPs
* Update logic to reduce FPs
* Update logic to reduce FPs
* Exclude FPs
* Update logic to remove FPs
* Update logic to reduce FPs
* Update logic and min stack version to reduce FPs
* Exclude FP
* Remove FPs
* Update logic and min stack to reduce FPs
* Exclude FPs
* Update logic and min stack to exclude FPs
* Update logic and min stack to exclude FPs
* Update logic to be more efficient
* Update logic
* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml
* Update rules/macos/defense_evasion_modify_environment_launchctl.toml
* Update rules/macos/persistence_docker_shortcuts_plist_modification.toml
* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml
* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
* Update persistence_folder_action_scripts_runtime.toml
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update rules/macos/execution_installer_package_spawned_network_event.toml
* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
* Update rules/macos/credential_access_credentials_keychains.toml
* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
* Update rules/macos/persistence_loginwindow_plist_modification.toml
* Update rules/macos/persistence_folder_action_scripts_runtime.toml
* Fix
* Fix
* Fix
* Update min stack comments
* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml
* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
* Update rules/macos/credential_access_systemkey_dumping.toml
* Update rules/macos/discovery_users_domain_built_in_commands.toml
* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml
* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml
* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml
* Update rules/macos/persistence_folder_action_scripts_runtime.toml
* Remove field
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 1fb58e1b61
2024-05-11 17:59:28 +00:00
2e270cf78c
[New Rule] Potential PowerShell HackTool Script by Author ( #2472 )
...
* [New Rule] Potential PowerShell HackTool Script by Author
* Update execution_posh_hacktool_authors.toml
* Update execution_posh_hacktool_authors.toml
* Update execution_posh_hacktool_authors.toml
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update execution_posh_hacktool_authors.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update execution_posh_hacktool_authors.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit f85d7482fd
2024-05-09 16:08:45 +00:00
ae6bb88edb
[Tuning] Component Object Model Hijacking ( #3655 )
...
* [Tuning] Component Object Model Hijacking
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
* Update persistence_suspicious_com_hijack_registry.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 7a61070e08
2024-05-08 16:52:11 +00:00
3262eaaca3
[FR] Update readme with wsl instructions for py312 ( #3649 )
...
* Update README
* Removed DaC Specifics
* Add troubleshooting guide.
* Update Troubleshooting.md
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 65441b8e67
2024-05-07 17:59:13 +00:00
4bbb8c2642
[New] Ransomware over SMB ( #3638 )
...
* [New] Ransomware over SMB
* Update impact_ransomware_note_file_over_smb.toml
* Update impact_ransomware_file_rename_smb.toml
* ++
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_ransomware_file_rename_smb.toml
* Update impact_ransomware_note_file_over_smb.toml
* Update impact_high_freq_file_renames_by_kernel.toml
(cherry picked from commit 4a2e2764cd
2024-05-07 05:46:07 +00:00
947e8fd965
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3650 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13
* Bumping status checks
* undo bump
---------
Co-authored-by: eric-forte-elastic <eric-forte-elastic@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
(cherry picked from commit 84437bac03
2024-05-06 16:52:30 +00:00
2bd230ff60
[Bug] Query validation failing to capture InSet edge case with ip field types ( #3572 )
...
* Move test case to separate file
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit a4a0bc6a7e
2024-05-06 12:07:00 +00:00
b75a9f902b
[New Rule] Potential Abuse of Resources by High Token Count and Large Response Sizes ( #3644 )
...
(cherry picked from commit 2ffb0e7fe2
2024-05-03 23:08:58 +00:00
40015070b4
[FR] Add ability to generate hunt index ( #3643 )
...
(cherry picked from commit c8c8c96956
2024-05-03 18:51:10 +00:00
90ad70e63b
[FR] Add Hunt Structure and Initial LLM Queries 🚀 ( #3637 )
...
(cherry picked from commit 00b8a77f50
2024-05-03 14:40:58 +00:00
c97395d606
[Bug] Fix missing indexes on navigator build ( #3636 )
...
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
(cherry picked from commit 2668f5f762
2024-05-01 21:58:13 +00:00
b83887e73d
[New Rule] AWS S3 Bucket Enumeration or Brute Force ( #3635 )
...
* [New Rule] AWS S3 Bucket Enumeration or Brute Force
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 54ff270c62
2024-05-01 21:08:19 +00:00
809279b62b
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3630 )
...
(cherry picked from commit ca78f550fd
2024-04-30 12:43:58 +00:00
d3faf0d0d6
[New Rule] Shell Configuration Modification ( #3629 )
...
* [New Rule] Shell Configuration Modification
* description update
* uuid update
* query update
* query update
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit e29994c338
2024-04-30 11:48:38 +00:00
f7215a7ced
[Rule Tuning] Linux DRs ( #3628 )
...
(cherry picked from commit 115c3a6dfd
2024-04-30 11:33:56 +00:00
55a17e12db
[New] Potential privilege escalation via CVE-2022-38028 ( #3616 )
...
* [New] Potential privilege escalation via CVE-2022-38028
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
* Update privilege_escalation_exploit_cve_202238028.toml
* Update privilege_escalation_exploit_cve_202238028.toml
* Update privilege_escalation_exploit_cve_202238028.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 8f6de1c235
2024-04-29 14:18:06 +00:00
09a7e2e81b
Refresh Kibana module with API updates ( #3466 )
...
* Refresh Kibana module with API updates
* add import/export commands
* rename repo commands
* add RawRuleCollection and DictRule objects
* save exported rules to files; rule.from_rule_resource
* strip unknown fields in schema
* add remote cli test
* update docs
* bump kibana lib version
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
(cherry picked from commit c567d3731a
2024-04-26 17:20:37 +00:00
dfd261590b
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13 ( #3615 )
...
(cherry picked from commit 374f21fbc4
2024-04-23 12:36:46 +00:00
868ab80c63
Fix minstack version for 0365 in azure integration rules ( #3612 )
...
(cherry picked from commit 7673ba484d
2024-04-22 13:55:15 +00:00
bda38d6f27
updating performance note ( #3608 )
...
(cherry picked from commit 69d42ecc71
2024-04-18 20:43:50 +00:00
fea73c9686
[New Rule] Potential Windows Session Hijacking via CcmExec ( #3602 )
...
* [New Rule] Potential Windows Session Hijacking via CcmExec
* Update rules/windows/defense_evasion_sccm_scnotification_dll.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 6ae0902a38
2024-04-18 16:05:03 +00:00
4562d694b0
[Rule Tuning] Further Tight up Elastic Defend Index Patterns ( #3584 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 5004ff115c
2024-04-16 16:34:23 +00:00
Samirbous