Colson Wilhoit
d0134efec6
Prep for creation of 8.2 branch (#1762)
Removed changes from:
- etc/packages.yml
(selectively cherry picked from commit e0dda91f26)
2022-02-09 03:45:54 +00:00
Justin Ibarra
3f02f5d9de
Move misplaced rule to proper folder (#1756)
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 97835bc5c5)
2022-02-04 20:37:32 +00:00
Jonhnathan
b986e73a4a
[New Rule] Potential Shadow Credentials added to AD Object (#1729)
* Potential Shadow Credentials added to AD Object Initial Rule
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update credential_access_shadow_credentials.toml
* Add AD tag
* Update credential_access_shadow_credentials.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 85b72256c2)
2022-02-04 18:50:54 +00:00
Jonhnathan
85f05f928b
[New Rule] PowerShell Script Block Logging Disabled (#1749)
* PowerShell Script Block Logging Disabled
* Update rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update defense_evasion_disable_posh_scriptblocklogging.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 7dac52f1cf)
2022-02-04 18:46:24 +00:00
Jonhnathan
a884d8a237
Update credential_access_mod_wdigest_security_provider.toml (#1751)
(cherry picked from commit 40095d95bf)
2022-02-04 18:40:10 +00:00
Jonhnathan
d7011f7128
[New Rule] AdminSDHolder Backdoor (#1745)
* AdminSDHolder Backdoor
* Update rules/windows/persistence_ad_adminsdholder.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 9ce5d0b92a)
2022-02-01 13:16:53 +00:00
Jonhnathan
33a3598f55
[New Rule] KRBTGT Delegation Backdoor (#1743)
* KRBTGT Delegation Backdoor
* Update persistence_msds_alloweddelegateto_krbtgt.toml
* Update non-ecs-schema.json
* Update rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* refresh rule_id with new uuid
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit d949fefe0c)
2022-02-01 13:11:26 +00:00
Justin Ibarra
c58da38e94
[Bug] Fix AttributeError in RuleCollection dupe check (#1747)
(cherry picked from commit 2828633919)
2022-02-01 00:59:39 +00:00
Jonhnathan
98758bf57e
[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#1741)
* Update persistence_exchange_suspicious_mailbox_right_delegation.toml
* fix year
(cherry picked from commit 26d5bad914)
2022-02-01 00:04:05 +00:00
Jonhnathan
ca4f6834e8
[New Rule] Kerberos Preauthentication Disabled for User (#1717)
* Initial "Kerberos Preauthentication Disabled for User" Rule
* Update credential_access_disable_kerberos_preauth.toml
* Update credential_access_disable_kerberos_preauth.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Add config directives
* Update rules/windows/credential_access_disable_kerberos_preauth.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 6e3f4b2824)
2022-01-31 15:33:32 +00:00
Jonhnathan
028b7d34e0
[New Rule] SeEnableDelegationPrivilege assigned to User (#1737)
* SeEnableDelegationPrivilege assigned to User
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Fix logging policy name
* Update rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* lint
* Update credential_access_seenabledelegationprivilege_assigned_to_user.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 25ec71579d)
2022-01-31 15:24:51 +00:00
Justin Ibarra
cb34ee5a28
[Rule tuning] Update rules based on docs review (#1663)
* [Rule tuning] Update rule verbiage based on docs review
* fix typos
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* revert TI rule changes since it was deprecated
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Removed changes from:
- rules/cross-platform/threat_intel_filebeat8x.toml
- rules/cross-platform/threat_intel_fleet_integrations.toml
(selectively cherry picked from commit 72c64de3f5)
2022-01-28 19:43:11 +00:00
Jonhnathan
cea62303e3
[New Rule] PowerShell Kerberos Ticket Request (#1715)
* PowerShell Kerberos Ticket Request Initial Rule
* bump date
(cherry picked from commit edd0df5e1a)
2022-01-27 19:38:10 +00:00
Jonhnathan
c589e73fe4
[New Rule] Email Reported by User as Malware or Phish (#1699)
* Email Reported by User as Malware or Phish Initial Rule
* Update initial_access_o365_user_reported_phish_malware.toml
* Update rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 189c2b152c)
2022-01-27 19:32:49 +00:00
Jonhnathan
29cdcc8881
[New Rule] MS Office Macro Security Registry Modifications (#1696)
* "MS Office Macro Security Registry Modifications" Initial Rule
* Update rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit b6cbdbd416)
2022-01-27 19:26:38 +00:00
Jonhnathan
b214688afe
[New Rule] OneDrive Malware File Upload (#1693)
* "OneDrive Malware File Upload" Initial Rule
* bump severity
(cherry picked from commit f7bc13b437)
2022-01-27 19:21:13 +00:00
Jonhnathan
89fb47f1b2
[New Rule] SharePoint Malware File Upload (#1691)
* "SharePoint Malware File Upload" Initial Rule
* s/onedrive/sharepoint
* bump severity
(cherry picked from commit 1676844640)
2022-01-27 19:14:47 +00:00
Samirbous
37d528d98f
[New Rule] Potential Privileged Escalation via SamAccountName Spoofing (#1660)
* [New Rule] Potential Privileged Escalation via SamAccountName Spoofing
Identifies a suspicious computer account name rename event; this may indicate an attempt to exploit CVE-2021-42278 to elevate privileges from standard domain user to domain admin. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.
https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
https://github.com/cube0x0/noPac
EQL
```eql
iam where event.action == "renamed-user-account" and
/* machine account name renamed to user like account name */
winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
```
* Create privilege_escalation_samaccountname_spoofing_attack.toml
* Update non-ecs-schema.json
* extra ref
* toml linted
* ref for MS kb5008102
* more ref
* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update non-ecs-schema.json
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 26fb8e83a5)
2022-01-27 14:48:39 +00:00
Jonhnathan
883eed11ac
[New Rule] Global Administrator Role Assigned (#1686)
* Initial Global Administrator Role Assigned Rules
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 14252d45ee)
2022-01-27 12:55:01 +00:00
Jonhnathan
adfb990e5c
Create credential_access_mfa_push_brute_force.toml (#1682)
(cherry picked from commit 7e4325dd7a)
2022-01-27 12:39:41 +00:00
Jonhnathan
be55e25bc4
[Rule Tuning] GCP Kubernetes Rolebindings Created or Patched (#1718)
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
* Update rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 38ae64f729)
2022-01-27 12:33:58 +00:00
Jonhnathan
5231c66f99
Update credential_access_suspicious_lsass_access_memdump.toml (#1714)
(cherry picked from commit 1699f50beb)
2022-01-27 12:30:11 +00:00
Jonhnathan
122ef41e1a
Update source.ip condition (#1712)
(cherry picked from commit 4ac824192f)
2022-01-27 12:27:06 +00:00
Jonhnathan
7aa2839a83
[Rule Tuning] Fix event.outcome condition on O365 failed logon related rules (#1687)
* Tune rule query
* Update credential_access_microsoft_365_potential_password_spraying_attack.toml
* Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
* Revert "Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml"
This reverts commit 5a50aeeff6f1bb23bfeccdc6845e04eb7ccaea43.
(cherry picked from commit 0a23d820c9)
2022-01-27 12:24:37 +00:00
Jonhnathan
ce21fe33bb
[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#1683)
* Inbox Rule Tuning
* Add RedirectTo
* Update non-ecs-schema.json
(cherry picked from commit 50c7d5f262)
2022-01-27 12:23:00 +00:00
Jonhnathan
660dc46327
[Rule Tuning] Azure Virtual Network Device Modified or Deleted (#1679)
* Update impact_virtual_network_device_modified.toml
* Change case
(cherry picked from commit fdeb8cb1de)
2022-01-27 12:19:04 +00:00
Samirbous
b8c3ddc305
[New Rule] Potential Privilege Escalation via PKEXEC (#1727)
* [New Rule] Potential Privilege Escalation via PKEXEC
Identifies an attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via insecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user:
* Update privilege_escalation_pkexec_envar_hijack.toml
* removed = sign
(cherry picked from commit b9edc5464e)
2022-01-27 09:43:35 +00:00
Justin Ibarra
8ba106fc64
Autogenerate docs for integration package releases (#1567)
* Autogenerate docs for integration package releases
* add parameter to bypass query validation in git loader
* strip space and - from normalized name
(cherry picked from commit 1f216d12aa)
2022-01-27 06:20:45 +00:00
Justin Ibarra
ea46f01ed1
Update base branch in integrations-pr command (#1733)
(cherry picked from commit e26374cb40)
2022-01-27 05:54:07 +00:00
Justin Ibarra
a03b7b426a
Update tests to account for non-backported deprecations (#1735)
* Update tests to account for non-backported deprecations
* remove comment spacing
(cherry picked from commit 30f5d62bf5)
2022-01-27 05:42:05 +00:00
Rick Boyd
5f053f3b66
Add pyproject.toml and setup.cfg (#1672)
* add pyproject.toml
* add setup.cfg
(cherry picked from commit 179ebb5bdb)
2022-01-26 23:15:39 +00:00
github-actions[bot]
b8f3e46ecf
Lock versions for releases: 7.13,7.14,7.15,7.16,8.0 (#1732)
* Locked versions for releases: 7.13,7.14,7.15,7.16,8.0
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
(cherry picked from commit e42fee2d84)
2022-01-26 22:56:06 +00:00
Justin Ibarra
6a62632105
Revert "[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix (#1649)" (#1731)
This reverts commit 625d1df2bf.
(cherry picked from commit 84d55c829d)
2022-01-26 20:43:09 +00:00
Justin Ibarra
bf9240a201
fix bug in yaml parsing for github workflows (#1725)
* fix bug in yaml parsing for github workflows
* fix kibana version
Removed changes from:
- etc/packages.yml
(selectively cherry picked from commit f7d93e20d4)
2022-01-26 03:58:38 +00:00
Justin Ibarra
59b6d6dd08
Prepare for creation of 8.1 branch (#1700)
Removed changes from:
- etc/packages.yml
(selectively cherry picked from commit 2e78da5c9a)
2022-01-26 03:14:04 +00:00
Justin Ibarra
363556fffa
Add pattern for "name" in rule schema (#1669)
(cherry picked from commit d753ecb8d8)
2022-01-25 21:05:47 +00:00
Colson Wilhoit
07933449e6
MacOS FolderActionScripts Process List Update (#1723)
* update and expand process list
* fix query
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit b564fa13fb)
2022-01-25 20:29:34 +00:00
Colson Wilhoit
8ef8442a39
MacOS Launch Daemon Creation Rule - Query Fix (#1722)
* launch daemon creation syntax fix
* change updated date
(cherry picked from commit cfd4d431dd)
2022-01-25 18:50:02 +00:00
Jonhnathan
30e6cac5d1
[New Rule] Startup/Logon Script added to Group Policy Object (#1607)
* "Startup/Logon Script added to Group Policy Object" Initial Rule
* Change severity
* nest non-ecs schema and move logs-system to winlogbeat
* format query and remove quotes
* Update rules/windows/privilege_escalation_group_policy_iniscript.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Add rule_ids and false_positives instance
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
(cherry picked from commit 95e3b87faf)
2022-01-20 12:13:17 +00:00
Jonhnathan
216d39601a
[Rule Tuning] Add Investigation Guides, Config/Logging Policy to PowerShell merged rules (#1610)
* Add Investigation Guide and config to Suspicious Portable Executable Encoded in Powershell Script
* Add Investigation Guide and config to "PowerShell Suspicious Discovery Related Windows API Functions" rule
* Add Investigation Guide and Config to "PowerShell MiniDump Script" rule
* Add logging policy reference
* Add Investigation Guide/Config to "PowerShell Suspicious Script with Audio Capture Capabilities"
* Add Related Rules GUIDs
* Add Investigation Guide/config for "Potential Process Injection via PowerShell"
* Adjust Response and remediation
* Add Investigation Guide/config for "PowerShell Keylogging Script"
* bump updated_date
* Apply suggestions from Samir
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Apply suggestions
* Revise line from investigation guides
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit 49854aaae2)
2022-01-20 11:58:49 +00:00
Jonhnathan
9f3fb94aad
[New Rule] Potential Privilege Escalation via InstallerFileTakeOver (#1629)
* Create privilege_escalation_installertakeover.toml
* Update privilege_escalation_installertakeover.toml
* Update privilege_escalation_installertakeover.toml
* Update privilege_escalation_installertakeover.toml
* Update rules/windows/privilege_escalation_installertakeover.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/privilege_escalation_installertakeover.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update description and change OFN from : to ==
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 7fa0c0f719)
2022-01-20 11:55:49 +00:00
Jonhnathan
6608f5b2d1
[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix (#1649)
* Update execution_python_tty_shell.toml
* Update EQL query to sequence
* Remove auditbeat index
* Update rules/linux/execution_python_tty_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit 625d1df2bf)
2022-01-20 11:52:20 +00:00
Austin Songer
5ce04f8b27
[New Rule] Azure Suppression Rule Created (#1666)
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Delete defense_evasion_virtual_network_device_modified.toml
* Moved to correct directory.
* Suppression Rule Created
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 96ada9e223)
2022-01-20 11:48:22 +00:00
Jonhnathan
6e0b222524
[New Rule] Group Policy Abuse for Privilege Addition (#1603)
* "Group Policy Abuse for Privilege Addition" Initial Rule
* Update privilege_escalation_group_policy_privileged_groups.toml
* Add related rules
* fix missing comma
* Update non-ecs-schema.json
* Remove duplicated entries
* update note with code format
* Update rules/windows/privilege_escalation_group_policy_privileged_groups.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit d7116485f3)
2022-01-20 11:42:56 +00:00
Trevor Miller
70743a121c
[Rule Tuning] O365 Excessive Single Sign-On Logon Errors (#1680)
* Change event.category to authentication
The original had the event.category as "web"; the correct value is "authentication".
* Changed updated_date to today's date
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit 101b781bef)
2022-01-20 11:34:29 +00:00
Jonhnathan
e9a47c69f4
[New Rule] Scheduled Task Execution at Scale via GPO (#1605)
* "Scheduled Task Execution at Scale via GPO" Initial Rule
* Update non-ecs-schema.json
(cherry picked from commit 865771886e)
2022-01-20 01:08:49 +00:00
Jonhnathan
d0b144acbc
[New Rule] PowerShell PSReflect Script (#1558)
(cherry picked from commit 7bbeaf3053)
2022-01-20 00:32:55 +00:00
Samirbous
8459789a3a
[Rule Tuning] Connection to Commonly Abused Web Services (#1708)
Added Discord domains often abused to stage malicious files.
(cherry picked from commit 6a0164cbd3)
2022-01-17 17:54:17 +00:00
Austin Songer
501489b26c
[New Rule] Microsoft Defender Tampering (#1575)
* Create defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
(cherry picked from commit fd824d1fd5)
2022-01-13 22:51:57 +00:00
Jonhnathan
0248772eb1
[New Rule] Mailbox Audit Logging Bypass (#1702)
* "Mailbox Audit Logging Bypass" Initial Rule
* Add reference
* Update rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit af354dc7e8)
2022-01-13 20:35:10 +00:00