d121e74a3e
[Rule Tuning] Windows DR Tuning - 15 ( #3377 )
...
* [Rule Tuning] Windows DR Tuning - 15
* Update privilege_escalation_windows_service_via_unusual_client.toml
* Update privilege_escalation_windows_service_via_unusual_client.toml
* Update defense_evasion_msbuild_making_network_connections.toml
(cherry picked from commit 92804343bc
2024-01-23 19:53:28 +00:00
9f18adfdb1
[Rule Tuning] Direct Outbound SMB Connection ( #3400 )
...
* [Rule Tuning] Direct Outbound SMB Connection
* Update lateral_movement_direct_outbound_smb_connection.toml
(cherry picked from commit e33389b2ef
2024-01-23 18:38:50 +00:00
4c9a6b1dcc
[Rule Tuning] Host Files System Changes via Windows Subsystem for Linux ( #3398 )
...
* [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux
* Update defense_evasion_wsl_filesystem.toml
(cherry picked from commit e0bdb59deb
2024-01-22 21:52:44 +00:00
869988c20f
[Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field ( #3368 )
...
* updated timestamp override unit test; fixed rules missing this field
* fixed flake error
* simplified and consolidated logic
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* added comments
* updated logic; added comments; removed unused variables
* removed custom python script
* updated dates
* removed deprecated rule change
* updated dates
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Removed changes from:
- rules/integrations/beaconing/command_and_control_beaconing.toml
- rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
(selectively cherry picked from commit 1c10c37468
2024-01-17 19:19:45 +00:00
11c929f019
[Rule Tuning] Windows DR Tuning - 12 ( #3364 )
...
(cherry picked from commit f6ba12a700
2024-01-17 16:24:02 +00:00
c6725b5642
[Tuning] Add logs-system. index where applicable ( #3390 )
...
* Update discovery_adfind_command_activity.toml
* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_execution_control_panel_suspicious_args.toml
* Update credential_access_dump_registry_hives.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
* Update privilege_escalation_uac_bypass_mock_windir.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_printspooler_childprocess.toml
* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml
* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update initial_access_suspicious_ms_outlook_child_process.toml
* Update initial_access_suspicious_ms_office_child_process.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update initial_access_suspicious_ms_exchange_process.toml
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update execution_from_unusual_path_cmdline.toml
* Update execution_enumeration_via_wmiprvse.toml
* Update execution_command_shell_started_by_svchost.toml
* Update discovery_enumerating_domain_trusts_via_nltest.toml
* Update discovery_enumerating_domain_trusts_via_dsquery.toml
* Update defense_evasion_workfolders_control_execution.toml
* Update defense_evasion_iis_httplogging_disabled.toml
* Update defense_evasion_enable_inbound_rdp_with_netsh.toml
* Update defense_evasion_disabling_windows_logs.toml
* Update credential_access_wireless_creds_dumping.toml
* Update credential_access_iis_apppoolsa_pwd_appcmd.toml
* Update credential_access_iis_connectionstrings_dumping.toml
* Update command_and_control_remote_file_copy_desktopimgdownldr.toml
* Update command_and_control_remote_file_copy_mpcmdrun.toml
* Update command_and_control_dns_tunneling_nslookup.toml
* Update persistence_webshell_detection.toml
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
* Update privilege_escalation_named_pipe_impersonation.toml
* Update command_and_control_certreq_postdata.toml
* Update defense_evasion_suspicious_certutil_commands.toml
* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update persistence_system_shells_via_services.toml
* Update execution_suspicious_cmd_wmi.toml
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update credential_access_dump_registry_hives.toml
* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update defense_evasion_execution_control_panel_suspicious_args.toml
* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update discovery_adfind_command_activity.toml
* Update initial_access_suspicious_ms_outlook_child_process.toml
* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
* Update privilege_escalation_uac_bypass_mock_windir.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_printspooler_childprocess.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_unusual_dir_ads.toml
* Update defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_enabled_via_dism.toml
* Update discovery_admin_recon.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update lateral_movement_alternate_creds_pth.toml
* Update persistence_via_windows_management_instrumentation_event_subscription.toml
* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml
* Update persistence_via_application_shimming.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update discovery_adfind_command_activity.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update execution_command_shell_started_by_svchost.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 27262a585b
2024-01-17 13:54:51 +00:00
91ee5caf94
[Rule Tuning] Windows DR Tuning - 13 ( #3369 )
...
(cherry picked from commit 71cec2a0e1
2024-01-17 12:58:32 +00:00
b1c8876c53
[Rule Tuning] Windows DR Tuning - 10 ( #3355 )
...
* [Rule Tuning] Windows DR Tuning - 10
* Update discovery_whoami_command_activity.toml
(cherry picked from commit c6ab294627
2024-01-17 12:49:05 +00:00
753578f336
[Rule Tuning] Windows DR Tuning - 14 ( #3376 )
...
* [Rule Tuning] Windows DR Tuning - 14
* Update persistence_suspicious_com_hijack_registry.toml
* Update rules/windows/persistence_webshell_detection.toml
(cherry picked from commit 0469785793
2024-01-15 14:20:48 +00:00
336dba7d05
[Rule Tuning] Windows DR Tuning - 11 ( #3359 )
...
* [Rule Tuning] Windows DR Tuning - 10
* Update execution_posh_hacktool_functions.toml
* Update impact_backup_file_deletion.toml
(cherry picked from commit caf38fd1b1
2024-01-15 14:00:57 +00:00
d435ab7c44
[Rule Tuning] Windows DR Tuning - 9 ( #3354 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 724e34ba95
2024-01-07 12:56:05 +00:00
bcef5d74e1
[Rule Tuning] Windows DR Tuning - 8 ( #3353 )
...
* [Rule Tuning] Windows DR Tuning - 8
* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/defense_evasion_via_filter_manager.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/defense_evasion_via_filter_manager.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 7b1215ccf1
2024-01-03 15:05:15 +00:00
3f8c0295d0
[New] Potential Evasion via Windows Filtering Platform ( #3356 )
...
* Create defense_evasion_windows_filtering_platform.toml
* Update defense_evasion_windows_filtering_platform.toml
* Update defense_evasion_windows_filtering_platform.toml
* Update defense_evasion_windows_filtering_platform.toml
* Update defense_evasion_windows_filtering_platform.toml
* Update rules/windows/defense_evasion_windows_filtering_platform.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update defense_evasion_windows_filtering_platform.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit b7e21d8c29
2024-01-03 12:54:56 +00:00
f3377e1460
[Deprecate] Potential Process Herpaderping Attempt ( #3336 )
...
* Update and rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml
* Rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml
* ++
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 341499a2bc
2023-12-19 21:04:33 +00:00
1f2ae31f67
[Security Content] Add Windows Investigation Guides ( #3257 )
...
* [Security Content] Add Windows Investigation Guides
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
(cherry picked from commit 578936d37a
2023-12-19 15:43:12 +00:00
a635222776
[Rule Tuning] Windows DR Tuning - 7 ( #3344 )
...
* [Rule Tuning] Windows Rule Tuning -1
* Update command_and_control_ingress_transfer_bits.toml
(cherry picked from commit 2f468ddcba
2023-12-18 17:32:31 +00:00
9f513da1c0
[Tuning] Suspicious Script Object Execution ( #3339 )
...
* Update defense_evasion_suspicious_scrobj_load.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 4b183be124
2023-12-14 23:54:28 +00:00
5b8e686583
[Tuning] Remote Scheduled Task Creation ( #3337 )
...
* Update non-ecs-schema.json
* add timestamp override
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 07b952b7bc
2023-12-14 23:44:37 +00:00
5d5bb7ed16
[Rule Tuning] Optimize query for Installation of Custom Shim Databases ( #3331 )
...
* [Rule Tuning] Optimize query for Installation of Custom Shim Databases
* add timestamp override
* update query exceptions
* tighten endpoint index pattern to registry
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit aff7f37b92
2023-12-14 22:08:52 +00:00
35589e47a7
[Rule Tuning] Optimize query for Direct Outbound SMB Connection ( #3329 )
...
* [Rule Tuning] Optimize query for Direct Outbound SMB Connection
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit a7b9a61942
2023-12-14 18:26:27 +00:00
c4b6e810d1
[Tuning] Suspicious Managed Code Hosting Process ( #3338 )
...
* Update defense_evasion_suspicious_managedcode_host_process.toml
* Update defense_evasion_suspicious_managedcode_host_process.toml
(cherry picked from commit 8b2aed4fc0
2023-12-14 17:56:43 +00:00
077041fef5
[Tuning] Multiple Logon Failure Followed by Logon Success ( #3340 )
...
* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml
(cherry picked from commit 727c23e3d2
2023-12-14 17:45:47 +00:00
6dad9359c4
[Rule Tuning] Account Password Reset Remotely ( #3335 )
...
* [Rule Tuning] Account Password Reset Remotely
- reduced maxspan from 5 to 1m (automated pwd reset)
- excluded most common noisy winlog.event_data.TargetUserName patterns (service account dedicated for pwd reset en masse)
* Update persistence_remote_password_reset.toml
(cherry picked from commit 7a4f1224dc
2023-12-14 17:27:05 +00:00
c55eb80d2a
[Rule Tuning] Windows DR Tuning - 6 ( #3246 )
...
* [Rule Tuning] Windows DR Tuning - 6
* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml
* Update defense_evasion_network_connection_from_windows_binary.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 6f4c323929
2023-12-12 14:42:50 +00:00
87f8498b68
[Security Content] Introduce Investigate Plugin in Investigation Guides ( #3080 )
...
* [Security Content] Introduce Investigate Plugin in Investigation Guides
* Add compatibility note
* Update Transform format
* update transform unit tests for investigate
* updated docs with transform
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit aeb1f91320
2023-12-08 18:59:26 +00:00
be07759888
[Security Content] Add Windows Investigation Guides ( #3095 )
...
* [Security Content] Add Windows Investigation Guides
* Update defense_evasion_rundll32_no_arguments.toml
* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml
* Update privilege_escalation_posh_token_impersonation.toml
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update execution_ms_office_written_file.toml
* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml
* Update rules/windows/defense_evasion_rundll32_no_arguments.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_registry_modification.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/defense_evasion_wsl_registry_modification.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/execution_ms_office_written_file.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/windows/persistence_via_wmi_stdregprov_run_services.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update privilege_escalation_posh_token_impersonation.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
(cherry picked from commit eb7c5f6717
2023-12-08 14:35:53 +00:00
17139b0278
[New] Rare SMB Connection to the Internet ( #3300 )
...
* Create exfiltration_smb_rare_destination.toml
* Update exfiltration_smb_rare_destination.toml
* Update exfiltration_smb_rare_destination.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 7070eb3b34
2023-12-07 16:15:06 +00:00
d528af6bdb
[Rule Tuning] UEBA new_terms process_executable ( #3268 )
...
* [Rule Tuning] UEBA new_terms process_executable
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 1647a16fab
2023-12-07 15:42:41 +00:00
97db361c09
[New] Process Created with a Duplicated Token ( #3152 )
...
* [New] Process Created with a Duplicated Token
using `process.Ext.effective_parent.executable` to detect impersonation using token duplicates from windows native binaries to run common lolbins or recently dropped unsigned ones :
* Update privilege_escalation_create_process_with_token_unpriv.toml
* Update privilege_escalation_create_process_with_token_unpriv.toml
* Update rules/windows/privilege_escalation_create_process_with_token_unpriv.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update privilege_escalation_create_process_with_token_unpriv.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 7488c60090
2023-12-07 11:25:07 +00:00
4c5511254f
[Rule Tuning] Windows DR Tuning - 5 ( #3229 )
...
* [Rule Tuning] Windows DR Tuning - 5
* .
* Revert changes BehaviorOnFailedVerify
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit e5d676797e
2023-12-05 22:25:21 +00:00
d9860ca855
[New] Interactive Logon by an Unusual Process ( #3299 )
...
* Create privilege_escalation_make_token_local.toml
* Update privilege_escalation_make_token_local.toml
* Update privilege_escalation_make_token_local.toml
(cherry picked from commit e6df245ff3
2023-12-05 17:39:08 +00:00
315b4df8ca
[New] First Time Seen NewCredentials Lgon Process ( #3276 )
...
* Create privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update rules/windows/privilege_escalation_newcreds_logon_rare_process.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 88f752bf8b
2023-11-27 18:42:12 +00:00
699c835043
[Rule Tuning] Fix Menasec Expired Links ( #3271 )
...
(cherry picked from commit f53f46efd5
2023-11-14 13:23:48 +00:00
a31d788dcb
Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform ( #3157 )
...
(cherry picked from commit a568c56bc1
2023-10-30 11:28:47 +00:00
924056878d
[Rule Tuning] Windows DR Tuning - 4 ( #3214 )
...
* [Rule Tuning] Windows DR Tuning - 4
* Update credential_access_remote_sam_secretsdump.toml
(cherry picked from commit 1133b3a8a9
2023-10-27 00:04:57 +00:00
44cf454ce2
[Rule Tuning] Windows DR Tuning - 3 ( #3212 )
...
* [Rule Tuning] Windows DR Tuning - 3
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_moving_registry_hive_via_smb.toml
(cherry picked from commit 3d73427e29
2023-10-26 22:04:49 +00:00
4d98afbc1d
[Rule Tuning] Windows DR Tuning - 2 ( #3209 )
...
* [Rule Tuning] Windows DR Tuning - 2
* Update rules/windows/credential_access_kerberoasting_unusual_process.toml
* Update credential_access_kerberoasting_unusual_process.toml
* Update command_and_control_teamviewer_remote_file_copy.toml
(cherry picked from commit efa7c428ea
2023-10-26 21:17:05 +00:00
aa62790ae6
[Rule Tuning] Windows DR Tuning - 1 ( #3198 )
...
* [Rule Tuning] Windows DR Tuning - 1
* Update collection_winrar_encryption.toml
(cherry picked from commit a5240e4063
2023-10-26 20:26:43 +00:00
223bfe0a6d
[Promote] Potential Masquerading as Communication Apps ( #3181 )
...
* [Promote] Potential Masquerading as Communication Apps
* Update defense_evasion_masquerading_communication_apps.toml
* Update defense_evasion_masquerading_communication_apps.toml
* Update rules/windows/defense_evasion_masquerading_communication_apps.toml
* Update defense_evasion_masquerading_communication_apps.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 6fcf26b20e
2023-10-23 18:01:34 +00:00
574a130346
[Rule Tuning] Potential Privilege Escalation via InstallerFileTakeOver ( #3215 )
...
* [Rule Tuning] Potential Privilege Escalation via InstallerFileTakeOver
* Update privilege_escalation_installertakeover.toml
(cherry picked from commit a471f6fc60
2023-10-23 17:40:51 +00:00
916b1a2cad
[Promote] Expired or Revoked Driver Loaded ( #3185 )
...
* [Promote] Expired or Revoked Driver Loaded
* Update privilege_escalation_expired_driver_loaded.toml
(cherry picked from commit 18ff85ce84
2023-10-23 14:50:52 +00:00
9b2e74b220
[Rule Tuning] Linux Rules ( #3092 )
...
* [Rule Tuning] [WIP] Linux DR
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Fixed tag
* Added additional tuning
* unit test fix
* Additional tuning
* tuning
* added max signals
* Added max_signals=1 to brute force rules
* Cross-Platform Tuning
* Small fix
* new_terms conversion
* typo
* new_terms conversion
* Ransomware rule tuning
* performance tuning
* new_terms conversion for auditd_manager
* tune
* Need coffee
* kql/eql stuff
* formatting improvement
* new_terms sudo hijacking conversion
* exclusion
* Deprecations that were added last tuning
* Deprecations that were added last tuning
* Increased max timespan for brute force rules
* version bump
* added domain tag
* Two tunings
* More tuning
* Additional tuning
* updated_date bump
* query optimization
* Tuning
* Readded the exclusions for this one
* Changed int comparison
* Some tunings
* Update persistence_systemd_scheduled_timer_created.toml
* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"
This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.
* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml
* Update rules/linux/command_and_control_cat_network_activity.toml
* Update persistence_message_of_the_day_execution.toml
* Changed max_signals
* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"
This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.
* Revertable merge
* Update defense_evasion_ld_preload_env_variable_process_injection.toml
* File name change
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 020fff3aea
2023-10-23 14:34:55 +00:00
97ce9d7478
[Rule Tuning] Potential Masquerading as System32 DLL ( #3184 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit e4e68c2dd8
2023-10-17 11:35:05 +00:00
9426d79b1c
[Tuning] Adjusted Rules for Anti-Evasion ( #3163 )
...
* Update lateral_movement_executable_tool_transfer_smb.toml
* Update lateral_movement_incoming_wmi.toml
* Update lateral_movement_execution_via_file_shares_sequence.toml
* Update lateral_movement_executable_tool_transfer_smb.toml
* Update lateral_movement_execution_via_file_shares_sequence.toml
* Update lateral_movement_executable_tool_transfer_smb.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 24b0aa5c63
2023-10-16 17:02:08 +00:00
ef715864f4
[Security Content] Adjust Mitre Att&ck Mappings - Windows Rules ( #3165 )
...
* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules
* Fix dates
* Fix unit test errors
* updated tags and fixed branch conflicts
updated tags and fixed branch conflicts
* description nit
* Reverting unintended changes
* Update initial_access_suspicious_ms_office_child_process.toml
---------
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com >
(cherry picked from commit f584fb6e31
2023-10-15 21:18:03 +00:00
788f2ce884
[Rule Tuning] PowerShell Rules Tuning ( #3169 )
...
(cherry picked from commit 3f2a709370
2023-10-11 21:03:44 +00:00
f66b82c0ec
[Tuning] Windows Execution Rule Tuning for UEBA ( #3107 )
...
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Mostly updated Execution tags, also new_terms conv
* removed index
* Removed index
* WMIPrvSE tuning
* Additional tuning
* Tuning & changes
* Additional tuning
* Applied unit test optimization
* Addressed feedback
* Update rules/windows/execution_command_shell_started_by_svchost.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* caseless unit testing fix
* fixed caseless executable unit test
* unit testing fix
* Update rules/windows/execution_suspicious_powershell_imgload.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update execution_ms_office_written_file.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
* Added user ids to new terms
* Update rules/windows/execution_suspicious_powershell_imgload.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules_building_block/execution_unsigned_service_executable.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update execution_unsigned_service_executable.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit c2822e175c
2023-10-11 08:21:37 +00:00
d4d794b586
[Tuning] Windows Discovery Rule Tuning for UEBA ( #3097 )
...
* [Tuning] Win DR Tuning for UEBA
* Need to get used to Windows formatting
* Added additional content
* Updated min stack
* Added additional tuning
* Fixed unit testing for KQL optimization
* Update rules_building_block/discovery_internet_capabilities.toml
* Additional tuning
* Kuery optimization
* Additional tuning
* Additional tuning
* Additional tuning
* Additional tuning
* Unit testing optimization fix
* optimization
* tuning
* Optimization
* Update rules/windows/discovery_privileged_localgroup_membership.toml
* Added feedback
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* added host.id as additional new_terms field
* Reworked a lot.
* kibana.alert.rule.rule_id to non-ecs-schema.json
* Fixed index by adding a dot
* fixed typo
* Added host.os.type:windows for signals
* Added additional tag
* Added Higher-Order Rule tag
* Stripped down signal rules down to two
* revert
* Update rules/windows/discovery_admin_recon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/discovery_generic_registry_query.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update discovery_generic_registry_query.toml
* Readded exclusions
* Added trailing wildcards for KQL
* Update discovery_privileged_localgroup_membership.toml
* Update rules_building_block/discovery_signal_unusual_user_host.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Formatting fix
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 4cdf52129a
2023-10-11 07:49:08 +00:00
54303f84fc
adjusting minimum stack version for version control ( #3154 )
...
(cherry picked from commit 8d2b730bc5
2023-10-03 17:41:45 +00:00
0bc9b126f6
Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity ( #3091 )
...
* Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity
When dllhost.exe is called with the "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}" argument it is creating an "OOBE Elevated Object Server" as per https://strontic.github.io/xcyclopedia/library/clsid_ca8c87c1-929d-45ba-94db-ef8e6cb346ad.html
Out of the box experience is part of the Windows autopilot and therefore should be legitimate behaviour.
* simplified detection logic by utilising process.parent.args
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit ccfc931fbd
2023-09-13 16:56:38 +00:00
Jonhnathan