d45b693e20
[New Rule] Suspicious WMI Event Subscription Created ( #1860 )
...
* Suspicious WMI Event Subscription Initial rule
* Use EQL sequence
* Update non-ecs-schema
* Update persistence_sysmon_wmi_event_subscription.toml
* update description
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* update query too look for even code 21 only
* update to case sensitive compare
* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update persistence_sysmon_wmi_event_subscription.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 6d7df50d78
2023-08-29 19:48:03 +00:00
374ac8ad1c
[New Rule] Unusual Process For MSSQL Service Accounts ( #3040 )
...
* [New Rule] Unusual Process For MSSQL Service Accounts
* Update initial_access_unusual_process_sql_accounts.toml
* Update initial_access_unusual_process_sql_accounts.toml
* Update collection_archive_data_zip_imageload.toml
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
* Update initial_access_unusual_process_sql_accounts.toml
* Update rules_building_block/initial_access_unusual_process_sql_accounts.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
added "vpnbridge.exe", "certutil.exe" and "bitsadmin.exe" to rule scope.
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 7004c99ef5
2023-08-29 12:16:12 +00:00
154ee50051
[New Rule] New BBR Rules - Part 4 ( #3035 )
...
* [New Rule] New BBR Rules - Part 4
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 0e337e2c36
2023-08-29 11:55:07 +00:00
520a670568
[New Rule] Potential Masquerading as Browser Process ( #2995 )
...
* [New Rule] Potential Masquerading as Browser Process
* Update rules_building_block/defense_evasion_masquerading_browsers.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update defense_evasion_masquerading_browsers.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 9f213cc9f7
2023-08-28 16:34:26 +00:00
d0d092a036
Update credential_access_lsass_openprocess_api.toml ( #3047 )
...
(cherry picked from commit 22931d6afb
2023-08-28 15:28:09 +00:00
112e2f2864
[New Rule] Potential Masquerading as Windows System32 DLL ( #3021 )
...
* [New Rule] Potential Masquerading as Windows System32 DLL
* Update rules_building_block/defense_evasion_masquerading_windows_dll.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/defense_evasion_masquerading_windows_dll.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Restrict logic
* Update defense_evasion_masquerading_windows_dll.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 7496c5cb68
2023-08-28 11:37:53 +00:00
f00a14c3af
[New Rule] Network-Level Authentication (NLA) Disabled ( #3039 )
...
* [New Rule] Network-Level Authentication (NLA) Disabled
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit ffa60f2d03
2023-08-28 11:11:26 +00:00
c067542e13
[Rule Tuning] High Number of Process and/or Service Terminations ( #2940 )
...
(cherry picked from commit de32287889
2023-08-25 22:25:19 +00:00
8aad7d7d02
BBR Rules Addition ( #3027 )
...
(cherry picked from commit d21ed24e4f
2023-08-25 13:45:51 +00:00
ed2daecb25
[Rule Tuning] Several rule tunings ( #3024 )
...
* [Rule Tuning] Several rule tunings
* Added 1 more
* optimized ransomware encryption rules
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml
* Added 2 more tunings based on todays telemetry
* Some tunings
* Tuning
* Tuning
* fixed user.id comparison
* Something went wrong with deprecation
* Something went wrong with deprecation
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
* Update rules/linux/discovery_linux_nping_activity.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/discovery_linux_hping_activity.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Dedeprecated the rule to deprecate later
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit a1716bd673
2023-08-25 12:09:16 +00:00
939800bb03
[Rule Tuning] Threat Intel Hash Indicator Match ( #3031 )
...
* Remove impash matches due to rate of false positives
* Update rules/cross-platform/threat_intel_indicator_match_hash.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 17d0e5cda8
2023-08-25 09:27:11 +00:00
a16735676f
[Rule Tuning] Windows BBR Rules ( #3018 )
...
* [Rule Tuning] Windows BBR Rules
* Update discovery_generic_process_discovery.toml
(cherry picked from commit 17f6537e44
2023-08-25 08:26:51 +00:00
38aca58b17
[Rule Tuning] Compression DLL Loaded by Unusual Process ( #3017 )
...
(cherry picked from commit 460919a9d7
2023-08-25 08:14:13 +00:00
4833f15de5
[Bug] Fix RTA Metadata ( #3036 )
...
(cherry picked from commit 5bb5994c6f
2023-08-24 16:18:00 +00:00
abdf54d4ac
[Bug] Set session cookie key to sid ( #3010 )
...
(cherry picked from commit c72ec4da90
2023-08-22 21:07:55 +00:00
d96eb29614
Adding related integrations to ML rules ( #2972 )
...
* Adding related integrations to ML rules
* added adjustments to determine related integrations for ML rules
* fixed lint errors
* Empty commit
* Empty commit
* Empty commit
---------
Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.lan >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.fritz.box >
(cherry picked from commit 9482bda414
2023-08-22 18:45:02 +00:00
10fa921c84
[Rule Tuning] Ignore Windows Update MpSigStub.exe for Parent Process PID Spoofing ( #3025 )
...
* adding tuning to ignore windows update
* Update privilege_escalation_via_ppid_spoofing.toml
* Update privilege_escalation_via_ppid_spoofing.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 2ddcf7817e
2023-08-22 17:10:02 +00:00
121134347a
[Rule Tuning] PowerShell Keylogging Script ( #3023 )
...
(cherry picked from commit 0c3b251208
2023-08-22 10:50:44 +00:00
37ff018674
[New Rule] Potential Masquerading as Windows System32 Executable ( #3022 )
...
* [New Rule] Potential Masquerading as Windows System32 Executable
* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit f8df53626e
2023-08-21 18:20:06 +00:00
3534b37ba6
[Tuning] Improve Performance ( #2953 )
...
* [Tuning] Improve Performance
Remote Computer Account DnsHostName Update : sequence not needed, removed auth event to improve rule execution time.
Potential Remote Credential Access via Registry : removed sequence, since user.id is reported as std user SID (svchost is impersonating a remote user), and reduced file.path to known bad (based on observed TPs)
* Update privilege_escalation_suspicious_dnshostname_update.toml
* ++
* ++
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 5e801b2edf
2023-08-21 15:29:47 +00:00
32f4fe26ba
[Bug] Duplicate tag on Okta rule ( #3020 )
...
* Fix double tag on rule
* fixed all rules; added unit test
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 4f33a40f48
2023-08-21 14:49:38 +00:00
8058b4054c
[New Rule] PowerShell Kerberos Ticket Dump ( #2967 )
...
* [New Rule] PowerShell Kerberos Ticket Dump
* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml
* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 72f15dda6a
2023-08-20 20:34:43 +00:00
27e246bd5e
[Rule Tuning] Privileges Elevation via Parent Process PID Spoofing ( #2873 )
...
* Update privilege_escalation_via_ppid_spoofing.toml
* Update privilege_escalation_via_ppid_spoofing.toml
* bump date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit b5e011a892
2023-08-17 16:58:24 +00:00
7c4ca0a4a3
[New Rule] Building Block Rules - Part 2 ( #2923 )
...
* [New Rule] Building Block Rules - Part 2
* .
* Update rules_building_block/defense_evasion_dll_hijack.toml
* Update rules_building_block/defense_evasion_file_permission_modification.toml
* Update rules_building_block/discovery_posh_password_policy.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 9144dc0448
2023-08-17 16:06:41 +00:00
44ac8f762d
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10 ( #3019 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10
* Update detection_rules/etc/deprecated_rules.json
* Update detection_rules/etc/deprecated_rules.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 4cf70654ad
2023-08-17 13:15:11 +00:00
492e6c416e
[FR] 8.10 Release Preparation and Update Main Branch to 8.11 ( #3012 )
...
* prepping for 8.11 branch
* fixed lint errors
* added 8.11 to stack schema map
* trimmed version lock file; adjusted new terms validation
* reverting changes to version lock, stack schema and workflow
Removed changes from:
- detection_rules/etc/packages.yml
(selectively cherry picked from commit 08b646aa94
2023-08-16 18:29:17 +00:00
96e50be5a6
[Rule Tuning] Potential Masquerading as Communication Apps ( #2997 )
...
* [Rule Tuning] Potential Masquerading as Communication Apps
* Update defense_evasion_masquerading_communication_apps.toml
* Update persistence_run_key_and_startup_broad.toml
* CI
* Revert "CI"
This reverts commit f43d9388dadb158d6cb63e84d2f1edcf2162bfb0.
2023-08-16 09:34:21 -03:00
e938ed28a0
[Rule Tuning] added additional event action ( #3008 )
2023-08-10 16:59:07 +02:00
2393190edf
[New Rule] PowerShell Script with Webcam Video Capture Capabilities ( #2935 )
...
* [New Rule] PowerShell Script with Webcam Video Capture Capabilities
* Update collection_posh_webcam_video_capture.toml
* Update rules_building_block/collection_posh_webcam_video_capture.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-08-09 15:17:15 -03:00
f500cec497
fixing typo in 127.0.0.1 address ( #3004 )
2023-08-08 17:06:26 +02:00
4cbfd7c4ae
[Rule Tuning] Restricted Shell Breakout ( #2999 )
2023-08-04 19:30:18 +02:00
e904ebb760
[New Rule] PE via Container Misconfiguration ( #2983 )
...
* [New Rule] PE via Container Misconfiguration
* fixed boolean comparison unit test error
* Update privilege_escalation_container_util_misconfiguration.toml
* Update rules/linux/privilege_escalation_container_util_misconfiguration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-04 16:39:40 +02:00
ef49709c7d
[New Rules] Linux Wildcard Injection ( #2973 )
...
* [New Rules] Linux Wildcard Injection
* Update rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-04 16:32:34 +02:00
c6eba3e4e6
[New Rule] Suspicious Symbolic Link Created ( #2969 )
...
* [New Rule] Suspicious Symbolic Link Created
* Update rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* fixed unit testing issues after suggestion commit
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 23:23:23 +02:00
4bcec3397c
[New Rule] Potential Suspicious DebugFS Root Device Access ( #2982 )
...
* [New Rule] Potential DebugFS Privilege Escalation
* Changed rule name
* Update rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 16:13:34 +02:00
207d94e51c
[New Rule] Potential Sudo Token Manipulation via Process Injection ( #2984 )
...
* [New Rule] Sudo Token Access via Process Injection
* [New Rule] Sudo Token Manipulation via Proc Inject
* Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
* Update privilege_escalation_sudo_token_via_process_injection.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 15:58:25 +02:00
7cc841cc87
[New Rule] PE via UID INT_MAX Bug ( #2971 )
...
* [New Rule] PE via UID INT_MAX Bug
* changed file name
* Should be more decisive
* fix
* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 15:51:06 +02:00
ef1fa94c52
[New BBR] Suspicious Clipboard Activity ( #2970 )
...
* [New BBR] Suspicious Clipboard Activity
* Added new line to end of file
* Update rules_building_block/collection_linux_suspicious_clipboard_activity.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules_building_block/collection_linux_suspicious_clipboard_activity.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-03 15:41:23 +02:00
a7ff449fbc
[Rule Tuning] Some Tunings of several 8.9 rules ( #2985 )
...
* [Rule Tuning] Doing some quick tunings
* updated_date bump
* Update rules/linux/discovery_linux_modprobe_enumeration.toml
* Update rules/linux/discovery_linux_modprobe_enumeration.toml
* Update rules/linux/discovery_linux_sysctl_enumeration.toml
* Update rules/linux/persistence_init_d_file_creation.toml
* Update rules/linux/persistence_rc_script_creation.toml
* Update rules/linux/persistence_shared_object_creation.toml
* deprecate rule
* deprecate rule
* Update execution_abnormal_process_id_file_created.toml
* Update discovery_kernel_module_enumeration_via_proc.toml
* Update discovery_linux_modprobe_enumeration.toml
* Update execution_remote_code_execution_via_postgresql.toml
* Update discovery_potential_syn_port_scan_detected.toml
* Added 2 tunings, sorry I missed those..
* One more tune
* Update discovery_suspicious_proc_enumeration.toml
2023-08-03 15:25:33 +02:00
03110fb24c
[New Rule] SUID/SGUID Enumeration Detected ( #2956 )
...
* [New Rule] SUID/SGUID Enumeration Detected
* Remove endgame compatibility
* readded endgame support after troubleshooting
* Update discovery_suid_sguid_enumeration.toml
* Update rules/linux/discovery_suid_sguid_enumeration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-03 09:57:30 +02:00
716b621af2
[New Rule] Potential Sudo Hijacking Detected ( #2966 )
...
* [New Rule] Potential Sudo Hijacking Detected
* Update privilege_escalation_sudo_hijacking.toml
2023-08-03 09:49:14 +02:00
18c2214956
[New Rule] Sudo Command Enumeration Detected ( #2946 )
...
* [New Rule] Sudo Command Enumeration Detected
* Update discovery_sudo_allowed_command_enumeration.toml
* revert endgame support due to unit testing fail
* Update discovery_sudo_allowed_command_enumeration.toml
* Update discovery_sudo_allowed_command_enumeration.toml
* Update rules/linux/discovery_sudo_allowed_command_enumeration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/discovery_sudo_allowed_command_enumeration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-03 09:39:16 +02:00
3f9e7aced1
[Bug] Strip Non-Public Fields Prior to Uploading Rules ( #2986 )
2023-08-02 12:38:48 -05:00
29fc61d55b
updated pyproject.toml ( #2991 )
2023-08-02 10:16:12 -04:00
1cb5c174ce
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 ( #2988 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9
* Update detection_rules/etc/version.lock.json
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-08-01 10:12:29 -04:00
ea26ea77d7
[FR] Update build-release to support bbr release ( #2987 )
...
* Fixes bug in unit tests
* fix rule paths
* removed unused import
2023-07-31 15:20:18 -04:00
b8bb2da932
[New Rule] Potential Privilege Escalation via OverlayFS ( #2974 )
...
* [New Rule] Privilege Escalation via OverlayFS
* Layout change
* Revert "[New Rule] Privilege Escalation via OverlayFS"
This reverts commit f3262d179bc5f54ae5380ffa50d67041fb141c26.
* Made rule broader
* Update privilege_escalation_overlayfs_local_privesc.toml
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
* Update user.id to strings
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-07-31 19:15:11 +02:00
d1db3a0048
[New Rule] Building Block Rules - Part 4 ( #2926 )
...
* [New Rule] Building Block Rules - Part 4
* Update discovery_win_network_connections.toml
* Update privilege_escalation_unquoted_service_path.toml
* Update rules_building_block/discovery_win_network_connections.toml
* Update rules_building_block/privilege_escalation_unquoted_service_path.toml
* Rename lateral_movement_net_share_discovery_winlog.toml to discovery_net_share_discovery_winlog.toml
* Update discovery_net_share_discovery_winlog.toml
2023-07-31 11:03:57 -03:00
1e769c51b6
Tune Unusual File Activity ADS for Teams weblogs ( #2929 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-31 10:41:31 -03:00
6966a6df09
[New Rule] Building Block Rules - Part 3 ( #2924 )
...
* [New Rule] Building Block Rules - Part 3
* Update defense_evasion_generic_deletion.toml
* Update defense_evasion_generic_deletion.toml
* Update defense_evasion_generic_deletion.toml
* Apply suggestions from code review
* Update rules_building_block/discovery_generic_account_groups.toml
* Apply suggestions from code review
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-31 10:28:25 -03:00
Jonhnathan