Isai
d636f2d465
[Rule Tuning] T1069 and T1087 - admin wildcard (#2484)
Tuned both rules: relax the conditions by adding a wildcard to admin
2023-01-30 22:01:52 -05:00
Jonhnathan
54f65abdb0
[Rule Tuning] Potential Shadow Credentials added to AD Object (#2498)
2023-01-30 09:14:23 -03:00
Ruben Groenewoud
b8adffa469
[New Rule] System Service Discovery through built-in Windows Utilities (#2491)
* [New Rule] System Service Discovery through built-in Windows Utilities
* added pe.original_file_name to net.exe
* fixed query style mistake
* fixed detection logic mistake
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-01-29 19:15:17 +01:00
Samirbous
c5ce910d3a
Create defense_evasion_timestomp_sysmon.toml (#2476)
2023-01-27 21:32:03 +00:00
Samirbous
b8dcc6ab4b
[New Rules] C2 via BITS and CertReq (#2466)
* Create command_and_control_certreq_postdata.toml
* Update command_and_control_certreq_postdata.toml
* Update command_and_control_certreq_postdata.toml
* Create command_and_control_ingress_transfer_bits.toml
* Update non-ecs-schema.json
* Update command_and_control_certreq_postdata.toml
* Update command_and_control_ingress_transfer_bits.toml
* Update rules/windows/command_and_control_certreq_postdata.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-01-27 20:17:36 +00:00
Samirbous
e737b4eb7c
[Tuning] added T1021.006 and T1563.001 (#2497)
* Update lateral_movement_incoming_winrm_shell_execution.toml
* Update lateral_movement_powershell_remoting_target.toml
* Update persistence_ssh_authorized_keys_modification.toml
* Update persistence_credential_access_modify_ssh_binaries.toml
* Update credential_access_potential_linux_ssh_bruteforce_root.toml
* Update persistence_ssh_authorized_keys_modification.toml
* Update persistence_ssh_authorized_keys_modification.toml
* Update persistence_ssh_authorized_keys_modification.toml
2023-01-27 19:51:22 +00:00
Samirbous
a1df310e56
[New Rule] T1553.006 - Untrusted Driver Loaded (#2499)
* Create defense_evasion_untrusted_driver_loaded.toml
* Update defense_evasion_untrusted_driver_loaded.toml
2023-01-27 19:46:35 +00:00
Samirbous
2372602c4e
[New Rules] Amsi Bypass (#2473)
* Create defense_evasion_amsi_bypass_powershell.toml
* Create defense_evasion_amsi_bypass_dllhijack.toml
* Update defense_evasion_amsi_bypass_dllhijack.toml
2023-01-26 06:03:53 +00:00
Samirbous
1c6e5a3448
[New Rule] Suspicious Inter-Process Communication via Outlook (#2458)
* Create collection_email_outlook_mailbox_via_com.toml
* Update non-ecs-schema.json
* Update rules/windows/collection_email_outlook_mailbox_via_com.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/collection_email_outlook_mailbox_via_com.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/collection_email_outlook_mailbox_via_com.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-01-25 17:44:32 +00:00
Samirbous
1a5e64ce13
[New Rule] T1543.003 - Unsigned DLL Loaded by Svchost (#2477)
* Create persistence_service_dll_unsigned.toml
* Update non-ecs-schema.json
* Update persistence_service_dll_unsigned.toml
* Update rules/windows/persistence_service_dll_unsigned.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update detection_rules/etc/non-ecs-schema.json
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update persistence_service_dll_unsigned.toml
* Update persistence_service_dll_unsigned.toml
* Update non-ecs-schema.json
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-01-25 17:11:38 +00:00
Samirbous
bcd8ef15ba
[New Rule] Unsigned DLL Side-Loading from a Suspicious Folder (#2409)
* Create defense_evasion_unsigned_dll_loaded_from_suspdir.toml
* Update non-ecs-schema.json
* Update defense_evasion_unsigned_dll_loaded_from_suspdir.toml
* Update rules/windows/defense_evasion_unsigned_dll_loaded_from_suspdir.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-01-25 13:23:20 +00:00
Samirbous
8427c8cd22
Create credential_access_suspicious_lsass_access_generic.toml (#2487)
2023-01-25 09:43:35 +00:00
Jonhnathan
f804c29f6d
[New Rule] PowerShell Script with Encryption/Decryption Capabilities (#2489)
* [New Rule] PowerShell Script with Encryption/Decryption Capabilities
* Update defense_evasion_posh_encryption.toml
2023-01-24 12:26:11 -03:00
Ruben Groenewoud
644a094503
Group Policy Object Discovery through gpresult.exe (#2483)
* [New Rule] Group Policy Discovery Through gpresult.exe
* Fixed typo
* Update rules/windows/discovery_group_policy_object_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_group_policy_object_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_group_policy_object_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_group_policy_object_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-01-24 12:10:57 +01:00
Jonhnathan
fc30b5881f
[New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities (#2465)
* [New Rule] PowerShell Suspicious Script with Clipboard Retrieval Capabilities
* Bump sev
* Update rules/windows/collection_posh_clipboard_capture.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-01-24 07:58:48 -03:00
Jonhnathan
92ae27600f
[New Rule] PowerShell Mailbox Collection Script (#2461)
2023-01-24 07:54:55 -03:00
Jonhnathan
7cde7901e3
[Rule Tuning] PowerShell Suspicious Discovery Related Windows API Functions (#2478)
* [Rule Tuning] PowerShell Suspicious Discovery Related Windows API Functions
* Update discovery_posh_suspicious_api_functions.toml
2023-01-23 20:35:43 -03:00
Jonhnathan
729ecf8b58
[New Rule] PowerShell Invoke-NinjaCopy script (#2488)
* [New Rule] PowerShell Invoke-NinjaCopy script
* Update credential_access_posh_invoke_ninjacopy.toml
* Update credential_access_posh_invoke_ninjacopy.toml
2023-01-23 20:00:57 -03:00
Ruben Groenewoud
e3ff45e20c
[New Rule] System Time Discovery (#2475)
* [New Rule] System Time Discovery
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-01-18 13:01:57 +01:00
Samirbous
cb88ad715c
[New Rule] Exchange Mailbox via PowerShell (#2459)
* Create collection_mailbox_export_winlog.toml
* Update collection_mailbox_export_winlog.toml
* Update collection_mailbox_export_winlog.toml
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/windows/collection_mailbox_export_winlog.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-01-11 16:45:20 +00:00
Samirbous
8afda66487
[Rule Tuning] Suspicious WerFault Child Process (#2437)
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
2023-01-11 16:41:57 +00:00
Samirbous
9121a25b02
Update collection_email_powershell_exchange_mailbox.toml (#2457)
2023-01-11 16:29:01 +00:00
Jonhnathan
4124a82496
[Rule Tuning] Exclude SYSTEM user.id from PowerShell Script Block rules (#2449)
* [Rule Tuning] Exclude SYSTEM user.id from PowerShell Script Block rules
* Update privilege_escalation_posh_token_impersonation.toml
* Update privilege_escalation_posh_token_impersonation.toml
* Adjust severity
2023-01-10 09:37:07 -03:00
Jonhnathan
7725e32126
[Security Content] Fix Osquery Markdown Plugin Escaped queries (#2447)
* [Security Content] Fix Osquery Markdown Plugin Escaped queries
* Re-add line
* Update credential_access_credential_dumping_msbuild.toml
* Update command_and_control_common_webservices.toml
2023-01-09 14:45:31 -03:00
Jonhnathan
9981cca275
[Security Content] Investigation Guides Line breaks refactor (#2454)
* [Security Content] Investigation Guides Line breaks refactor (#2412)
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
* Remove changes to deprecated rules
* Update command_and_control_certutil_network_connection.toml
2023-01-09 13:28:10 -03:00
Terrance DeJesus
b1a689b6fd
Revert "[Security Content] Investigation Guides Line breaks refactor (#2412)" (#2453)
This reverts commit d1481e1a88.
2023-01-09 10:44:54 -05:00
Jonhnathan
d1481e1a88
[Security Content] Investigation Guides Line breaks refactor (#2412)
* [Security Content] Investigation Guides Line break refactor
* undo updated_date bump on deprecated rules
* Remove duplicated key
2023-01-09 11:56:39 -03:00
Terrance DeJesus
4312d8c958
[FR] Add Endpoint, APM and Windows Integration Tags to Rules and Supportability (#2429)
* initial commit
* addressing flake errors
* added apm to _get_packagted_integrations logic
* addressed flake errors
* adjusted integration schema and updated rules to be a list
* updated several rules and removed a unit test
* updated rules with logs-* only index patterns
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* addressed flake errors
* integration is none is windows, endpoint or apm
* adding rules with accepted incoming changes from main
* fixed tag and tactic alignment errors from unit testing
* adjusted unit testing logic for integration tags; added more exclusion rules
* adjusted test_integration logic to be rule resistant and skip if -8.3
* adjusted comments for unit test skip
* fixed merge conflicts from main
* changing test_integration_tag to remove logic for rule version comparisons
* added integration tag to new rule
* adjusted rules updated_date value
* ignore guided onboarding rule in unit tests
* added integration tag to new rule
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-01-04 09:30:07 -05:00
Samirbous
46eccea704
[New Rule] Suspicious Module Loaded by LSASS (#2441)
* Create credential_access_lsass_loaded_susp_dll.toml
* Update credential_access_lsass_loaded_susp_dll.toml
* Update rules/windows/credential_access_lsass_loaded_susp_dll.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/credential_access_lsass_loaded_susp_dll.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update rules/windows/credential_access_lsass_loaded_susp_dll.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-01-04 07:56:07 +00:00
Samirbous
3dbb87e46c
Update credential_access_kerberoasting_unusual_process.toml (#2444)
2023-01-04 07:50:04 +00:00
Samirbous
73ebdb64c3
Update privilege_escalation_persistence_phantom_dll.toml (#2443)
2023-01-04 07:46:59 +00:00
Samirbous
7cf14dd515
[Rule Tuning] Parent Process PID Spoofing (#2432)
* Update defense_evasion_parent_process_pid_spoofing.toml
* Update defense_evasion_parent_process_pid_spoofing.toml
* Update defense_evasion_parent_process_pid_spoofing.toml
* Update defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-12-22 14:23:13 +00:00
Samirbous
ae4f671bae
[New Rule] First Time Seen Driver Loaded (#2434)
* Create persistence_driver_newterm_imphash.toml
* Update persistence_driver_newterm_imphash.toml
* Update persistence_driver_newterm_imphash.toml
* Update persistence_driver_newterm_imphash.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-12-22 14:10:33 +00:00
Jonhnathan
9c1bd50a63
[Rule Tuning] Adjust Index Pattern on Windows rules to support WEF (#2438)
* [Rule Tuning] Adjust Index Pattern on Windows rules to support WEF
* s/host.id/winlog.computer_name
2022-12-21 11:30:04 -03:00
Samirbous
2516a4013a
[Rule Tuning] PrivEsc via Print Spool Service (#2431)
* Update privilege_escalation_printspooler_service_suspicious_file.toml
* Update privilege_escalation_printspooler_suspicious_spl_file.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2022-12-21 11:51:26 +00:00
Samirbous
80548b97f4
[Rule Tuning] Access to a Sensitive LDAP Attribute (#2430)
* Update credential_access_ldap_attributes.toml
* Update credential_access_ldap_attributes.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-12-18 20:36:17 +00:00
Terrance DeJesus
ae4e59ec7d
[FR] Update ATT&CK Package to v12.1 (#2422)
* initial update to v12.1 attack package
* added additional click echo output
* addressed flake errors
* updated rules with refreshed att&ck data
* Update detection_rules/devtools.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2022-12-16 12:04:20 -05:00
Jonhnathan
b0085f4304
[Rule Tuning] Temporarily Scheduled Task Creation (#2411)
2022-11-28 09:50:08 -03:00
Jonhnathan
ac01718bb6
[Rule Tuning] Add tags to flag Sysmon-only rules & Modify Investigation Guide-related tag (#2352)
* [Rule Tuning] Add tags to flag Sysmon-only rules
* Modify tags
* Revert "Modify tags"
This reverts commit 3d9267d171a41f727bb499501d71d5c4db4f0434.
* Modify tags
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
* Update test_all_rules.py
2022-11-18 12:32:27 -03:00
Jonhnathan
6055d0db60
[Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides (#2387)
* [Security Content] Introduce Osquery Markdown Plugin Queries in Investigation Guides
* Remove min_stack and add Note
* Fix Typo and prefix
* Update command_and_control_certutil_network_connection.toml
* Add unit test to check Note about Osquery Markdown plugin and Version limitations
* Update test_all_rules.py
* Update test_all_rules.py
* Change Note Verbiage
2022-11-17 18:38:34 -03:00
Jonhnathan
6555bba965
[New Rule] Persistence via PowerShell profile (#2357)
* [New Rule] Persistence via PowerShell profile
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
* Update persistence_powersshell_profiles.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-11-16 08:42:49 -03:00
Jonhnathan
5a762eaf85
[Rule Tuning] NullSessionPipe Registry Modification (#2350)
* [Rule Tuning] NullSessionPipe Registry Modification
* Trying length
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2022-11-16 10:15:18 +00:00
Samirbous
b1ddfb11d4
[New Rule] Windows Services - winlog (#2280)
* [New Rule] Windows Services - winlog
https://github.com/elastic/detection-rules/issues/2164 (T1543.003 - Windows Service)
- remote windows service (4624, 4697)
- suspicious windows service imagepath (7045, 4697): cmd, powershell, etc.
* added winlog.logon.type (keyword)
* Update non-ecs-schema.json
* Update persistence_service_windows_service_winlog.toml
* Update non-ecs-schema.json
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-11-16 10:08:02 +00:00
Samirbous
cbbac02b56
[Rule Tuning] Potential Shadow Credentials added to AD Object (#2359)
limit the query to a suspicious KEYCREDENTIALLINK_BLOB value length of 828 (`DN-Binary data: B:<char count>:<binary value>:<object DN>`), which matches on the add of a keycredential structure using public offensive tooling and avoids FPs (Azure, CredGuard and others).
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2022-11-15 20:01:22 +00:00
Samirbous
b0156181e7
[New Rules] T1134 Access Token Manipulation (#2373)
* [New Rules] T1134 Access Token Manipulation
3 rules (2 compatible only with Elastic endpoint) and 1 generic one using winlogs.
* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
* fix ruleid
* Update privilege_escalation_via_token_theft.toml
* timestamp_override = "event.ingested"
* Update non-ecs-schema.json
* linted
* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
* Update non-ecs-schema.json
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-11-15 19:50:47 +00:00
Samirbous
6233c01c34
Update privilege_escalation_suspicious_dnshostname_update.toml (#2394)
2022-11-15 19:26:41 +00:00
Samirbous
0bf7dd15a5
[New Rules] CredAccess via LDAP Attributes (#2391)
* Create credential_access_ldap_attributes.toml
* Create privilege_escalation_credroaming_ldap.toml
* Update non-ecs-schema.json
* Update privilege_escalation_credroaming_ldap.toml
just deleted the extra 'to'
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2022-11-15 15:55:01 +00:00
Terrance DeJesus
4997f95300
[Rule Tuning] Link Elastic Security Labs content to compatible rules (#2388)
* added elastic security labs URL references
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog.
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml
Is not compatible with Windows blog.
* Update rules/ml/execution_ml_windows_anomalous_script.toml
Is not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog. Reverting updated date.
* Update rules/linux/credential_access_collection_sensitive_files.toml
Not compatible with Windows blog.
* added credential access URL for mimikatz rules
* updated version ml windows anomalous script rule
* removed change to macOS rule since no blog correlation
2022-11-07 15:17:49 -05:00
Isai
25458123dd
Update lateral_movement_mount_hidden_or_webdav_share_net.toml (#2385)
rule tune: update by adding MITRE tactic/technique/subtechnique: Initial Access > Valid Accounts > Local Accounts. Added new tag for new tactic: Initial Access
2022-11-07 12:14:06 -05:00
Samirbous
85e8c0abad
[Rule Tuning] Update User.ID or Registry.Path to include Azure Users SID (#2378)
Azure AD SIDs start with S-1-12-1-* and we have 8 rules that use user.id or registry.path to limit activity to AD/local users, which start with S-1-5-21-*.
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2022-11-01 17:45:39 +00:00