dbfdb7f804
Test deprecated rule modification ( #3727 )
...
(cherry picked from commit f9b3534cdd
2024-06-07 13:57:45 +00:00
4077572a3b
react_sync_rta_updates_3575 ( #3762 )
...
(cherry picked from commit 57095a28b9
2024-06-06 18:45:36 +00:00
886ce70678
[New Rule] Process Capability Set via setcap Utility ( #3744 )
...
* [New Rule] Process Capability Set via setcap Utility
* ++
* Update rules/linux/persistence_process_capability_set_via_setcap.toml
(cherry picked from commit d3e2f70ce2
2024-06-06 10:47:40 +00:00
71394edb86
[Rule Tuning] System Binary Moved or Copied ( #3742 )
...
* [Rule Tuning] System Binary Moved or Copied
* Added reference
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
(cherry picked from commit 8e6114f76c
2024-06-06 10:27:50 +00:00
fb82c0fe1b
[Rule Tuning] Potential Sudo Hijacking ( #3745 )
...
* [Rule Tuning] Potential Sudo Hijacking
* Update rules/linux/privilege_escalation_sudo_hijacking.toml
* Update rules/linux/privilege_escalation_sudo_hijacking.toml
(cherry picked from commit 61ab035f41
2024-06-06 10:02:23 +00:00
1d6361dece
[New Rule] SSH Key Generated via ssh-keygen ( #3731 )
...
* [New Rule] SSH Key Generated via ssh-keygen
* ++
* Update rules/linux/persistence_ssh_key_generation.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 342fde097f
2024-06-06 09:53:51 +00:00
522719cc9e
[New Rule] AWS EC2 Instance Connect SSH Public Key Uploaded ( #3634 )
...
* new rule 'AWS EC2 Instance Connect SSH Public Key Uploaded'
* changed tactic to privilege escalation
* added additional reference
* added investigation guide
* updated summary
* changed risk score to medium; adjusted tags
* fixed mitre mapping
* Update rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 9f67585332
2024-06-05 14:36:53 +00:00
124fdc93a7
[New Rule] AWS Systems Manager SecureString Parameter Request with Decryption Flag ( #3590 )
...
* new rule 'First Occurrence of Resource Accessing AWS Systems Manager SecureString Parameters with Decryption Flag'
* updated rule contents
* added investigation guide; changed new terms to uder.id
* adjusted time window
* adjusted rule name
* updated query, adjusted new terms value
(cherry picked from commit 05ac4e1bd3
2024-06-05 14:26:05 +00:00
9475cf942d
[New Rule] AWS IAM Roles Anywhere Profile Creation and Trusted Anchor with External CA Created ( #3609 )
...
* new rule 'AWS IAM Roles Anywhere Role Creation'
* adjusted rule to focus on Roles Anywhere profile creation
* added rule for roles anywhere trusted anchor; updated rule file naming
* added investigation guide
* added investigation guide
* adjusted rule and file name
* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit c77eb1d915
2024-06-05 14:14:27 +00:00
6ff8f3a75f
[Rule Tuning] Shell Configuration Creation or Modification ( #3732 )
...
* [Rule Tuning] Shell Configuration Creation or Modification
* Incompatible endgame field
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 5f36f3a03e
2024-06-05 08:31:16 +00:00
1b3ccdd1d5
[Rule Tuning] Message-of-the-Day (MOTD) ( #3730 )
...
* [Rule Tuning] Message-of-the-Day (MOTD)
* Update persistence_message_of_the_day_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit e41a57f2ad
2024-06-05 08:21:58 +00:00
2d55e67da7
[Rule Tuning] Systemd Service & Timer ( #3728 )
...
* [Rule Tuning] Systemd Service & Timer
* Update
* Update persistence_systemd_scheduled_timer_created.toml
* Update persistence_systemd_service_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_systemd_service_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit bebf671881
2024-06-05 08:04:19 +00:00
8eea11e6ab
[New Rule & Tuning] (Ana)Cron & At Job Creation ( #3726 )
...
* [New Rule & Tuning] (Ana)Cron & At Job Creation
* Update persistence_at_job_creation.toml
* Update persistence_cron_job_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_at_job_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_cron_job_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 81ee6380ec
2024-06-05 07:56:52 +00:00
06660cb2e1
Refresh MITRE Attack v15.1.0 ( #3725 )
...
(cherry picked from commit e357a2c050
2024-06-04 14:48:18 +00:00
d7db6be0aa
[New Rule] Rapid Secret Retrieval Attempts from AWS SecretsManager ( #3589 )
...
* new rule 'Rapid Secret Retrieval Attempts from AWS SecretsManager'
* updated user identity arn to user.id for cross-service password retrieval
* added investigation guides; bumped dates; adjusted threshold value
* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 59b7e3bde4
2024-06-04 13:23:16 +00:00
b719927d66
[Rule Tuning] Agent Spoofing ( #3729 )
...
(cherry picked from commit 90bb8b53d8
2024-06-03 17:31:40 +00:00
6727460385
updating upload-artifact to version 4 ( #3733 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit f09a640ddf
2024-06-03 16:07:19 +00:00
6924fddf65
[New Rule] AWS Lambda Function Policy Updated To Allow Public Invocation ( #3632 )
...
* new rule 'AWS Lambda Function Policy Updated To Allow Public Invocation'
* updated rule UUID
* added investigation guide
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 0885032b2c
2024-06-03 15:46:31 +00:00
1b586e7485
[New Rule] AWS Lambda Layer Added to Existing Function ( #3631 )
...
* new rule 'AWS Lambda Layer Added to Existing Function'
* updated query logic; added investigation note
(cherry picked from commit 70469b4cdb
2024-06-02 12:44:13 +00:00
e564221d87
[New Rule] Building Block - AWS Lambda Function Created or Updated ( #3610 )
...
* new rule 'AWS Lambda Function Created or Updated'
* added bbr fields
* updated severity
* Update rules_building_block/execution_aws_lambda_function_updated.toml
(cherry picked from commit 2e366741dc
2024-06-01 14:43:27 +00:00
9b487a7ea3
[New Rule] AWS S3 Bucket Policy Added to Share with External Account ( #3603 )
...
* new rule 'AWS S3 Bucket Policy Added to Share with External Account'
* added investigation guide
* Update rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
(cherry picked from commit 7c82e75cf4
2024-06-01 14:34:49 +00:00
032a8c9623
[New Rule] AWS GetCallerIdentity API Called for the First Time ( #3711 )
...
* [New Rule] AWS GetCallerIdentity API Called for the First Time
issue
* Apply suggestions from code review
name change, false positive additions, remove Setup, change new_terms window from 15d to 10d
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
fixed missing closing quotes
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 23ce41d8af
2024-05-31 21:58:11 +00:00
9a92326b0d
Remove unwanted backticks ( #3724 )
...
(cherry picked from commit 418a95205e
2024-05-31 16:19:24 +00:00
444ae196ac
Add exceptions to brute force threshold rule. ( #3712 )
...
High volume, machine generated failures or MFA interruptions have been added to the rule.
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 34294fbe6d
2024-05-30 08:16:09 +00:00
5839b408ca
Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 ( #3716 )
...
(cherry picked from commit 259bab7a5a
2024-05-29 14:21:29 +00:00
5d585ac3d4
Fix nodeenv version dependancy ( #3715 )
...
(cherry picked from commit 9d019dcf26
2024-05-29 13:25:30 +00:00
e1230b6b26
Update rule setup instructions for UEBA packages ( #3652 )
...
* update detection-rules instructions for UEBA packages
---------
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com >
(cherry picked from commit 8b28a515c1
2024-05-28 19:24:45 +00:00
a32759a51f
[New Rule] First Occurrence of AWS Resource Starting SSM Session to EC2 Instance ( #3598 )
...
* new rule 'First Occurrence of AWS Resource Starting SSM Session to EC2 Instance'
* added investigation guide
* changed file name to match tactic
* changed reference
* updated tags
* updated investigation notes
* changed new terms value; adjusted rule name
(cherry picked from commit d5c57463e1
2024-05-28 15:26:33 +00:00
a25d3cd23a
[New Rule] Building Block Rule - Attempt to Retrieve User Data from AWS EC2 Instance ( #3593 )
...
* adding new rule 'Attempt to Retrieve User Data from AWS EC2 Instance'
* Update rules_building_block/discovery_userdata_request_from_ec2_instance.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 3b994c1133
2024-05-28 15:18:12 +00:00
2691273c93
[New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports ( #3599 )
...
* new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports'
* updated rule name
* changed file name; added false-positive note
* changed rule UUID
* adjusted file name
* updated tags
* added investigation guide; updated query logic
* Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* updated query and name
* updated query optimization
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 527f785a60
2024-05-28 14:52:40 +00:00
cfb386285d
[New RTA] Input Capture via Keylog ( #3033 )
...
* [New RTA] Input Capture via Keylog
APIs in scope covered by 2 seperate RTAs :
SetWindowsHookEx (collection_keylog_hook_keystate)
GetAsyncKeyState (collection_keylog_hook_keystate)
RegisterRawInputDevices (collection_keylog_rawinputdevice)
* Update rta/collection_keylog_hook_keystate.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update rta/collection_keylog_rawinputdevice.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit ec609d826a
2024-05-24 10:40:44 +00:00
0295db4b6b
[New Rule & Tunings] Linux Springtail Backdoor ( #3692 )
...
* [New Rules and Tuning] Springtail backdoor
* consistency formatting
* update
* unit testing formatting change
* Update persistence_systemd_service_started.toml
* Update persistence_systemd_service_started.toml
* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
(cherry picked from commit 390629da4e
2024-05-24 08:13:21 +00:00
39782b4295
[FR] Update utility path computation to use pathlib ( #3699 )
...
* update
* Updated to pathlib
* Linting
* Add string cast where needed
* Add additional string conversion as needed
* Str conversions to support eql lib
* Attack typo
* Typo in test script
* Updated for more pathlib
* Linting
* Update to convert string to path object
* Fix typo
(cherry picked from commit f43fbfba0d
2024-05-23 21:39:55 +00:00
f27479ee12
Package Manifest changes to add capabilities ( #3706 )
...
Removed changes from:
- detection_rules/etc/packages.yaml
(selectively cherry picked from commit f73022b900
2024-05-23 20:49:50 +00:00
8975b5de18
Update impact_high_freq_file_renames_by_kernel.toml ( #3707 )
...
(cherry picked from commit 603f3c313a
2024-05-23 17:03:14 +00:00
18fcd83683
Back-porting Version Trimming ( #3704 )
...
(cherry picked from commit 63e91c2f12
2024-05-22 19:18:10 +00:00
bc95221e93
[New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added ( #3591 )
...
* new rule 'AWS S3 Bucket Expiration Lifecycle Configuration Added'
* added investigation guide
* updated query logic
(cherry picked from commit 137b74c3aa
2024-05-20 20:23:52 +00:00
e7959e88b9
[Bug] Fix test_os_and_platform_in_query test and rules ( #3695 )
...
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
(cherry picked from commit ce21acef9c
2024-05-20 15:51:28 +00:00
0ab70f13a4
[Rule Tuning] Add Initial SentinelOne Compatibility to Windows DRs ( #3627 )
...
* [Rule Tuning] Add Initial SentinelOne Compatibility
* updated definitions.py; updated tags; fixed unit tests
* added prerelease versions for s1 integration; updated build CLI commands to allow prerelease; bumped min-stacks
* updating manifests and integrations
* fixing flake errors
* min_stack
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit d023ad66b1
2024-05-20 12:59:37 +00:00
98e0777b34
Update credential_access_suspicious_web_browser_sensitive_file_access.toml ( #3691 )
...
(cherry picked from commit ec27bf8545
2024-05-18 04:38:02 +00:00
6e25eabf71
[FR] Add --force flag to update-lock-versions ( #3693 )
...
* Add --force flag to update-lock-versions
* Add type hinting
(cherry picked from commit 707ca32ab1
2024-05-18 00:33:11 +00:00
0e8cce28e9
[Bug] Support spaces with capital letters ( #3689 )
...
(cherry picked from commit 43b3a4b080
2024-05-17 14:12:47 +00:00
06ef471c39
[FR] Normalize yml ext to yaml ( #3675 )
2024-05-15 17:08:01 -05:00
2d96f10725
[FR] Normalize yml ext to yaml ( #3675 )
...
Removed changes from:
- detection_rules/etc/packages.yml
(selectively cherry picked from commit 79f575b33c
2024-05-15 20:27:01 +00:00
1d7e597662
[Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId ( #3677 )
...
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit f0b226c2b0
2024-05-15 17:20:18 +00:00
ad7a8afb32
[Rule Tuning] Windows Service Installed via an Unusual Client ( #3671 )
...
* [Rule Tuning] Windows Service Installed via an Unusual Client
* Update privilege_escalation_windows_service_via_unusual_client.toml
* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 0eef7f62ff
2024-05-15 13:39:59 +00:00
ed48d9fd57
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12,8.13,8.14 ( #3676 )
...
(cherry picked from commit f3585da503
2024-05-15 11:41:56 +00:00
891da3623d
Prepare For Next Elastic Stack 8.15 ( #3670 )
...
Removed changes from:
- detection_rules/etc/packages.yml
(selectively cherry picked from commit 50a8b52cd5
2024-05-14 19:10:09 +00:00
ca8af123d2
[FR] Add max_signal note, unit test, and rule tuning ( #3669 )
...
(cherry picked from commit f07a9e6fbc
2024-05-14 16:23:18 +00:00
a4b38209b4
[New Rule] Building Block Rule - AWS IAM Login Profile Added to User ( #3633 )
...
* new rule 'AWS IAM Login Profile Added to User'
* Update rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules_building_block/persistence_aws_iam_login_profile_added_to_user.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 608b801088
2024-05-14 15:18:38 +00:00
shashank-elastic