886ce70678
[New Rule] Process Capability Set via setcap Utility ( #3744 )
...
* [New Rule] Process Capability Set via setcap Utility
* ++
* Update rules/linux/persistence_process_capability_set_via_setcap.toml
(cherry picked from commit d3e2f70ce2
2024-06-06 10:47:40 +00:00
71394edb86
[Rule Tuning] System Binary Moved or Copied ( #3742 )
...
* [Rule Tuning] System Binary Moved or Copied
* Added reference
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
(cherry picked from commit 8e6114f76c
2024-06-06 10:27:50 +00:00
fb82c0fe1b
[Rule Tuning] Potential Sudo Hijacking ( #3745 )
...
* [Rule Tuning] Potential Sudo Hijacking
* Update rules/linux/privilege_escalation_sudo_hijacking.toml
* Update rules/linux/privilege_escalation_sudo_hijacking.toml
(cherry picked from commit 61ab035f41
2024-06-06 10:02:23 +00:00
1d6361dece
[New Rule] SSH Key Generated via ssh-keygen ( #3731 )
...
* [New Rule] SSH Key Generated via ssh-keygen
* ++
* Update rules/linux/persistence_ssh_key_generation.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 342fde097f
2024-06-06 09:53:51 +00:00
522719cc9e
[New Rule] AWS EC2 Instance Connect SSH Public Key Uploaded ( #3634 )
...
* new rule 'AWS EC2 Instance Connect SSH Public Key Uploaded'
* changed tactic to privilege escalation
* added additional reference
* added investigation guide
* updated summary
* changed risk score to medium; adjusted tags
* fixed mitre mapping
* Update rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 9f67585332
2024-06-05 14:36:53 +00:00
124fdc93a7
[New Rule] AWS Systems Manager SecureString Parameter Request with Decryption Flag ( #3590 )
...
* new rule 'First Occurrence of Resource Accessing AWS Systems Manager SecureString Parameters with Decryption Flag'
* updated rule contents
* added investigation guide; changed new terms to uder.id
* adjusted time window
* adjusted rule name
* updated query, adjusted new terms value
(cherry picked from commit 05ac4e1bd3
2024-06-05 14:26:05 +00:00
9475cf942d
[New Rule] AWS IAM Roles Anywhere Profile Creation and Trusted Anchor with External CA Created ( #3609 )
...
* new rule 'AWS IAM Roles Anywhere Role Creation'
* adjusted rule to focus on Roles Anywhere profile creation
* added rule for roles anywhere trusted anchor; updated rule file naming
* added investigation guide
* added investigation guide
* adjusted rule and file name
* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit c77eb1d915
2024-06-05 14:14:27 +00:00
6ff8f3a75f
[Rule Tuning] Shell Configuration Creation or Modification ( #3732 )
...
* [Rule Tuning] Shell Configuration Creation or Modification
* Incompatible endgame field
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 5f36f3a03e
2024-06-05 08:31:16 +00:00
1b3ccdd1d5
[Rule Tuning] Message-of-the-Day (MOTD) ( #3730 )
...
* [Rule Tuning] Message-of-the-Day (MOTD)
* Update persistence_message_of_the_day_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit e41a57f2ad
2024-06-05 08:21:58 +00:00
2d55e67da7
[Rule Tuning] Systemd Service & Timer ( #3728 )
...
* [Rule Tuning] Systemd Service & Timer
* Update
* Update persistence_systemd_scheduled_timer_created.toml
* Update persistence_systemd_service_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_systemd_service_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit bebf671881
2024-06-05 08:04:19 +00:00
8eea11e6ab
[New Rule & Tuning] (Ana)Cron & At Job Creation ( #3726 )
...
* [New Rule & Tuning] (Ana)Cron & At Job Creation
* Update persistence_at_job_creation.toml
* Update persistence_cron_job_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_at_job_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_cron_job_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 81ee6380ec
2024-06-05 07:56:52 +00:00
06660cb2e1
Refresh MITRE Attack v15.1.0 ( #3725 )
...
(cherry picked from commit e357a2c050
2024-06-04 14:48:18 +00:00
d7db6be0aa
[New Rule] Rapid Secret Retrieval Attempts from AWS SecretsManager ( #3589 )
...
* new rule 'Rapid Secret Retrieval Attempts from AWS SecretsManager'
* updated user identity arn to user.id for cross-service password retrieval
* added investigation guides; bumped dates; adjusted threshold value
* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 59b7e3bde4
2024-06-04 13:23:16 +00:00
b719927d66
[Rule Tuning] Agent Spoofing ( #3729 )
...
(cherry picked from commit 90bb8b53d8
2024-06-03 17:31:40 +00:00
6924fddf65
[New Rule] AWS Lambda Function Policy Updated To Allow Public Invocation ( #3632 )
...
* new rule 'AWS Lambda Function Policy Updated To Allow Public Invocation'
* updated rule UUID
* added investigation guide
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 0885032b2c
2024-06-03 15:46:31 +00:00
1b586e7485
[New Rule] AWS Lambda Layer Added to Existing Function ( #3631 )
...
* new rule 'AWS Lambda Layer Added to Existing Function'
* updated query logic; added investigation note
(cherry picked from commit 70469b4cdb
2024-06-02 12:44:13 +00:00
9b487a7ea3
[New Rule] AWS S3 Bucket Policy Added to Share with External Account ( #3603 )
...
* new rule 'AWS S3 Bucket Policy Added to Share with External Account'
* added investigation guide
* Update rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
(cherry picked from commit 7c82e75cf4
2024-06-01 14:34:49 +00:00
032a8c9623
[New Rule] AWS GetCallerIdentity API Called for the First Time ( #3711 )
...
* [New Rule] AWS GetCallerIdentity API Called for the First Time
issue
* Apply suggestions from code review
name change, false positive additions, remove Setup, change new_terms window from 15d to 10d
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
fixed missing closing quotes
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 23ce41d8af
2024-05-31 21:58:11 +00:00
9a92326b0d
Remove unwanted backticks ( #3724 )
...
(cherry picked from commit 418a95205e
2024-05-31 16:19:24 +00:00
444ae196ac
Add exceptions to brute force threshold rule. ( #3712 )
...
High volume, machine generated failures or MFA interruptions have been added to the rule.
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 34294fbe6d
2024-05-30 08:16:09 +00:00
e1230b6b26
Update rule setup instructions for UEBA packages ( #3652 )
...
* update detection-rules instructions for UEBA packages
---------
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com >
(cherry picked from commit 8b28a515c1
2024-05-28 19:24:45 +00:00
a32759a51f
[New Rule] First Occurrence of AWS Resource Starting SSM Session to EC2 Instance ( #3598 )
...
* new rule 'First Occurrence of AWS Resource Starting SSM Session to EC2 Instance'
* added investigation guide
* changed file name to match tactic
* changed reference
* updated tags
* updated investigation notes
* changed new terms value; adjusted rule name
(cherry picked from commit d5c57463e1
2024-05-28 15:26:33 +00:00
2691273c93
[New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports ( #3599 )
...
* new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports'
* updated rule name
* changed file name; added false-positive note
* changed rule UUID
* adjusted file name
* updated tags
* added investigation guide; updated query logic
* Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* updated query and name
* updated query optimization
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
(cherry picked from commit 527f785a60
2024-05-28 14:52:40 +00:00
0295db4b6b
[New Rule & Tunings] Linux Springtail Backdoor ( #3692 )
...
* [New Rules and Tuning] Springtail backdoor
* consistency formatting
* update
* unit testing formatting change
* Update persistence_systemd_service_started.toml
* Update persistence_systemd_service_started.toml
* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
(cherry picked from commit 390629da4e
2024-05-24 08:13:21 +00:00
8975b5de18
Update impact_high_freq_file_renames_by_kernel.toml ( #3707 )
...
(cherry picked from commit 603f3c313a
2024-05-23 17:03:14 +00:00
18fcd83683
Back-porting Version Trimming ( #3704 )
...
(cherry picked from commit 63e91c2f12
2024-05-22 19:18:10 +00:00
bc95221e93
[New Rule] AWS S3 Bucket Expiration Lifecycle Configuration Added ( #3591 )
...
* new rule 'AWS S3 Bucket Expiration Lifecycle Configuration Added'
* added investigation guide
* updated query logic
(cherry picked from commit 137b74c3aa
2024-05-20 20:23:52 +00:00
e7959e88b9
[Bug] Fix test_os_and_platform_in_query test and rules ( #3695 )
...
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
(cherry picked from commit ce21acef9c
2024-05-20 15:51:28 +00:00
0ab70f13a4
[Rule Tuning] Add Initial SentinelOne Compatibility to Windows DRs ( #3627 )
...
* [Rule Tuning] Add Initial SentinelOne Compatibility
* updated definitions.py; updated tags; fixed unit tests
* added prerelease versions for s1 integration; updated build CLI commands to allow prerelease; bumped min-stacks
* updating manifests and integrations
* fixing flake errors
* min_stack
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit d023ad66b1
2024-05-20 12:59:37 +00:00
98e0777b34
Update credential_access_suspicious_web_browser_sensitive_file_access.toml ( #3691 )
...
(cherry picked from commit ec27bf8545
2024-05-18 04:38:02 +00:00
1d7e597662
[Tuning] Suspicious Microsoft 365 Mail Access by ClientAppId ( #3677 )
...
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit f0b226c2b0
2024-05-15 17:20:18 +00:00
ad7a8afb32
[Rule Tuning] Windows Service Installed via an Unusual Client ( #3671 )
...
* [Rule Tuning] Windows Service Installed via an Unusual Client
* Update privilege_escalation_windows_service_via_unusual_client.toml
* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 0eef7f62ff
2024-05-15 13:39:59 +00:00
ca8af123d2
[FR] Add max_signal note, unit test, and rule tuning ( #3669 )
...
(cherry picked from commit f07a9e6fbc
2024-05-14 16:23:18 +00:00
9dceb36a7e
[New Rule] Route53 Resolver Query Log Configuration Deleted ( #3592 )
...
* new rule 'Route53 Resolver Query Log Configuration Deleted'
* added investigation guide
* adjusted investigation notes
* Update rules/integrations/aws/defense_evasion_route53_dns_query_resolver_config_deletion.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 2375297879
2024-05-14 14:32:44 +00:00
cbac37db59
[New] Unusual Execution via Microsoft Common Console File ( #3663 )
...
* [New] Unusual Execution via Microsoft Common Console File
https://www.genians.co.kr/blog/threat_intelligence/facebook
* Update rules/windows/execution_initial_access_via_msc_file.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/execution_initial_access_via_msc_file.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/execution_initial_access_via_msc_file.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update execution_initial_access_via_msc_file.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit a1ef8c9fc0
2024-05-14 14:16:02 +00:00
95fd920afe
[New] Potential File Download via a Headless Browser ( #3660 )
...
* [New] Potential File Download via a Headless Browser
* Update command_and_control_headless_browser.toml
* Update command_and_control_headless_browser.toml
* Update command_and_control_common_webservices.toml
* Update command_and_control_headless_browser.toml
* Update command_and_control_headless_browser.toml
(cherry picked from commit 83462a3087
2024-05-14 13:04:35 +00:00
f918f091c3
[New Rule] AWS EC2 AMI Shared with Another Account ( #3600 )
...
* new rule 'AWS EC2 AMI Shared with Another Account'
* linted; updated UUID
* added investigation guide
* updated description
* fixed spelling errors
* Update rules/integrations/aws/exfiltration_ec2_ami_shared_with_separate_account.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* fixed spacing issue
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit d505b95f3c
2024-05-14 06:04:20 +00:00
727e7ada2e
[New Rule] First Occurrence of User Identity Retrieving Credentials from EC2 Instance with an Assumed Role ( #3586 )
...
* new rule 'First Occurrence of User Identity Sending Requests to EC2 Instance'
* updated description and name
* added investigation guide; adjusted description
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* updated query logic
* fixed spacing issue
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
* Update rules/integrations/aws/credential_access_aws_getpassword_for_ec2_instance.toml
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 38e0f13e23
2024-05-14 03:15:43 +00:00
2f88a93d62
[New Rule] Alternate Data Stream Creation at Volume Root Directory ( #3517 )
...
* [New Rule] Alternate Data Stream Creation at Volume Root Directory
* Update defense_evasion_root_dir_ads_creation.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 6150f222b2
2024-05-13 11:42:34 +00:00
c915b9959d
[Tuning] MacOS Comprehensive Detection Rule Tuning ( #3435 )
...
* Update to use new data source
* Exclude FPs
* Update logic
* Exclude FPs
* Update to match ER logic
* Exclude FP
* Update to match endpoint rule and reduce FPs
* Update logic to reduce FPs
* Update logic to reduce FPs
* Exclude FPs
* Update logic to remove FPs
* Update logic to reduce FPs
* Update logic and min stack version to reduce FPs
* Exclude FP
* Remove FPs
* Update logic and min stack to reduce FPs
* Exclude FPs
* Update logic and min stack to exclude FPs
* Update logic and min stack to exclude FPs
* Update logic to be more efficient
* Update logic
* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml
* Update rules/macos/defense_evasion_modify_environment_launchctl.toml
* Update rules/macos/persistence_docker_shortcuts_plist_modification.toml
* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml
* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
* Update persistence_folder_action_scripts_runtime.toml
* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update rules/macos/execution_installer_package_spawned_network_event.toml
* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
* Update rules/macos/credential_access_credentials_keychains.toml
* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
* Update rules/macos/persistence_loginwindow_plist_modification.toml
* Update rules/macos/persistence_folder_action_scripts_runtime.toml
* Fix
* Fix
* Fix
* Update min stack comments
* Update rules/macos/persistence_credential_access_authorization_plugin_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml
* Update rules/macos/credential_access_suspicious_web_browser_sensitive_file_access.toml
* Update rules/macos/credential_access_systemkey_dumping.toml
* Update rules/macos/discovery_users_domain_built_in_commands.toml
* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml
* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml
* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml
* Update rules/macos/persistence_folder_action_scripts_runtime.toml
* Remove field
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 1fb58e1b61
2024-05-11 17:59:28 +00:00
2e270cf78c
[New Rule] Potential PowerShell HackTool Script by Author ( #2472 )
...
* [New Rule] Potential PowerShell HackTool Script by Author
* Update execution_posh_hacktool_authors.toml
* Update execution_posh_hacktool_authors.toml
* Update execution_posh_hacktool_authors.toml
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update execution_posh_hacktool_authors.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update execution_posh_hacktool_authors.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit f85d7482fd
2024-05-09 16:08:45 +00:00
ae6bb88edb
[Tuning] Component Object Model Hijacking ( #3655 )
...
* [Tuning] Component Object Model Hijacking
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
* Update persistence_suspicious_com_hijack_registry.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 7a61070e08
2024-05-08 16:52:11 +00:00
4bbb8c2642
[New] Ransomware over SMB ( #3638 )
...
* [New] Ransomware over SMB
* Update impact_ransomware_note_file_over_smb.toml
* Update impact_ransomware_file_rename_smb.toml
* ++
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_high_freq_file_renames_by_kernel.toml
* Update impact_ransomware_file_rename_smb.toml
* Update impact_ransomware_note_file_over_smb.toml
* Update impact_high_freq_file_renames_by_kernel.toml
(cherry picked from commit 4a2e2764cd
2024-05-07 05:46:07 +00:00
d3faf0d0d6
[New Rule] Shell Configuration Modification ( #3629 )
...
* [New Rule] Shell Configuration Modification
* description update
* uuid update
* query update
* query update
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit e29994c338
2024-04-30 11:48:38 +00:00
f7215a7ced
[Rule Tuning] Linux DRs ( #3628 )
...
(cherry picked from commit 115c3a6dfd
2024-04-30 11:33:56 +00:00
55a17e12db
[New] Potential privilege escalation via CVE-2022-38028 ( #3616 )
...
* [New] Potential privilege escalation via CVE-2022-38028
https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
* Update privilege_escalation_exploit_cve_202238028.toml
* Update privilege_escalation_exploit_cve_202238028.toml
* Update privilege_escalation_exploit_cve_202238028.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 8f6de1c235
2024-04-29 14:18:06 +00:00
868ab80c63
Fix minstack version for 0365 in azure integration rules ( #3612 )
...
(cherry picked from commit 7673ba484d
2024-04-22 13:55:15 +00:00
bda38d6f27
updating performance note ( #3608 )
...
(cherry picked from commit 69d42ecc71
2024-04-18 20:43:50 +00:00
fea73c9686
[New Rule] Potential Windows Session Hijacking via CcmExec ( #3602 )
...
* [New Rule] Potential Windows Session Hijacking via CcmExec
* Update rules/windows/defense_evasion_sccm_scnotification_dll.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 6ae0902a38
2024-04-18 16:05:03 +00:00
4562d694b0
[Rule Tuning] Further Tight up Elastic Defend Index Patterns ( #3584 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 5004ff115c
2024-04-16 16:34:23 +00:00
Ruben Groenewoud