e18c26d9be
[New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot ( #1632 )
...
* [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot
Detects the creation of LSASS clone via event 4688 (Sysmon process creation as well as Elastic endpoint don't capture clone creation due to the way 4688 logs process creation event even before an initial threat starts).
* adding extra ref url
(cherry picked from commit e3b76b7cf7
2021-12-08 10:17:12 +00:00
f393cc35a0
[Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules ( #1620 )
...
* Replaces event.code with event.category
* bump updated_date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 851c566730
2021-12-08 06:33:39 +00:00
5589c47eab
[Rule Tuning] updates from documentation review for 7.16 ( #1645 )
...
(cherry picked from commit 14c46f50b9
2021-12-08 00:44:11 +00:00
6bc87199f0
[Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL ( #1651 )
...
* Update command_and_control_download_rar_powershell_from_internet.toml
* bump updated_date
(cherry picked from commit 7b0383ffe2
2021-12-07 12:10:07 +00:00
6a91e9f91b
Limit index to logs-endpoint.events ( #1647 )
...
(cherry picked from commit f6a2437cf8
2021-12-06 16:46:17 +00:00
89b75b9792
[New Rule] Suspicious Process Creation CallTrace ( #1588 )
...
* [New Rule] Suspicious Process Creation CallTrace
* Update non-ecs-schema.json
* added min stack vers
* min_stack_vers not needed
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit d43e3d8e4e
2021-11-30 20:36:43 +00:00
33030f09fa
[Rule Tuning] Support ECS 1.11 field for IM rule ( #1560 )
...
* Support ecs field for IM rule
* update time interval
* Change additional lookback to 5 minutes
* Add old rule
* Add newline
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Remove im legacy rule
* Udpdate name and description
* Remove min_stack_comment
* Keep 2 IM rule
* add min_stack_comments to rule
* Update rules/cross-platform/threat_intel_indicator_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* adds new rules
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ece Özalp <ozale272@newschool.edu >
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co >
(cherry picked from commit c619844b0d
2021-11-30 18:26:44 +00:00
67f77a3fcb
[New Rule] Azure Kubernetes Rolebindings Created ( #1576 )
...
* Create azure_kubernetes_rolebinding_created_or_deleted.toml
* Update
* Update privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified.toml to privilege_escalation_azure_kubernetes_rolebinding_created.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 521f0987ae
2021-11-29 12:17:03 +00:00
526c4e2678
[New Rule] Clearing Windows Console History ( #1623 )
...
* Create defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* bump severity
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 13fc69b70a
2021-11-25 16:26:25 +00:00
89c49a34b5
[New Rule] Windows Firewall Disabled ( #1565 )
...
* Create defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Rename defense_evasion_windows_firewall_disabled.toml to defense_evasion_windows_firewall_profile_disabled.toml
* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_powershell_windows_firewall_disabled.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Update rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_powershell_windows_firewall_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 2ac19440c2
2021-11-24 21:35:08 +00:00
ac69faedbf
[Rule Tuning] Component Object Model Hijacking ( #1491 )
...
* Update persistence_suspicious_com_hijack_registry.toml
Add HKEY_USERS\*Classes\CLSID\*\LocalServer32\ to exclusions.
* Update updated_date
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit dd3e924e4a
2021-11-24 11:58:44 +00:00
e3adb3e089
[New Rule] Potential Credential Access via Renamed COM+ Services DLL ( #1569 )
...
* [New Rule] Potential Credential Access via Renamed COM+ Services DLL
* update dates
* adding config note
* relinted
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* update minstack version
* minstack not needed, rule should work on previous versions
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit d1636258e4
2021-11-18 09:28:55 +00:00
24ef481853
[New Rule] Account Password Reset Remotely ( #1571 )
...
* [New Rule] Account Password Reset Remotely
* Update non-ecs-schema.json
* udpate ruleId
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 53a17e6b06
2021-11-18 09:27:02 +00:00
03db89e733
[New Rule] Azure Active Directory High Risk User AtRisk or Confirmed ( #1579 )
...
* Create initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 3dd32608a0
2021-11-17 22:39:09 +00:00
c434a5dbb5
[New Rule] PowerShell Keylogging Script ( #1561 )
...
* Create collection_posh_keylogger.toml
* Apply suggestions from Samir
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Fix missing OR
* Change dup guid
* Apply suggestions from Justin
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 4b6794df32
2021-11-17 22:37:50 +00:00
cb85a35e7a
[Rule Tuning] Suspicious CertUtil Commands ( #1564 )
...
(cherry picked from commit ab521f7c4f
2021-11-17 20:42:11 +00:00
791c8f9864
[New Rule] Potential Process Injection via PowerShell ( #1552 )
...
* Create defense_evasion_posh_process_injection.toml
* Update defense_evasion_posh_process_injection.toml
* Update description
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestions from Justin
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 9c54e21820
2021-11-17 10:34:19 +00:00
2f3519d882
[New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot ( #1550 )
...
* [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot
* Update credential_access_suspicious_lsass_access_via_snapshot.toml
* lint
* Update etc/non-ecs-schema.json
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* moved FP txt to Note.
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update etc/non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* fix json
* Update credential_access_suspicious_lsass_access_via_snapshot.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit e99478db00
2021-11-17 07:46:35 +00:00
7d806b4d3c
[New Rule] Potential Credential Access via LSASS Memory Dump ( #1533 )
...
* [New Rule] Potential Credential Access via LSASS Memory Dump
* Update credential_access_suspicious_lsass_access_memdump.toml
* fix typo in calltrace and event.code type
* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update credential_access_suspicious_lsass_access_memdump.toml
* added TargetImage to non ecs schema
* Update non-ecs-schema.json
* format
* Update credential_access_suspicious_lsass_access_memdump.toml
* Update credential_access_suspicious_lsass_access_memdump.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit c18c08a976
2021-11-17 07:37:33 +00:00
77ffac81e2
[New Rule] PowerShell Suspicious Script with Audio Capture Capabilities ( #1582 )
...
(cherry picked from commit 858d1cf12c
2021-11-16 06:20:37 +00:00
ef4fc086ee
Remove 7.15+ rules from 7.14 branch ( #1613 )
...
* Remove 7.15+ rules from 7.14 branch
2021-11-15 14:35:28 -09:00
cb1a765524
[New Rule] Suspicious Process Access via Direct System Call ( #1536 )
...
* [New Rule] Suspicious Process Access via Direct System Call
* updated query to catch also CallTrace with non ntdll modules
* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update defense_evasion_suspicious_process_access_direct_syscall.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
(cherry picked from commit 81a62f5f68
2021-11-15 09:19:40 +00:00
25bfddb291
[Rule Tuning] Rename extrac.exe to extrac32.exe ( #1601 )
...
(cherry picked from commit 017d9a51b7
2021-11-15 02:02:16 +00:00
f656c7bc25
Fix Windows path causing emoji to be rendered in Kibana ( #1585 )
...
In impact_hosts_file_modified rule, the `note` field contains a Windows
path that causes a confused-face-emoji to be rendered in the
Investigation Guide tab.
Surrounding the path in backticks fixes it.
(cherry picked from commit aa219710a1
2021-11-03 16:02:33 +00:00
2c197b57fb
Change interval and lookback time for IM rule ( #1596 )
...
(cherry picked from commit f47b0f61cc
2021-11-01 08:28:42 +00:00
365c2a73f2
[Rule Tuning] Hosts File Modified - add process check for linux ( #1593 )
...
* [Rule Tuning] Hosts File Modified - add process check for linux
* add echo and sed to process names in query
(cherry picked from commit ff16832003
2021-10-29 03:57:38 +00:00
cb3d90040e
[Bug] Tighten definitions validation patterns ( #1396 )
...
* [Bug] Anchor validation patterns
* Deprecate rule with invalid rule_id and duplicate as new one
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
(cherry picked from commit ab17dfcc28
2021-10-26 15:27:32 +00:00
cd3cef5996
[Rule Tuning] Added Powershell_ise.exe to some rules. ( #1566 )
...
* Update collection_email_powershell_exchange_mailbox.toml
* Update command_and_control_remote_file_copy_powershell.toml
* Update defense_evasion_disabling_windows_defender_powershell.toml
* Update execution_scheduled_task_powershell_source.toml
* Update execution_via_compiled_html_file.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update persistence_powershell_exch_mailbox_activesync_add_device.toml
* Update persistence_webshell_detection.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_suspicious_zoom_child_process.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update persistence_local_scheduled_task_scripting.toml
* Update persistence_local_scheduled_task_creation.toml
* Update persistence_system_shells_via_services.toml
* Update collection_email_powershell_exchange_mailbox.toml
* Update command_and_control_remote_file_copy_powershell.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update defense_evasion_disabling_windows_defender_powershell.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_suspicious_zoom_child_process.toml
* Update execution_scheduled_task_powershell_source.toml
* Update execution_via_compiled_html_file.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update persistence_local_scheduled_task_creation.toml
* Update persistence_local_scheduled_task_scripting.toml
* Update persistence_powershell_exch_mailbox_activesync_add_device.toml
* Update persistence_system_shells_via_services.toml
* Update persistence_webshell_detection.toml
* Update rules/windows/persistence_local_scheduled_task_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit ef7548f04c
2021-10-26 15:17:37 +00:00
fa4bec7b9a
[New Rule] PowerShell MiniDump Script ( #1528 )
...
* PowerShell MiniDump Script Initial Rule
* Update credential_access_posh_minidump.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update credential_access_posh_minidump.toml
* Update rules/windows/credential_access_posh_minidump.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 239384497f
2021-10-26 15:10:20 +00:00
5ca067e3e3
Add missing Integration field ( #1537 )
...
* Add missing Integration field
* Bump updated_date
* Add test for integration<->path
* Fix rule folder
* bump updated date in rule
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
(cherry picked from commit 4524c175c8
2021-10-26 15:06:32 +00:00
ba09596949
[New Rule] AWS Route Table Created ( #1257 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create persistence_route_table_created.toml
* Update persistence_route_table_created.toml
* Update rules/persistence_route_table_created.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Update persistence_route_table_created.toml
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update persistence_route_table_created.toml
* Update
* Update
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 89553d84a9
2021-10-26 13:26:56 +00:00
e81362e6ec
Add test for improper rule demotion (released production -> development) ( #1555 )
...
(cherry picked from commit 5a69ceb0c5
2021-10-20 05:48:26 +00:00
a28bb7961a
Add min_stack_comments to metadata schema ( #1573 )
...
* Add min_stack_comments to metadata schema
(cherry picked from commit 5bdf70e72c
2021-10-20 04:53:52 +00:00
27da0d6ed7
[New Rule] Suspicious Portable Executable Encoded in Powershell Script ( #1562 )
...
* Create execution_posh_portable_executable.toml
* Add wildcard
* Remove the wildcard
* Update rules/windows/execution_posh_portable_executable.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit f50fb1d61b
2021-10-18 20:51:12 +00:00
db54ea7467
[New Rule] AWS EventBridge Rule Disabled or Deleted ( #1572 )
...
* Create aws_eventbridge_rule_disabled_or_deleted.toml
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update aws_eventbridge_rule_disabled_or_deleted.toml
* Rename aws_eventbridge_rule_disabled_or_deleted.toml to impact_aws_eventbridge_rule_disabled_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 3ab67d1562
2021-10-18 18:37:29 +00:00
b1e60b6c45
[New Rule] DNS-over-HTTPS Enabled by Registry ( #1379 )
...
* Create defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update defense_evasion_dns_over_https_enabled.toml
* Update rules/windows/defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update defense_evasion_dns_over_https_enabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
(cherry picked from commit cf2b3ee753
2021-10-16 02:26:11 +00:00
66f447cfff
[New Rule] AWS EFS File System or Mount Deleted ( #1462 )
...
* AWS EFS File System or Mount Deleted
* Update impact_efs_filesystem_or_mount_deleted.toml
* Update rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update impact_efs_filesystem_or_mount_deleted.toml
* Update impact_efs_filesystem_or_mount_deleted.toml
* Update impact_efs_filesystem_or_mount_deleted.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 2c39bb962f
2021-10-16 02:24:00 +00:00
1771e33876
[New Rule] AWS Suspicious SAML Activity ( #1498 )
...
* Create privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Update privilege_escalation_aws_suspicious_saml_activity.toml
* Add trailing /
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 702524b1f7
2021-10-16 02:12:06 +00:00
b090e60bd6
[New Rule] Azure Full Network Packet Capture Detected ( #1420 )
...
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Delete defense_evasion_virtual_network_device_modified.toml
* Create exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Update exfiltration_azure_full_network_packet_capture_detected.toml
* Rename exfiltration_azure_full_network_packet_capture_detected.toml to credential_access_azure_full_network_packet_capture_detected.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 50501bb40f
2021-10-16 02:07:22 +00:00
69dbb5f655
[New Rule] Azure Virtual Network Device Modified or Deleted ( #1421 )
...
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Delete defense_evasion_virtual_network_device_modified.toml
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_virtual_network_device_modified.toml
* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Rename defense_evasion_virtual_network_device_modified.toml to impact_virtual_network_device_modified.toml
* fix description
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 790586fb57
2021-10-15 19:12:07 +00:00
af3571ea6e
[New Rule] Azure Kubernetes Pods Deleted ( #1309 )
...
* Create impact_kubernetes_pod_deleted.toml
* Update impact_kubernetes_pod_deleted.toml
* Update
* Update impact_kubernetes_pod_deleted.toml
* quote value in query
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 761df5fe84
2021-10-15 19:08:48 +00:00
ecc65a28bc
[New Rule] AWS RDS Snapshot Restored ( #1312 )
...
* Create exfiltration_rds_snapshot_restored.toml
* Update exfiltration_rds_snapshot_restored.toml
* Delete exfiltration_rds_snapshot_restored.toml
* Create exfiltration_rds_snapshot_restored.toml
* Update
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update exfiltration_rds_snapshot_restored.toml
* Update exfiltration_rds_snapshot_restored.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit dc980effb0
2021-10-15 19:06:07 +00:00
8c2c6ea6ec
[New Rule] Microsoft 365 - Mass download by a single user ( #1348 )
...
* Create impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update impact_microsoft_365_mass_download_by_a_single_user.toml
* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 3303a4e255
2021-10-15 19:02:52 +00:00
9021db6188
[New Rule] AWS Route53 hosted zone associated with a VPC ( #1365 )
...
* Create persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 90504915ad
2021-10-15 19:01:20 +00:00
25733e1d67
[New Rule] AWS STS AssumeRole Usage ( #1214 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create lateral_movement_sts_assumerole_abuse.toml
* Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update privilege_escalation_sts_assumerole_abuse.toml
* Update and rename privilege_escalation_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_usage.toml
* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Add note field
* Update privilege_escalation_sts_assumerole_usage.toml
* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Adding Reference
* Expand STS
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit d7eab5bbf3
2021-10-15 18:57:13 +00:00
8bb2d27451
[New Rule] GCP Kubernetes Rolebindings Created or Patched ( #1267 )
...
* Update impact_iam_deactivate_mfa_device.toml
https://github.com/elastic/detection-rules/issues/1111
* Update impact_iam_deactivate_mfa_device.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
"*ipapi.co",
"*ip-lookup.net",
"*ipstack.com"
* Update rules/aws/impact_iam_deactivate_mfa_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"
This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.
* Update
* New Rule: Okta User Attempted Unauthorized Access
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml
* Create persistence_new-or-modified-federation-domain.toml
* Delete persistence_new-or-modified-federation-domain.toml
* Create credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update
* Update .gitignore
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/gcp/credential_access_gcp_kubernetes_rolebindings_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update credential_access_gcp_kubernetes_rolebindings_creation.toml
* Update and rename credential_access_gcp_kubernetes_rolebindings_creation.toml to credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml
* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml
* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml
* Rename credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml to privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
* remove space from query
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 27ba204f1c
2021-10-15 18:43:23 +00:00
8f55556006
[New Rule] Azure Blob Permissions Modification ( #1499 )
...
* Create defense_evasion_azure_blob_permissions_modified.toml
* Update defense_evasion_azure_blob_permissions_modified.toml
* Update defense_evasion_azure_blob_permissions_modified.toml
* Update description and query (spacing)
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 7123d46623
2021-10-14 10:00:28 +00:00
358585b2c1
[New Rule] Azure Kubernetes Events Deleted ( #1307 )
...
* Create defense_evasion_kubernetes_events_deleted.toml
* Update defense_evasion_kubernetes_events_deleted.toml
* Update defense_evasion_kubernetes_events_deleted.toml
* Update
* Update defense_evasion_kubernetes_events_deleted.toml
* Update defense_evasion_kubernetes_events_deleted.toml
* Update defense_evasion_kubernetes_events_deleted.toml
* Update rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Add quotes to azure query field
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 3d15c2072d
2021-10-14 09:58:32 +00:00
fe36864c77
[New Rule] PowerShell Suspicious Discovery Related Windows API Functions ( #1548 )
...
* PowerShell Suspicious Discovery Related Windows API Functions Initial Rule
* Update severity
* Lint
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit b7dcbbae72
2021-10-14 09:55:50 +00:00
8964e5d646
[Rule Tuning] Update network.direction ( #1547 )
...
* Update network.direction
* bump updated_date
(cherry picked from commit cc241c0b5e
2021-10-14 00:47:33 +00:00
Samirbous