e22f60f44c
[Tuning] AWS IAM Create User via Assumed Role on EC2 Instance ( #5063 )
...
- query change : I chose to replace `aws.cloudtrail.user_identity.arn` with `user.id` and a more accurate wildcard pattern. This will reduce the chances of this rule triggering for role sessions outside of those started by EC2 instances. The wildcard pattern looks for a role session name that starts with `i-` this is because when an EC2 instance operates using it's attached Role (instance profile), the session name attached to that role name is the instance id (`i-......`). The `user.id` field appends this session name to the role name via a standard pattern `:[session_name]`, making it a more reliable field to use in this case.
- small edits to description and IG
- reduced execution window
- reduced history window
- edited highlighted fields
Note: the new_terms field here remains `aws.cloudtrail.user_identity.arn` because we are only interested in assumed roles, and even more particular, only those used by an EC2 instance. This means we want to evaluate each individual instance's behavior rather than the broader behavior of the role itself. The arn field will capture each instance id (session name) alongside the role itself.
2025-09-11 15:11:40 -04:00
e60c345656
Bootstrap repository ( #5085 )
2025-09-11 13:24:59 -05:00
f0f7d217c0
[FR] Refactor Schema Validation & Support Multi-Dataset Sequence Validation ( #5059 )
2025-09-10 13:11:04 -05:00
25539fd6c6
Delete Development Rules ( #5084 )
2025-09-10 23:24:28 +05:30
6adee51410
Fix Ruff failures ( #5083 )
2025-09-10 22:24:07 +05:30
822f649715
Fix updated_date for tunings as part of #5079 ( #5081 )
2025-09-10 22:05:36 +05:30
a6dfd2c0e1
Add test_min_stack_version_supported testcase ( #5077 )
2025-09-10 20:12:36 +05:30
c6406e97c2
Tune Rules that have unsupported versions in min_stack_version ( #5079 )
2025-09-10 19:43:28 +05:30
392e0253c3
[Rule Tuning] Beats & Endgame Indices ( #5072 )
2025-09-09 13:19:13 -05:00
35b000b7ab
[FR] Add negate DOES NOT MATCH capability to IM rule type (>=9.2) ( #5041 )
2025-09-09 10:58:53 -05:00
0f0f16bdee
[Rule Tuning] D-Bus Service Created ( #5076 )
2025-09-09 15:33:58 +02:00
375082729a
[Rule Tuning] Adjust process.code_signature.trusted condition ( #5067 )
...
* [Rule Tuning] Adjust process.code_signature.trusted condition
* typo
2025-09-08 08:42:17 -07:00
6ac71050dc
[Rule Tuning] Remote File Download via PowerShell ( #5062 )
...
* [Rule Tuning] Remote File Download via PowerShell
* Update command_and_control_remote_file_copy_powershell.toml
* Update rules/windows/command_and_control_remote_file_copy_powershell.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update command_and_control_remote_file_copy_powershell.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2025-09-08 07:59:53 -07:00
4aa6c4e715
[Rule Tuning] Untrusted Driver Loaded ( #5061 )
...
* [Rule Tuning] Untrusted Driver Loaded
* Update defense_evasion_untrusted_driver_loaded.toml
2025-09-05 06:12:30 -07:00
9ee15a13b0
[Rule Tuning] Connection to Commonly Abused Web Services ( #5060 )
...
* [Rule Tuning] Connection to Commonly Abused Web Services
* Update command_and_control_common_webservices.toml
2025-09-04 11:58:13 -07:00
cbb892b4bc
[Bug] Incorrect Integrations Schema Parsing for Nested Fields ( #5058 )
...
* Add proper handling for nested fields
* Updated schemas
* bump patch
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2025-09-04 14:12:33 -04:00
3c1de72f6b
[FR] Add support for 5 group_by fields in threshold rules (>=9.2) ( #5040 )
2025-09-04 09:24:36 -05:00
b4db783413
Tune a Tag discrepency in rule ( #5053 )
2025-09-02 21:12:06 +05:30
0bbad3bbf8
Update defense_evasion_modify_ownership_os_files.toml ( #5051 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-09-02 08:18:35 -07:00
ef7ff52119
[Rule Tuning] Misc. Linux ES|QL Rules ( #5050 )
...
* [Rule Tuning] Misc. Linux ES|QL Rules
* update date bump
* ++
* Update persistence_web_server_sus_child_spawned.toml
* Update working directory conditions in TOML file
2025-09-02 13:49:22 +02:00
f2291e0261
Lock versions for releases: 8.18,8.19,9.0,9.1 ( #5049 )
2025-09-01 23:19:12 +05:30
8d2ea9220b
[New Rules] Potential Relay Attack against a Computer Account ( #4826 )
...
* [New Rules] Potential Relay Attack against a Computer Account Rules
* update description
* .
* add min_stack
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
2025-09-01 10:07:37 -07:00
464fb3951e
[Tuning] Unusual Network Activity from a Windows System Binary ( #5048 )
2025-09-01 22:17:53 +05:30
a31b3a36ad
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10 ( #5025 )
...
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 10
* Update rules/windows/execution_shared_modules_local_sxs_dll.toml
* pending adjustments
* Update execution_windows_cmd_shell_susp_args.toml
2025-09-01 09:30:21 -07:00
a62ee7a8a2
[New] Active Directory Discovery using AdExplorer ( #5047 )
...
* [New] Active Directory Discovery using AdExplorer
* Update discovery_ad_explorer_execution.toml
* Update rules/windows/discovery_ad_explorer_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_ad_explorer_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2025-09-01 16:58:22 +01:00
40794368a7
[New] Connection to Common Large Language Model Endpoints ( #5044 )
...
* [New] Connection to Common Large Language Model Endpoints
* [New] Connection to Common Large Language Model Endpoints
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update command_and_control_common_llm_endpoint.toml
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_common_llm_endpoint.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2025-09-01 16:47:31 +01:00
ba354ceff9
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 16 ( #5038 )
2025-09-01 08:25:52 -07:00
93ac471574
Monthly Schema Updates ( #5046 )
2025-09-01 20:42:42 +05:30
61af3e801d
[New] Potential System Tampering via File Modification ( #5043 )
...
* [New] Potential System Tampering via File Modification
* Update impact_mod_critical_os_files.toml
* Update rules/windows/impact_mod_critical_os_files.toml
* Create defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
* Update defense_evasion_modify_ownership_os_files.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-09-01 15:52:26 +01:00
e1205cb5c5
[New/Tuning] Windows Rules to detect top threats/TTPs 24/25 ( #5001 )
...
* [New/Tuning] Windows Top Threats 2024/2025
1) MSHTA:
- tuning to exclude FPs
- new rule `Remote Script via Microsoft HTML Application` compatible with 3d party EDR/sysmon/system/winlog integration and that does not require correlation or multiple type of events.
2) MSIEXEC:
* Update defense_evasion_mshta_susp_child.toml
* Update defense_evasion_script_via_html_app.toml
* Update defense_evasion_mshta_susp_child.toml
* Create defense_evasion_msiexec_remote_payload.toml
* Update defense_evasion_msiexec_remote_payload.toml
* ++
* Create execution_scripting_remote_webdav.toml
* Create execution_windows_fakecaptcha_cmd_ps.toml
* Create command_and_control_rmm_netsupport_susp_path.toml
* Update command_and_control_rmm_netsupport_susp_path.toml
* ++
* Update execution_jscript_fake_updates.toml
* Create command_and_control_dns_susp_tld.toml
* ++
* Create command_and_control_remcos_rat_iocs.toml
* Update execution_windows_fakecaptcha_cmd_ps.toml
* Update execution_scripts_archive_file.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* ++
* Create execution_nodejs_susp_patterns.toml
* Update execution_nodejs_susp_patterns.toml
* Update execution_windows_fakecaptcha_cmd_ps.toml
* Fix unit test errors
* Update defense_evasion_network_connection_from_windows_binary.toml
* Add system index
* Add tag
* Update rules/windows/command_and_control_remcos_rat_iocs.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Remove duplicate
* Update defense_evasion_msiexec_child_proc_netcon.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Create credential_access_browsers_unusual_parent.toml
* Update credential_access_browsers_unusual_parent.toml
* ++
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_remcos_rat_iocs.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/defense_evasion_mshta_susp_child.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/execution_windows_phish_clickfix.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update discovery_host_public_ip_address_lookup.toml
* Update execution_windows_phish_clickfix.toml
* Update rules/windows/defense_evasion_script_via_html_app.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_browsers_unusual_parent.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_host_public_ip_address_lookup.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/defense_evasion_msiexec_child_proc_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/execution_nodejs_susp_patterns.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update discovery_host_public_ip_address_lookup.toml
* Update rules/windows/command_and_control_dns_susp_tld.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_script_via_html_app.toml
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2025-09-01 15:41:51 +01:00
b2bc6021f2
[Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths ( #5037 )
...
* [Rule Tuning] 3rd Party EDR Compatibility - Adjust CS Windows Paths
* ++
* Update defense_evasion_workfolders_control_execution.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
2025-09-01 05:31:12 -07:00
dd918b1f80
[Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation ( #5039 )
2025-09-01 05:09:31 -07:00
d9151c30ae
[Rule Tuning] M365 Portal Logins (Impossible & Atypical) ( #5031 )
...
* [Rule Tuning] M365 Portal Logins (Impossible & Atypical)
Fixes #5009
* updated new terms value
* fixed unit test failures
* Update rules/integrations/o365/initial_access_microsoft_365_portal_login_from_rare_location.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_portal_logins.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* adjusted rule name and file names
* fixed field mispelling
* fixed investigation guide
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2025-08-29 15:41:38 -04:00
d2791bf29a
[New Rule] Toolshell Exploit Chain Detections ( #4928 )
...
* adding toolshell attack chain rules for exploit and RCE
* updated query
* added references
* fixed references; linted
* Update rules/network/execution_potential_rce_via_toolshell.toml
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
* Update rules/network/initial_access_potential_toolshell_exploit_attempt.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* changed to BBR; lowered severity; adjusted queries
* Update rules_building_block/execution_potential_rce_via_toolshell.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules_building_block/execution_potential_rce_via_toolshell.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* fixed from and interval failures
* changed file name
---------
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2025-08-29 15:17:52 -04:00
4aebb7dfc5
[Rule Tuning] Microsoft Entra ID Suspicious Session Reuse to Graph Access ( #4997 )
...
* tuning rule 'Microsoft Entra ID Suspicious Session Reuse to Graph Access'
* Update rules/integrations/azure/initial_access_entra_graph_single_session_from_multiple_addresses.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2025-08-29 14:57:25 -04:00
7e9ef00b79
[New Rule] Threat Intelligence Signal - Microsoft Defender for Office 365 ( #4994 )
...
* adding new rule 'Threat Intelligence Signal - Microsoft Defender for Office 365'
* added mitre mapping
* Update rules/integrations/o365/initial_access_defender_for_m365_threat_intelligence_signal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* added note for max signals
* linted
* fixed unit test failure
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2025-08-29 14:41:34 -04:00
4b9e3887bb
[Rule Tuning] Multi-Factor Authentication Disabled for User ( #5006 )
...
* tuning rule 'Multi-Factor Authentication Disabled for User'
* adjusted query logic
* fixed query logic for optimization that passes unit tests; changed severity and risk back to medium
2025-08-29 13:20:12 -04:00
590cc9cbbd
[Tuning] First Occurrence of STS GetFederationToken Request by User ( #5007 )
...
Rule is executing as expected, however it is alerting on failed requests. Low alert telemetry.
This tuning:
- removed markdown and edited description to be more specific
- reduced execution window for 1 min lookback
- name change to add `AWS` consistent with all other rules
- added references that reflect in the wild threats and persistence usage
- increased risk_score and severity to medium accounting for usage as persistence mechanism in the wild
- added Persistence tag and Mitre tactic, technique, subtechnique
- added `event.outcome: success` criteria to query
- edited investigation guide to be more accurate reflection of steps required for investigating alert, including appropriate response action
- added highlighted fields
** Note: only IAMUser and Root user identities can call this actions so we can use `aws.cloudtrail.user_identity.arn` as the new terms field without worrying about Role vs Role + Session issue seen with other new_terms rules
2025-08-29 13:08:59 -04:00
4cde57de07
[Tuning] First Time AWS Cloudformation Stack Creation by User ( #5036 )
...
* [Tuning] First Time AWS Cloudformation Stack Creation by User
- corrected a creation_date error
- Removed `CreateStackSet` API call as this only creates a blueprint for creating stack instances across multiple AWS accounts and regions but does not actually create the resources
- Added `CreateStackInstances` API call which is used to create resources defined in the StackSet
- removed user from rule name as this also triggers for roles
- edited description and investigation guide
- added Mitre technique
* adding highlighted fields
2025-08-29 12:36:21 -04:00
79daf3fc68
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13 ( #5028 )
...
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 13
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2025-08-28 13:28:14 -07:00
ccedd45df1
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15 ( #5030 )
...
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 15
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* ++
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2025-08-28 13:07:38 -07:00
86dd350579
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14 ( #5029 )
...
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 14
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2025-08-28 12:50:59 -07:00
7eec833ec8
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12 ( #5027 )
...
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 12
* Update rules/windows/persistence_app_compat_shim.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2025-08-28 12:40:03 -07:00
41dd521546
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11 ( #5026 )
...
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 11
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2025-08-28 12:28:49 -07:00
9c08869575
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 9 ( #5024 )
2025-08-28 12:15:25 -07:00
be18b4db16
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8 ( #5023 )
...
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 8
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update defense_evasion_wdac_policy_by_unusual_process.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2025-08-28 12:04:55 -07:00
48dfb759cd
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 7 ( #5022 )
2025-08-28 11:51:45 -07:00
1af98a6170
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6 ( #5021 )
...
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 6
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update defense_evasion_proxy_execution_via_msdt.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2025-08-28 11:37:15 -07:00
b91e73714e
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5 ( #5020 )
...
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 5
* Update defense_evasion_ms_office_suspicious_regmod.toml
2025-08-28 11:26:09 -07:00
85a0d27b13
[Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4 ( #5019 )
...
* [Rule Tuning] Windows 3rd Party EDR Compatibility - Part 4
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2025-08-28 11:05:42 -07:00
Isai