Samirbous
bec5211814
[Rule Tuning] Setuid Bit Set via chmod and Setgid Bit Set via chmod (#875)
* [Rule Tuning] Setuid Bit Set via chmod and Setgid Bit Set via chmod
* Update privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
* relinted
2021-02-04 16:29:53 +01:00
Brent Murphy
236c630c90
[Rule Tuning] Update rules using case sensitive wildcard function (#904)
* update rules using case sensitive wildcard function
* add appropriate spacing
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* update ==
* Apply suggestions from code review
* remove info update index
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update persistence_evasion_hidden_local_account_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-02-04 10:23:32 -05:00
Samirbous
4a5085ee54
[Rule Tuning] Sudoers File Modification (#873)
* [Rule Tuning] Sudoers File Modification
* 2021!
* Update rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* relinted
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-02-03 17:57:40 +01:00
brokensound77
bf32dec5a4
Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main
# Conflicts:
# rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
2021-01-28 10:41:39 -09:00
Samirbous
3fc4aaec0f
[New Rule] Modification of OpenSSH Binaries (#747)
* [New Rule] Modification of SSH Binaries
* Update persistence_credential_access_modify_ssh_binaries.toml
* exclude unrelated auditbeat FP events
* updated TIDs and Tactics
* fix order of TIDs and Tactics
* relinted
* added libkeyutils.so used by Ebury Backdoor loaded by all OpenSSH processes
* renamed
* conv to kql and added one FP
* Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-01-28 19:46:30 +01:00
Samirbous
ebf365693e
[Rule Tuning] Deletion of Bash Command Line History (#752)
* [Rule Tuning] Deletion of Bash Command Line History
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Update rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2021-01-26 08:48:06 +01:00
Justin Ibarra
c1a0438f45
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00
Justin Ibarra
e272800a5d
Add ATT&CK sub-technique support to CLI (#614)
* Add Mitre sub-technique support to CLI
* Add subtechnique enum to schema
* Add test to prevent duplicative tactics in mapping
2020-12-08 21:56:55 -09:00
Samirbous
6bc4a6b9bb
[New Rule] Linux System Log Files Deleted (#461)
* [New Rule] Linux System Log Files Deleted
* Update defense_evasion_log_files_deleted.toml
* Update rules/linux/defense_evasion_log_files_deleted.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* added linux to rule name as sug by JLB
* ecs_version
* Update rules/linux/defense_evasion_log_files_deleted.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/linux/defense_evasion_log_files_deleted.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/linux/defense_evasion_log_files_deleted.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* adjusted format
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:34:33 +01:00
Justin Ibarra
97ee8cc9ac
Refresh beats and ecs schemas and default to use latest to validate (#570)
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
2020-12-01 13:24:20 -09:00
Samirbous
eb487f9433
[New Rule] Timestomping using Touch Command (#463)
* [New Rule] Timestomping using Touch Command
* Update defense_evasion_timestomp_touch.toml
* added macOS tag
* Update rules/linux/defense_evasion_timestomp_touch.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 23:29:47 +01:00
Justin Ibarra
f87f2a46f4
[Rule Tuning] Remove all rule timelines (#466)
2020-11-03 09:51:53 -09:00
Justin Ibarra
da64bacac1
[Rule Tuning] Add timeline_title to rules with timeline IDs defined (#452)
2020-11-02 14:12:20 -09:00
Justin Ibarra
a575cf9ff3
[Rule Tuning] Use cidrMatch for eql rules checking multiple IPs (#431)
2020-10-29 11:06:24 -08:00
Justin Ibarra
0d3c35886c
Remove connection type from endpoint network rules (#426)
2020-10-28 12:35:34 -08:00
Derek Ditch
580db2c13e
Add timeline_id to detection rules (#95)
* Adds timeline_id to all network rules
  - Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
  - Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
  - Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
2020-10-27 13:34:16 -05:00
seth-goodwin
2065af89b1
[Rule Tuning] Tag Categorization Updates (#380)
* Add new categorization tags
* Change updated_date to 2020/10/26
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
2020-10-26 13:50:45 -05:00
Justin Ibarra
2460333595
[Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351)
2020-09-30 16:16:04 -08:00
Justin Ibarra
3c0d982d8f
[Rule Tuning] Mknod Process Activity (#276)
2020-09-24 13:27:16 -08:00
Justin Ibarra
065bcd8018
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
2020-09-23 22:03:29 -08:00
brokensound77
aec3ec31b9
Merge branch '7.9' into main
2020-08-27 15:54:44 -08:00
Justin Ibarra
79a0dfefbe
Add ECS 1.6.0 schema for validation testing (#220)
* Add ecs 1.6.0 and refresh master ecs (2.0.0)
* update rule metadata to use ecs_version 1.6.0
2020-08-27 11:54:49 -05:00
Justin Ibarra
be08536880
Increase lookback for endpoint rules (#200)
2020-08-21 12:23:43 -05:00
Brent Murphy
7efe33e01d
[Rule Tuning] Update Index Pattern for Detection Engine Rules (#101)
* [Rule Tuning] Update Index Pattern for Detection Engine Rules
* update indices
2020-08-03 15:46:57 -04:00
Justin Ibarra
95908c22a4
Improve ECS compatibility for endpoint rules
2020-07-07 15:41:23 -06:00
David French
51fed4f537
Update defense_evasion_attempt_to_disable_iptables_or_firewall.toml (#11)
2020-07-02 11:31:19 -06:00
Francesco Soncina
46a4008570
[Rule tuning] Fix evasion for disable iptables rule (#5)
2020-07-01 12:08:32 -06:00
Ross Wolf
5fcece8416
Populate rules/ directory.
Co-Authored-By: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-Authored-By: Craig Chamberlain <randomuserid@users.noreply.github.com>
Co-Authored-By: David French <56409778+threat-punter@users.noreply.github.com>
Co-Authored-By: Derek Ditch <dcode@users.noreply.github.com>
Co-Authored-By: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-06-29 22:57:03 -06:00