Commit Graph

66 Commits

Author SHA1 Message Date
Justin Ibarra e5e0339430 min_stack all rules to 8.3 (#2259)
* min_stack all rules to 8.3

* bump date

Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>

Removed changes from:
- rules/apm/apm_403_response_to_a_post.toml
- rules/apm/apm_405_response_method_not_allowed.toml
- rules/apm/apm_null_user_agent.toml
- rules/apm/apm_sqlmap_user_agent.toml
- rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
- rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
- rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
- rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
- rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
- rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
- rules/cross-platform/defense_evasion_timestomp_touch.toml
- rules/cross-platform/discovery_security_software_grep.toml
- rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
- rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
- rules/cross-platform/execution_revershell_via_shell_cmd.toml
- rules/cross-platform/execution_suspicious_jar_child_process.toml
- rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
- rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
- rules/cross-platform/persistence_shell_profile_modification.toml
- rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
- rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
- rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
- rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
- rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
- rules/cross-platform/threat_intel_filebeat8x.toml
- rules/cross-platform/threat_intel_fleet_integrations.toml
- rules/integrations/aws/collection_cloudtrail_logging_created.toml
- rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
- rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
- rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
- rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
- rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
- rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
- rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
- rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
- rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
- rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
- rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
- rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
- rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
- rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
- rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
- rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
- rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
- rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
- rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
- rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
- rules/integrations/aws/exfiltration_rds_snapshot_export.toml
- rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
- rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
- rules/integrations/aws/impact_cloudtrail_logging_updated.toml
- rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
- rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
- rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
- rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
- rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
- rules/integrations/aws/impact_iam_group_deletion.toml
- rules/integrations/aws/impact_rds_group_deletion.toml
- rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
- rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
- rules/integrations/aws/initial_access_console_login_root.toml
- rules/integrations/aws/initial_access_password_recovery.toml
- rules/integrations/aws/initial_access_via_system_manager.toml
- rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
- rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
- rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
- rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
- rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
- rules/integrations/aws/persistence_ec2_network_acl_creation.toml
- rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
- rules/integrations/aws/persistence_iam_group_creation.toml
- rules/integrations/aws/persistence_rds_cluster_creation.toml
- rules/integrations/aws/persistence_rds_group_creation.toml
- rules/integrations/aws/persistence_rds_instance_creation.toml
- rules/integrations/aws/persistence_redshift_instance_creation.toml
- rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
- rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
- rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
- rules/integrations/aws/persistence_route_table_created.toml
- rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
- rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
- rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
- rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
- rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
- rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
- rules/integrations/azure/collection_update_event_hub_auth_rule.toml
- rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
- rules/integrations/azure/credential_access_key_vault_modified.toml
- rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
- rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
- rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
- rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
- rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
- rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
- rules/integrations/azure/defense_evasion_event_hub_deletion.toml
- rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
- rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
- rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
- rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
- rules/integrations/azure/defense_evasion_suppression_rule_created.toml
- rules/integrations/azure/discovery_blob_container_access_mod.toml
- rules/integrations/azure/execution_command_virtual_machine.toml
- rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
- rules/integrations/azure/impact_kubernetes_pod_deleted.toml
- rules/integrations/azure/impact_resource_group_deletion.toml
- rules/integrations/azure/impact_virtual_network_device_modified.toml
- rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
- rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
- rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
- rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
- rules/integrations/azure/initial_access_external_guest_user_invite.toml
- rules/integrations/azure/persistence_azure_automation_account_created.toml
- rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
- rules/integrations/azure/persistence_azure_automation_webhook_created.toml
- rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
- rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
- rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
- rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
- rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
- rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
- rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
- rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
- rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
- rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
- rules/integrations/endpoint/elastic_endpoint_security.toml
- rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
- rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
- rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
- rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
- rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
- rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
- rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
- rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
- rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
- rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
- rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
- rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
- rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
- rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
- rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
- rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
- rules/integrations/gcp/impact_gcp_service_account_deleted.toml
- rules/integrations/gcp/impact_gcp_service_account_disabled.toml
- rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
- rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
- rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
- rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
- rules/integrations/gcp/persistence_gcp_service_account_created.toml
- rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
- rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
- rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
- rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
- rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml
- rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
- rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
- rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
- rules/integrations/kubernetes/execution_user_exec_to_pod.toml
- rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
- rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
- rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
- rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
- rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
- rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
- rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
- rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
- rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
- rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
- rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
- rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
- rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
- rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
- rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
- rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
- rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
- rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
- rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
- rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
- rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
- rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
- rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
- rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
- rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
- rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
- rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
- rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
- rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
- rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
- rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
- rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
- rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
- rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
- rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
- rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
- rules/integrations/okta/credential_access_mfa_push_brute_force.toml
- rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
- rules/integrations/okta/credential_access_user_impersonation_access.toml
- rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
- rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
- rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
- rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
- rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
- rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
- rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
- rules/integrations/okta/impact_possible_okta_dos_attack.toml
- rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
- rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
- rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
- rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
- rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
- rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
- rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
- rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
- rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
- rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
- rules/linux/command_and_control_linux_iodine_activity.toml
- rules/linux/command_and_control_tunneling_via_earthworm.toml
- rules/linux/credential_access_collection_sensitive_files.toml
- rules/linux/credential_access_ssh_backdoor_log.toml
- rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
- rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
- rules/linux/defense_evasion_chattr_immutable_file.toml
- rules/linux/defense_evasion_disable_selinux_attempt.toml
- rules/linux/defense_evasion_file_deletion_via_shred.toml
- rules/linux/defense_evasion_file_mod_writable_dir.toml
- rules/linux/defense_evasion_hidden_file_dir_tmp.toml
- rules/linux/defense_evasion_hidden_shared_object.toml
- rules/linux/defense_evasion_kernel_module_removal.toml
- rules/linux/defense_evasion_log_files_deleted.toml
- rules/linux/discovery_kernel_module_enumeration.toml
- rules/linux/discovery_linux_hping_activity.toml
- rules/linux/discovery_linux_nping_activity.toml
- rules/linux/discovery_virtual_machine_fingerprinting.toml
- rules/linux/execution_abnormal_process_id_file_created.toml
- rules/linux/execution_linux_netcat_network_connection.toml
- rules/linux/execution_perl_tty_shell.toml
- rules/linux/execution_process_started_from_process_id_file.toml
- rules/linux/execution_process_started_in_shared_memory_directory.toml
- rules/linux/execution_python_tty_shell.toml
- rules/linux/execution_shell_evasion_linux_binary.toml
- rules/linux/execution_tc_bpf_filter.toml
- rules/linux/impact_process_kill_threshold.toml
- rules/linux/lateral_movement_telnet_network_activity_external.toml
- rules/linux/lateral_movement_telnet_network_activity_internal.toml
- rules/linux/persistence_chkconfig_service_add.toml
- rules/linux/persistence_credential_access_modify_ssh_binaries.toml
- rules/linux/persistence_dynamic_linker_backup.toml
- rules/linux/persistence_etc_file_creation.toml
- rules/linux/persistence_insmod_kernel_module_load.toml
- rules/linux/persistence_kde_autostart_modification.toml
- rules/linux/persistence_shell_activity_by_web_server.toml
- rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
- rules/linux/privilege_escalation_pkexec_envar_hijack.toml
- rules/macos/credential_access_access_to_browser_credentials_procargs.toml
- rules/macos/credential_access_credentials_keychains.toml
- rules/macos/credential_access_dumping_hashes_bi_cmds.toml
- rules/macos/credential_access_dumping_keychain_security.toml
- rules/macos/credential_access_kerberosdump_kcc.toml
- rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
- rules/macos/credential_access_mitm_localhost_webproxy.toml
- rules/macos/credential_access_potential_ssh_bruteforce.toml
- rules/macos/credential_access_promt_for_pwd_via_osascript.toml
- rules/macos/credential_access_systemkey_dumping.toml
- rules/macos/defense_evasion_apple_softupdates_modification.toml
- rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
- rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
- rules/macos/defense_evasion_install_root_certificate.toml
- rules/macos/defense_evasion_modify_environment_launchctl.toml
- rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
- rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
- rules/macos/defense_evasion_safari_config_change.toml
- rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
- rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
- rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
- rules/macos/discovery_users_domain_built_in_commands.toml
- rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
- rules/macos/execution_initial_access_suspicious_browser_childproc.toml
- rules/macos/execution_installer_package_spawned_network_event.toml
- rules/macos/execution_script_via_automator_workflows.toml
- rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
- rules/macos/execution_shell_execution_via_apple_scripting.toml
- rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
- rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
- rules/macos/lateral_movement_mounting_smb_share.toml
- rules/macos/lateral_movement_remote_ssh_login_enabled.toml
- rules/macos/lateral_movement_vpn_connection_attempt.toml
- rules/macos/persistence_account_creation_hide_at_logon.toml
- rules/macos/persistence_creation_change_launch_agents_file.toml
- rules/macos/persistence_creation_hidden_login_item_osascript.toml
- rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
- rules/macos/persistence_credential_access_authorization_plugin_creation.toml
- rules/macos/persistence_crontab_creation.toml
- rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
- rules/macos/persistence_directory_services_plugins_modification.toml
- rules/macos/persistence_docker_shortcuts_plist_modification.toml
- rules/macos/persistence_emond_rules_file_creation.toml
- rules/macos/persistence_emond_rules_process_execution.toml
- rules/macos/persistence_enable_root_account.toml
- rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
- rules/macos/persistence_finder_sync_plugin_pluginkit.toml
- rules/macos/persistence_folder_action_scripts_runtime.toml
- rules/macos/persistence_login_logout_hooks_defaults.toml
- rules/macos/persistence_loginwindow_plist_modification.toml
- rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
- rules/macos/persistence_periodic_tasks_file_mdofiy.toml
- rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
- rules/macos/persistence_screensaver_plist_file_modification.toml
- rules/macos/persistence_suspicious_calendar_modification.toml
- rules/macos/persistence_via_atom_init_file_modification.toml
- rules/macos/privilege_escalation_applescript_with_admin_privs.toml
- rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
- rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
- rules/macos/privilege_escalation_local_user_added_to_admin.toml
- rules/macos/privilege_escalation_root_crontab_filemod.toml
- rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
- rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
- rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
- rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
- rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
- rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
- rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
- rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
- rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
- rules/ml/credential_access_ml_suspicious_login_activity.toml
- rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
- rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
- rules/ml/discovery_ml_linux_system_information_discovery.toml
- rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
- rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
- rules/ml/discovery_ml_linux_system_process_discovery.toml
- rules/ml/discovery_ml_linux_system_user_discovery.toml
- rules/ml/execution_ml_windows_anomalous_script.toml
- rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
- rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
- rules/ml/initial_access_ml_auth_rare_user_logon.toml
- rules/ml/initial_access_ml_linux_anomalous_user_name.toml
- rules/ml/initial_access_ml_windows_anomalous_user_name.toml
- rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
- rules/ml/ml_high_count_network_denies.toml
- rules/ml/ml_high_count_network_events.toml
- rules/ml/ml_linux_anomalous_network_activity.toml
- rules/ml/ml_linux_anomalous_network_port_activity.toml
- rules/ml/ml_packetbeat_rare_server_domain.toml
- rules/ml/ml_rare_destination_country.toml
- rules/ml/ml_spike_in_traffic_to_a_country.toml
- rules/ml/ml_windows_anomalous_network_activity.toml
- rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
- rules/ml/persistence_ml_rare_process_by_host_linux.toml
- rules/ml/persistence_ml_rare_process_by_host_windows.toml
- rules/ml/persistence_ml_windows_anomalous_path_activity.toml
- rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
- rules/ml/persistence_ml_windows_anomalous_process_creation.toml
- rules/ml/persistence_ml_windows_anomalous_service.toml
- rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
- rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
- rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
- rules/network/command_and_control_cobalt_strike_beacon.toml
- rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
- rules/network/command_and_control_download_rar_powershell_from_internet.toml
- rules/network/command_and_control_fin7_c2_behavior.toml
- rules/network/command_and_control_halfbaked_beacon.toml
- rules/network/command_and_control_nat_traversal_port_activity.toml
- rules/network/command_and_control_port_26_activity.toml
- rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
- rules/network/command_and_control_telnet_port_activity.toml
- rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
- rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
- rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
- rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
- rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
- rules/network/initial_access_unsecure_elasticsearch_node.toml
- rules/promotions/credential_access_endgame_cred_dumping_detected.toml
- rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
- rules/promotions/endgame_adversary_behavior_detected.toml
- rules/promotions/endgame_malware_detected.toml
- rules/promotions/endgame_malware_prevented.toml
- rules/promotions/endgame_ransomware_detected.toml
- rules/promotions/endgame_ransomware_prevented.toml
- rules/promotions/execution_endgame_exploit_detected.toml
- rules/promotions/execution_endgame_exploit_prevented.toml
- rules/promotions/external_alerts.toml
- rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
- rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
- rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
- rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
- rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
- rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
- rules/windows/collection_email_powershell_exchange_mailbox.toml
- rules/windows/collection_posh_audio_capture.toml
- rules/windows/collection_posh_keylogger.toml
- rules/windows/collection_posh_screen_grabber.toml
- rules/windows/collection_winrar_encryption.toml
- rules/windows/command_and_control_certutil_network_connection.toml
- rules/windows/command_and_control_common_webservices.toml
- rules/windows/command_and_control_dns_tunneling_nslookup.toml
- rules/windows/command_and_control_encrypted_channel_freesslcert.toml
- rules/windows/command_and_control_iexplore_via_com.toml
- rules/windows/command_and_control_port_forwarding_added_registry.toml
- rules/windows/command_and_control_rdp_tunnel_plink.toml
- rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
- rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
- rules/windows/command_and_control_remote_file_copy_powershell.toml
- rules/windows/command_and_control_remote_file_copy_scripts.toml
- rules/windows/command_and_control_sunburst_c2_activity_detected.toml
- rules/windows/command_and_control_teamviewer_remote_file_copy.toml
- rules/windows/credential_access_cmdline_dump_tool.toml
- rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
- rules/windows/credential_access_credential_dumping_msbuild.toml
- rules/windows/credential_access_dcsync_replication_rights.toml
- rules/windows/credential_access_disable_kerberos_preauth.toml
- rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
- rules/windows/credential_access_dump_registry_hives.toml
- rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
- rules/windows/credential_access_iis_connectionstrings_dumping.toml
- rules/windows/credential_access_kerberoasting_unusual_process.toml
- rules/windows/credential_access_lsass_handle_via_malseclogon.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/credential_access_lsass_memdump_handle_access.toml
- rules/windows/credential_access_mimikatz_memssp_default_logs.toml
- rules/windows/credential_access_mimikatz_powershell_module.toml
- rules/windows/credential_access_mod_wdigest_security_provider.toml
- rules/windows/credential_access_moving_registry_hive_via_smb.toml
- rules/windows/credential_access_persistence_network_logon_provider_modification.toml
- rules/windows/credential_access_posh_minidump.toml
- rules/windows/credential_access_posh_request_ticket.toml
- rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
- rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
- rules/windows/credential_access_remote_sam_secretsdump.toml
- rules/windows/credential_access_saved_creds_vaultcmd.toml
- rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
- rules/windows/credential_access_shadow_credentials.toml
- rules/windows/credential_access_spn_attribute_modified.toml
- rules/windows/credential_access_suspicious_comsvcs_imageload.toml
- rules/windows/credential_access_suspicious_lsass_access_memdump.toml
- rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
- rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
- rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
- rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_amsienable_key_mod.toml
- rules/windows/defense_evasion_clearing_windows_console_history.toml
- rules/windows/defense_evasion_clearing_windows_event_logs.toml
- rules/windows/defense_evasion_clearing_windows_security_logs.toml
- rules/windows/defense_evasion_create_mod_root_certificate.toml
- rules/windows/defense_evasion_cve_2020_0601.toml
- rules/windows/defense_evasion_defender_disabled_via_registry.toml
- rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
- rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
- rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
- rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
- rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
- rules/windows/defense_evasion_disabling_windows_logs.toml
- rules/windows/defense_evasion_dns_over_https_enabled.toml
- rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
- rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
- rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
- rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
- rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
- rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
- rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
- rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
- rules/windows/defense_evasion_execution_windefend_unusual_path.toml
- rules/windows/defense_evasion_file_creation_mult_extension.toml
- rules/windows/defense_evasion_from_unusual_directory.toml
- rules/windows/defense_evasion_hide_encoded_executable_registry.toml
- rules/windows/defense_evasion_iis_httplogging_disabled.toml
- rules/windows/defense_evasion_injection_msbuild.toml
- rules/windows/defense_evasion_installutil_beacon.toml
- rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
- rules/windows/defense_evasion_masquerading_renamed_autoit.toml
- rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
- rules/windows/defense_evasion_masquerading_trusted_directory.toml
- rules/windows/defense_evasion_masquerading_werfault.toml
- rules/windows/defense_evasion_microsoft_defender_tampering.toml
- rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
- rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
- rules/windows/defense_evasion_msbuild_making_network_connections.toml
- rules/windows/defense_evasion_mshta_beacon.toml
- rules/windows/defense_evasion_msxsl_network.toml
- rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- rules/windows/defense_evasion_parent_process_pid_spoofing.toml
- rules/windows/defense_evasion_posh_assembly_load.toml
- rules/windows/defense_evasion_posh_compressed.toml
- rules/windows/defense_evasion_posh_process_injection.toml
- rules/windows/defense_evasion_potential_processherpaderping.toml
- rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
- rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
- rules/windows/defense_evasion_proxy_execution_via_msdt.toml
- rules/windows/defense_evasion_rundll32_no_arguments.toml
- rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
- rules/windows/defense_evasion_sdelete_like_filename_rename.toml
- rules/windows/defense_evasion_sip_provider_mod.toml
- rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
- rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
- rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
- rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
- rules/windows/defense_evasion_suspicious_scrobj_load.toml
- rules/windows/defense_evasion_suspicious_short_program_name.toml
- rules/windows/defense_evasion_suspicious_wmi_script.toml
- rules/windows/defense_evasion_suspicious_zoom_child_process.toml
- rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
- rules/windows/defense_evasion_unusual_ads_file_creation.toml
- rules/windows/defense_evasion_unusual_dir_ads.toml
- rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
- rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
- rules/windows/defense_evasion_unusual_process_network_connection.toml
- rules/windows/defense_evasion_unusual_system_vp_child_program.toml
- rules/windows/defense_evasion_via_filter_manager.toml
- rules/windows/defense_evasion_workfolders_control_execution.toml
- rules/windows/discovery_adfind_command_activity.toml
- rules/windows/discovery_admin_recon.toml
- rules/windows/discovery_command_system_account.toml
- rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
- rules/windows/discovery_net_view.toml
- rules/windows/discovery_peripheral_device.toml
- rules/windows/discovery_posh_suspicious_api_functions.toml
- rules/windows/discovery_post_exploitation_external_ip_lookup.toml
- rules/windows/discovery_privileged_localgroup_membership.toml
- rules/windows/discovery_remote_system_discovery_commands_windows.toml
- rules/windows/discovery_security_software_wmic.toml
- rules/windows/discovery_whoami_command_activity.toml
- rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
- rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
- rules/windows/execution_com_object_xwizard.toml
- rules/windows/execution_command_prompt_connecting_to_the_internet.toml
- rules/windows/execution_command_shell_started_by_svchost.toml
- rules/windows/execution_command_shell_started_by_unusual_process.toml
- rules/windows/execution_command_shell_via_rundll32.toml
- rules/windows/execution_enumeration_via_wmiprvse.toml
- rules/windows/execution_from_unusual_path_cmdline.toml
- rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
- rules/windows/execution_ms_office_written_file.toml
- rules/windows/execution_pdf_written_file.toml
- rules/windows/execution_posh_portable_executable.toml
- rules/windows/execution_posh_psreflect.toml
- rules/windows/execution_psexec_lateral_movement_command.toml
- rules/windows/execution_register_server_program_connecting_to_the_internet.toml
- rules/windows/execution_scheduled_task_powershell_source.toml
- rules/windows/execution_shared_modules_local_sxs_dll.toml
- rules/windows/execution_suspicious_cmd_wmi.toml
- rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
- rules/windows/execution_suspicious_pdf_reader.toml
- rules/windows/execution_suspicious_powershell_imgload.toml
- rules/windows/execution_suspicious_psexesvc.toml
- rules/windows/execution_via_compiled_html_file.toml
- rules/windows/execution_via_hidden_shell_conhost.toml
- rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
- rules/windows/impact_backup_file_deletion.toml
- rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
- rules/windows/impact_modification_of_boot_config.toml
- rules/windows/impact_stop_process_service_threshold.toml
- rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
- rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
- rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
- rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
- rules/windows/initial_access_script_executing_powershell.toml
- rules/windows/initial_access_scripts_process_started_via_wmi.toml
- rules/windows/initial_access_suspicious_ms_exchange_files.toml
- rules/windows/initial_access_suspicious_ms_exchange_process.toml
- rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
- rules/windows/initial_access_suspicious_ms_office_child_process.toml
- rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
- rules/windows/initial_access_unusual_dns_service_children.toml
- rules/windows/initial_access_unusual_dns_service_file_writes.toml
- rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
- rules/windows/lateral_movement_cmd_service.toml
- rules/windows/lateral_movement_dcom_hta.toml
- rules/windows/lateral_movement_dcom_mmc20.toml
- rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
- rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
- rules/windows/lateral_movement_direct_outbound_smb_connection.toml
- rules/windows/lateral_movement_dns_server_overflow.toml
- rules/windows/lateral_movement_evasion_rdp_shadowing.toml
- rules/windows/lateral_movement_executable_tool_transfer_smb.toml
- rules/windows/lateral_movement_execution_from_tsclient_mup.toml
- rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
- rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
- rules/windows/lateral_movement_incoming_wmi.toml
- rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
- rules/windows/lateral_movement_powershell_remoting_target.toml
- rules/windows/lateral_movement_rdp_enabled_registry.toml
- rules/windows/lateral_movement_rdp_sharprdp_target.toml
- rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
- rules/windows/lateral_movement_remote_services.toml
- rules/windows/lateral_movement_scheduled_task_target.toml
- rules/windows/lateral_movement_service_control_spawned_script_int.toml
- rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
- rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
- rules/windows/persistence_ad_adminsdholder.toml
- rules/windows/persistence_adobe_hijack_persistence.toml
- rules/windows/persistence_app_compat_shim.toml
- rules/windows/persistence_appcertdlls_registry.toml
- rules/windows/persistence_appinitdlls_registry.toml
- rules/windows/persistence_dontexpirepasswd_account.toml
- rules/windows/persistence_evasion_hidden_local_account_creation.toml
- rules/windows/persistence_evasion_registry_ifeo_injection.toml
- rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
- rules/windows/persistence_gpo_schtask_service_creation.toml
- rules/windows/persistence_local_scheduled_job_creation.toml
- rules/windows/persistence_local_scheduled_task_creation.toml
- rules/windows/persistence_local_scheduled_task_scripting.toml
- rules/windows/persistence_ms_office_addins_file.toml
- rules/windows/persistence_ms_outlook_vba_template.toml
- rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
- rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
- rules/windows/persistence_priv_escalation_via_accessibility_features.toml
- rules/windows/persistence_registry_uncommon.toml
- rules/windows/persistence_remote_password_reset.toml
- rules/windows/persistence_run_key_and_startup_broad.toml
- rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
- rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
- rules/windows/persistence_services_registry.toml
- rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
- rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
- rules/windows/persistence_startup_folder_scripts.toml
- rules/windows/persistence_suspicious_com_hijack_registry.toml
- rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
- rules/windows/persistence_suspicious_scheduled_task_runtime.toml
- rules/windows/persistence_suspicious_service_created_registry.toml
- rules/windows/persistence_system_shells_via_services.toml
- rules/windows/persistence_time_provider_mod.toml
- rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
- rules/windows/persistence_user_account_creation.toml
- rules/windows/persistence_via_application_shimming.toml
- rules/windows/persistence_via_bits_job_notify_command.toml
- rules/windows/persistence_via_hidden_run_key_valuename.toml
- rules/windows/persistence_via_lsa_security_support_provider_registry.toml
- rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
- rules/windows/persistence_via_update_orchestrator_service_hijack.toml
- rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
- rules/windows/persistence_via_wmi_stdregprov_run_services.toml
- rules/windows/persistence_webshell_detection.toml
- rules/windows/privilege_escalation_disable_uac_registry.toml
- rules/windows/privilege_escalation_group_policy_iniscript.toml
- rules/windows/privilege_escalation_group_policy_privileged_groups.toml
- rules/windows/privilege_escalation_group_policy_scheduled_task.toml
- rules/windows/privilege_escalation_installertakeover.toml
- rules/windows/privilege_escalation_krbrelayup_service_creation.toml
- rules/windows/privilege_escalation_lsa_auth_package.toml
- rules/windows/privilege_escalation_named_pipe_impersonation.toml
- rules/windows/privilege_escalation_persistence_phantom_dll.toml
- rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
- rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
- rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
- rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
- rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
- rules/windows/privilege_escalation_rogue_windir_environment_var.toml
- rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
- rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
- rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
- rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
- rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
- rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
- rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
- rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
- rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
- rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
- rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
- rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
- rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
- rules/windows/privilege_escalation_via_rogue_named_pipe.toml
- rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

(selectively cherry picked from commit 46d5e37b76)
2022-08-24 16:39:50 +00:00
TotalKnob 3042be0824 [Rule Tuning] Clearing Windows Event Logs (#2233)
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 023fbc7bbd)
2022-08-24 00:42:32 +00:00
Jonhnathan ad880bb7df [Rule Tuning] Standardizing Risk Score according to Severity (#2242)
(cherry picked from commit 6e2d20362a)
2022-08-22 01:30:44 +00:00
Samirbous 353fde10a0 [Deprecate Rule] Suspicious Process from Conhost (#2222)
Only FPs, with no way to tune other than opening the rule for easy evasion by excluding by process.executable/args.

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit d3420e3386)
2022-08-16 14:33:36 +00:00
Samirbous 73834a3b08 [Rule Tuning] Whoami Process Activity (#2224)
* added Whoami Process Activity

* Update discovery_whoami_command_activity.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 8e0ae64a04)
2022-08-16 14:27:06 +00:00
Samirbous 0a6f9c6ddf [Rule Tuning] Suspicious Execution via Scheduled Task (#2235)
Excluding `?:\\ProgramData` and a few other noisy FP patterns by process.args + name to reduce users' alert fatigue.

(cherry picked from commit 0f7b29918c)
2022-08-15 19:51:18 +00:00
Samirbous 96fd9f86a2 [Rule Tuning] Reduce FPs (#2223)
9 rules tuned to exclude common noisy FP patterns.

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

Removed changes from:
- rules/windows/execution_command_shell_started_by_svchost.toml

(selectively cherry picked from commit b89d6185b2)
2022-08-15 14:16:46 +00:00
Jonhnathan 9dabc6fc79 [Security Content] 8.4 - Add Investigation Guides - Windows - 2 (#2144)
* [Security Content] 8.4 - Add Investigation Guides - Windows - 2

* update date

* Apply suggestions from review

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit fc7a384d19)
2022-08-09 00:35:02 +00:00
TotalKnob c585aed3e2 Remove ambiguity from impact_modification_of_boot_config.toml (#2199)
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit b043695833)
2022-08-05 13:39:39 +00:00
Samirbous 979ca1dfab [Rules Tuning] Add support for Sysmon ImageLoad Events (#2215)
* [Rules Tuning] Add support for Sysmon ImageLoad Events

Added the correct event.category and event.action to rules using library events, to support Sysmon EventID 7.

`event.category == "library"` --> `(event.category == "process" and event.action : "Image loaded*")`

`dll.name` --> `file.name`

* added Suspicious RDP ActiveX Client Loaded

* Delete workspace.xml

(cherry picked from commit 50bb821708)
2022-08-02 16:41:40 +00:00
Samirbous ad1e7fbde9 [Rules Tuning] Diverse Windows Rules - FPs reduction (#2213)
* [Rules Tuning] 7 diverse Windows rules

Excluding FP patterns while avoiding breaking compatibility with Winlogbeat and 4688 events' lack of code-signing metadata.

* Update initial_access_suspicious_ms_exchange_process.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update execution_psexec_lateral_movement_command.toml

* Update persistence_remote_password_reset.toml

* Update non-ecs-schema.json

* Update persistence_remote_password_reset.toml

* Update non-ecs-schema.json

* Update discovery_privileged_localgroup_membership.toml

Removed changes from:
- rules/windows/credential_access_lsass_memdump_file_created.toml

(selectively cherry picked from commit b15f0de9a4)
2022-08-02 16:38:59 +00:00
Samirbous 7585d6264d [Deprecate rule] Whitespace Padding in Process Command Line (#2218)
Very noisy and will require frequent tuning, with a very low TP rate.

(cherry picked from commit a046dc0d29)
2022-08-02 16:32:01 +00:00
Samirbous 08f2e9003f [Deprecate Rule] File and Directory Discovery (#2217)
* [Deprecate Rule] File and Directory Discovery

Very noisy and most, if not all, are FPs; little room for tuning without rendering the rule easy to bypass.

* Delete workspace.xml

(cherry picked from commit e5ee8e024f)
2022-08-02 15:58:37 +00:00
Samirbous 8126bde72c [Rule Tuning] Suspicious Process Creation CallTrace (#2207)
Excluding some FPs by process.parent.executable and process.parent.args.

(cherry picked from commit 04dcf09c03)
2022-08-01 17:01:08 +00:00
Samirbous 777584bbc2 [Rule Tuning] Unusual Service Host Child Process - Childless Service (#2208)
Excluding some noisy unique processes.

(cherry picked from commit 1f21c5c57f)
2022-08-01 16:41:46 +00:00
Samirbous 2fe7336f2b [Deprecated Rule] Potential Privilege Escalation via Local Kerberos R… (#2209)
* [Deprecated Rule] Potential Privilege Escalation via Local Kerberos Relay over LDAP

FPs in certain cases with no room for tuning.

* Update privilege_escalation_krbrelayup_suspicious_logon.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 8d34416049)
2022-08-01 16:29:46 +00:00
Samirbous 84121d910e [Rule Tuning] Suspicious Process Access via Direct System Call (#2204)
Excluding some FPs by calltrace.

(cherry picked from commit a22fef8723)
2022-08-01 16:17:07 +00:00
Samirbous ccad691b30 [Rule Tuning] Remotely Started Services via RPC (#2211)
* [Rule Tuning] Remotely Started Services via RPC

Excluding noisy FPs by process.executable to be compatible with winlog and endpoint.

* Update lateral_movement_remote_services.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 6f69695820)
2022-08-01 16:12:14 +00:00
Samirbous 38e9b64fd6 [Rule Tuning] Process Termination followed by Deletion (#2206)
Excluded some FPs by process.executable and file.path.

(cherry picked from commit 91896db453)
2022-08-01 16:02:39 +00:00
Samirbous 475d67f1e8 [Rule Tuning] Potential Remote Credential Access via Registry (#2203)
* [Rule Tuning] Potential Remote Credential Access via Registry

Excluding some noisy FPs by file.path (user and machine hives' standard paths) and event.action (scoped to logged-in).

* Update credential_access_remote_sam_secretsdump.toml

(cherry picked from commit 049fbf7979)
2022-08-01 15:50:38 +00:00
Samirbous 0dfae46dcc [Rule Tuning] Kerberos Traffic from Unusual Process (#2202)
Excluding a couple of FPs by process.executable to reduce the FP rate.

(cherry picked from commit 527507835f)
2022-07-29 20:28:55 +00:00
Isai 5b183e66fa [Rule Tuning] Persistence via Update Orchestrator Service Hijack (#2195)
* [Rule Tuning] Persistence via Update Orchestrator Service Hijack

I changed the query to exclude FPs for safe executables found in telemetry: MoUsoCoreWorker.exe and OfficeC2RClient.exe. Changed the query type to KQL to account for the wildcard needed to capture 2 of the executable paths found in telemetry. I'm open to changing back to eql with suggestions.

* Update persistence_via_update_orchestrator_service_hijack.toml

revert back to eql

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 386a8202c0)
2022-07-29 20:12:27 +00:00
Samirbous 044b5a2c61 [Rule Tuning] Modification of WDigest Security Provider (#2201)
Excluding svchost.exe running as SYSTEM (main source of FPs for this use case).

(cherry picked from commit 6d61a68c29)
2022-07-29 17:46:25 +00:00
Terrance DeJesus 61d671a1a6 [Rule Tuning] Missing MITRE ATT&CK Mappings (#2073)
* initial commit with eggshell mitre mapping added

* adding updated rules

* [Rule Tuning] MITRE for GCP rules

I've added MITRE references for the 4 GCP rules missing them. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and its matched tactic.

* [Rule Tuning] Endgame Rule name updates for Mitre

Updated Endgame rule names for those with MITRE tactics to match the tactics.

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* adding 10 updated rules for google_workspace, ml and o365

* adding 22 rule updates for mitre att&ck mappings

* adding 24 rule updates related mainly to ML rules

* adding 3 rules related to detection via ML

* adding adjustments

* adding adjustments with solutions to recent pytest errors

* removed tabs from tags

* adjusted mappings and added techniques

* adjusted endgame rule mappings per review

* adjusted names to match different tactics

* added execution and defense evasion tag

* adjustments to address errors from merging with main

* added newlines to rules missing them at the end of the file

Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
2022-07-22 15:42:38 -04:00
Terrance DeJesus 141b00ec41 [Rule Tuning] Missing MITRE ATT&CK Mappings (#2073)
* initial commit with eggshell mitre mapping added

* adding updated rules

* [Rule Tuning] MITRE for GCP rules

I've added MITRE references for the 4 GCP rules missing them. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and its matched tactic.

* [Rule Tuning] Endgame Rule name updates for Mitre

Updated Endgame rule names for those with MITRE tactics to match the tactics.

* Update rules/integrations/aws/persistence_redshift_instance_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* adding 10 updated rules for google_workspace, ml and o365

* adding 22 rule updates for mitre att&ck mappings

* adding 24 rule updates related mainly to ML rules

* adding 3 rules related to detection via ML

* adding adjustments

* adding adjustments with solutions to recent pytest errors

* removed tabs from tags

* adjusted mappings and added techniques

* adjusted endgame rule mappings per review

* adjusted names to match different tactics

* added execution and defense evasion tag

* adjustments to address errors from merging with main

* added newlines to rules missing them at the end of the file

Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Removed changes from:
- rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/google_workspace_policy_modified.toml
- rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
- rules/ml/ml_linux_anomalous_compiler_activity.toml
- rules/ml/ml_linux_anomalous_metadata_process.toml
- rules/ml/ml_linux_anomalous_metadata_user.toml
- rules/ml/ml_linux_anomalous_process_all_hosts.toml
- rules/ml/ml_linux_anomalous_sudo_activity.toml
- rules/ml/ml_linux_anomalous_user_name.toml
- rules/ml/ml_linux_system_information_discovery.toml
- rules/ml/ml_linux_system_network_configuration_discovery.toml
- rules/ml/ml_linux_system_network_connection_discovery.toml
- rules/ml/ml_linux_system_process_discovery.toml
- rules/ml/ml_linux_system_user_discovery.toml
- rules/ml/ml_rare_process_by_host_linux.toml
- rules/ml/ml_rare_process_by_host_windows.toml
- rules/ml/ml_suspicious_login_activity.toml
- rules/ml/ml_windows_anomalous_metadata_process.toml
- rules/ml/ml_windows_anomalous_metadata_user.toml
- rules/ml/ml_windows_anomalous_path_activity.toml
- rules/ml/ml_windows_anomalous_process_all_hosts.toml
- rules/ml/ml_windows_anomalous_process_creation.toml
- rules/ml/ml_windows_anomalous_script.toml
- rules/ml/ml_windows_anomalous_service.toml
- rules/ml/ml_windows_anomalous_user_name.toml
- rules/ml/ml_windows_rare_user_runas_event.toml
- rules/ml/ml_windows_rare_user_type10_remote_login.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

(selectively cherry picked from commit e8c39d19a7)
2022-07-22 18:31:42 +00:00
Samirbous 25493a90c9 [New Rule] Suspicious HTML File Creation (#2068)
* [New Rule] Suspicious HTML File Creation

* Update initial_access_evasion_suspicious_htm_file_creation.toml

* Update non-ecs-schema.json

* Update initial_access_evasion_suspicious_htm_file_creation.toml

* Update rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit d312f49117)
2022-07-22 14:22:56 +00:00
Jonhnathan edef90b3ec [Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
* [Security Content] Add Investigation Guides to Cloud Rules - AWS

* Apply suggestion from review

* Update rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Apply suggestions from review

* Apply suggestions from code review

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* .

* Applies suggestions from the https://github.com/elastic/detection-rules/pull/2124 PR

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit d854b943e5)
2022-07-20 15:30:04 +00:00
Samirbous 900a8cdbe9 [New Rule] Suspicious LSASS Access via MalSecLogon (#2063)
* [New Rule]

Identifies suspicious access to an LSASS handle from a call trace pointing to seclogon.dll and with a suspicious access rights value; this may indicate an attempt to leak an LSASS handle by abusing the Secondary Logon service in preparation for credential access.

https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html

Data:

```
{
  "_index": ".ds-logs-windows.sysmon_operational-default-2022.06.16-000005",
  "_id": "QxU4rIEBTJjT82fLq8Cf",
  "_score": 1,
  "_source": {
    "agent": {
      "name": "02694w-win10",
      "id": "85e87161-ea22-4847-a978-fb4ed45ebf0e",
      "type": "filebeat",
      "ephemeral_id": "137d194a-e542-4cd6-a1e3-f4ca9f5ad6b8",
      "version": "8.0.0"
    },
    "process": {
      "name": "svchost.exe",
      "pid": 456,
      "thread": {
        "id": 15264
      },
      "entity_id": "{6a3c3ef2-3646-62ab-1300-00000000d300}",
      "executable": "C:\\WINDOWS\\system32\\svchost.exe"
    },
    "winlog": {
      "computer_name": "02694w-win10.threebeesco.com",
      "process": {
        "pid": 2680,
        "thread": {
          "id": 3988
        }
      },
      "channel": "Microsoft-Windows-Sysmon/Operational",
      "event_data": {
        "GrantedAccess": "0x14c0",
        "TargetProcessId": "680",
        "SourceUser": "NT AUTHORITY\\SYSTEM",
        "TargetImage": "C:\\WINDOWS\\system32\\lsass.exe",
        "CallTrace": "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+2726e|c:\\windows\\system32\\seclogon.dll+128f|c:\\windows\\system32\\seclogon.dll+10a0|C:\\WINDOWS\\System32\\RPCRT4.dll+76953|C:\\WINDOWS\\System32\\RPCRT4.dll+da036|C:\\WINDOWS\\System32\\RPCRT4.dll+37a4c|C:\\WINDOWS\\System32\\RPCRT4.dll+548c8|C:\\WINDOWS\\System32\\RPCRT4.dll+2c921|C:\\WINDOWS\\System32\\RPCRT4.dll+2c1db|C:\\WINDOWS\\System32\\RPCRT4.dll+1a86f|C:\\WINDOWS\\System32\\RPCRT4.dll+19d1a|C:\\WINDOWS\\System32\\RPCRT4.dll+19301|C:\\WINDOWS\\System32\\RPCRT4.dll+18d6e|C:\\WINDOWS\\System32\\RPCRT4.dll+169a5|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+333ed|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+34142|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51",
        "TargetProcessGUID": "{6a3c3ef2-3646-62ab-0c00-00000000d300}",
        "TargetUser": "NT AUTHORITY\\SYSTEM"
      },
      "opcode": "Info",
      "version": 3,
      "record_id": "1825496",
      "task": "Process accessed (rule: ProcessAccess)",
      "event_id": "10",
      "provider_guid": "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}",
      "api": "wineventlog",
      "provider_name": "Microsoft-Windows-Sysmon",
      "user": {
        "identifier": "S-1-5-18",
        "domain": "NT AUTHORITY",
        "name": "SYSTEM",
        "type": "User"
      }
    },
    "log": {
      "level": "information"
    },
    "elastic_agent": {
      "id": "85e87161-ea22-4847-a978-fb4ed45ebf0e",
      "version": "8.0.0",
      "snapshot": false
    },
    "message": "Process accessed:\nRuleName: -\nUtcTime: 2022-06-28 21:29:49.829\nSourceProcessGUID: {6a3c3ef2-3646-62ab-1300-00000000d300}\nSourceProcessId: 456\nSourceThreadId: 15264\nSourceImage: C:\\WINDOWS\\system32\\svchost.exe\nTargetProcessGUID: {6a3c3ef2-3646-62ab-0c00-00000000d300}\nTargetProcessId: 680\nTargetImage: C:\\WINDOWS\\system32\\lsass.exe\nGrantedAccess: 0x14C0\nCallTrace: C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+2726e|c:\\windows\\system32\\seclogon.dll+128f|c:\\windows\\system32\\seclogon.dll+10a0|C:\\WINDOWS\\System32\\RPCRT4.dll+76953|C:\\WINDOWS\\System32\\RPCRT4.dll+da036|C:\\WINDOWS\\System32\\RPCRT4.dll+37a4c|C:\\WINDOWS\\System32\\RPCRT4.dll+548c8|C:\\WINDOWS\\System32\\RPCRT4.dll+2c921|C:\\WINDOWS\\System32\\RPCRT4.dll+2c1db|C:\\WINDOWS\\System32\\RPCRT4.dll+1a86f|C:\\WINDOWS\\System32\\RPCRT4.dll+19d1a|C:\\WINDOWS\\System32\\RPCRT4.dll+19301|C:\\WINDOWS\\System32\\RPCRT4.dll+18d6e|C:\\WINDOWS\\System32\\RPCRT4.dll+169a5|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+333ed|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+34142|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51\nSourceUser: NT AUTHORITY\\SYSTEM\nTargetUser: NT AUTHORITY\\SYSTEM",
    "input": {
      "type": "winlog"
    },
    "@timestamp": "2022-06-28T21:29:49.829Z",
    "ecs": {
      "version": "1.12.0"
    },
    "data_stream": {
      "namespace": "default",
      "type": "logs",
      "dataset": "windows.sysmon_operational"
    },
    "host": {
      "hostname": "02694w-win10",
      "os": {
        "build": "18363.815",
        "kernel": "10.0.18362.815 (WinBuild.160101.0800)",
        "name": "Windows 10 Enterprise",
        "type": "windows",
        "family": "windows",
        "version": "10.0",
        "platform": "windows"
      },
      "ip": [
        "fe80::7587:a5c1:5a7b:68f6",
        "172.16.66.25"
      ],
      "name": "02694w-win10.threebeesco.com",
      "id": "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
      "mac": [
        "00:50:56:03:c6:93"
      ],
      "architecture": "x86_64"
    },
    "event": {
      "agent_id_status": "verified",
      "ingested": "2022-06-28T21:30:04Z",
      "code": "10",
      "provider": "Microsoft-Windows-Sysmon",
      "created": "2022-06-28T21:29:51.107Z",
      "kind": "event",
      "action": "Process accessed (rule: ProcessAccess)",
      "category": [
        "process"
      ],
      "type": [
        "access"
      ],
      "dataset": "windows.sysmon_operational"
    },
    "user": {
      "id": "S-1-5-18"
    }
  },
  "fields": {
    "elastic_agent.version": [
      "8.0.0"
    ],
    "event.category": [
      "process"
    ],
    "host.os.name.text": [
      "Windows 10 Enterprise"
    ],
    "winlog.provider_guid": [
      "{5770385f-c22a-43e0-bf4c-06f5698ffbd9}"
    ],
    "winlog.provider_name": [
      "Microsoft-Windows-Sysmon"
    ],
    "host.hostname": [
      "02694w-win10"
    ],
    "winlog.computer_name": [
      "02694w-win10.threebeesco.com"
    ],
    "process.pid": [
      456
    ],
    "host.mac": [
      "00:50:56:03:c6:93"
    ],
    "winlog.process.pid": [
      2680
    ],
    "host.os.version": [
      "10.0"
    ],
    "winlog.record_id": [
      "1825496"
    ],
    "winlog.event_data.TargetUser": [
      "NT AUTHORITY\\SYSTEM"
    ],
    "host.os.name": [
      "Windows 10 Enterprise"
    ],
    "log.level": [
      "information"
    ],
    "agent.name": [
      "02694w-win10"
    ],
    "host.name": [
      "02694w-win10.threebeesco.com"
    ],
    "event.agent_id_status": [
      "verified"
    ],
    "event.kind": [
      "event"
    ],
    "winlog.version": [
      3
    ],
    "host.os.type": [
      "windows"
    ],
    "user.id": [
      "S-1-5-18"
    ],
    "input.type": [
      "winlog"
    ],
    "data_stream.type": [
      "logs"
    ],
    "host.architecture": [
      "x86_64"
    ],
    "process.name": [
      "svchost.exe"
    ],
    "event.provider": [
      "Microsoft-Windows-Sysmon"
    ],
    "event.code": [
      "10"
    ],
    "agent.id": [
      "85e87161-ea22-4847-a978-fb4ed45ebf0e"
    ],
    "ecs.version": [
      "1.12.0"
    ],
    "event.created": [
      "2022-06-28T21:29:51.107Z"
    ],
    "winlog.event_data.CallTrace": [
      "C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+2726e|c:\\windows\\system32\\seclogon.dll+128f|c:\\windows\\system32\\seclogon.dll+10a0|C:\\WINDOWS\\System32\\RPCRT4.dll+76953|C:\\WINDOWS\\System32\\RPCRT4.dll+da036|C:\\WINDOWS\\System32\\RPCRT4.dll+37a4c|C:\\WINDOWS\\System32\\RPCRT4.dll+548c8|C:\\WINDOWS\\System32\\RPCRT4.dll+2c921|C:\\WINDOWS\\System32\\RPCRT4.dll+2c1db|C:\\WINDOWS\\System32\\RPCRT4.dll+1a86f|C:\\WINDOWS\\System32\\RPCRT4.dll+19d1a|C:\\WINDOWS\\System32\\RPCRT4.dll+19301|C:\\WINDOWS\\System32\\RPCRT4.dll+18d6e|C:\\WINDOWS\\System32\\RPCRT4.dll+169a5|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+333ed|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+34142|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51"
    ],
    "agent.version": [
      "8.0.0"
    ],
    "host.os.family": [
      "windows"
    ],
    "process.thread.id": [
      15264
    ],
    "winlog.event_data.TargetProcessGUID": [
      "{6a3c3ef2-3646-62ab-0c00-00000000d300}"
    ],
    "winlog.process.thread.id": [
      3988
    ],
    "winlog.event_data.TargetImage": [
      "C:\\WINDOWS\\system32\\lsass.exe"
    ],
    "winlog.event_data.TargetProcessId": [
      "680"
    ],
    "process.entity_id": [
      "{6a3c3ef2-3646-62ab-1300-00000000d300}"
    ],
    "host.os.build": [
      "18363.815"
    ],
    "winlog.user.type": [
      "User"
    ],
    "host.ip": [
      "fe80::7587:a5c1:5a7b:68f6",
      "172.16.66.25"
    ],
    "agent.type": [
      "filebeat"
    ],
    "event.module": [
      "windows"
    ],
    "host.os.kernel": [
      "10.0.18362.815 (WinBuild.160101.0800)"
    ],
    "winlog.api": [
      "wineventlog"
    ],
    "elastic_agent.snapshot": [
      false
    ],
    "host.id": [
      "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160"
    ],
    "process.executable": [
      "C:\\WINDOWS\\system32\\svchost.exe"
    ],
    "winlog.user.identifier": [
      "S-1-5-18"
    ],
    "winlog.event_data.SourceUser": [
      "NT AUTHORITY\\SYSTEM"
    ],
    "winlog.task": [
      "Process accessed (rule: ProcessAccess)"
    ],
    "winlog.user.domain": [
      "NT AUTHORITY"
    ],
    "elastic_agent.id": [
      "85e87161-ea22-4847-a978-fb4ed45ebf0e"
    ],
    "data_stream.namespace": [
      "default"
    ],
    "winlog.event_data.GrantedAccess": [
      "0x14c0"
    ],
    "message": [
      "Process accessed:\nRuleName: -\nUtcTime: 2022-06-28 21:29:49.829\nSourceProcessGUID: {6a3c3ef2-3646-62ab-1300-00000000d300}\nSourceProcessId: 456\nSourceThreadId: 15264\nSourceImage: C:\\WINDOWS\\system32\\svchost.exe\nTargetProcessGUID: {6a3c3ef2-3646-62ab-0c00-00000000d300}\nTargetProcessId: 680\nTargetImage: C:\\WINDOWS\\system32\\lsass.exe\nGrantedAccess: 0x14C0\nCallTrace: C:\\WINDOWS\\SYSTEM32\\ntdll.dll+9c534|C:\\WINDOWS\\System32\\KERNELBASE.dll+2726e|c:\\windows\\system32\\seclogon.dll+128f|c:\\windows\\system32\\seclogon.dll+10a0|C:\\WINDOWS\\System32\\RPCRT4.dll+76953|C:\\WINDOWS\\System32\\RPCRT4.dll+da036|C:\\WINDOWS\\System32\\RPCRT4.dll+37a4c|C:\\WINDOWS\\System32\\RPCRT4.dll+548c8|C:\\WINDOWS\\System32\\RPCRT4.dll+2c921|C:\\WINDOWS\\System32\\RPCRT4.dll+2c1db|C:\\WINDOWS\\System32\\RPCRT4.dll+1a86f|C:\\WINDOWS\\System32\\RPCRT4.dll+19d1a|C:\\WINDOWS\\System32\\RPCRT4.dll+19301|C:\\WINDOWS\\System32\\RPCRT4.dll+18d6e|C:\\WINDOWS\\System32\\RPCRT4.dll+169a5|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+333ed|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+34142|C:\\WINDOWS\\System32\\KERNEL32.DLL+17bd4|C:\\WINDOWS\\SYSTEM32\\ntdll.dll+6ce51\nSourceUser: NT AUTHORITY\\SYSTEM\nTargetUser: NT AUTHORITY\\SYSTEM"
    ],
    "winlog.user.name": [
      "SYSTEM"
    ],
    "winlog.event_id": [
      "10"
    ],
    "event.ingested": [
      "2022-06-28T21:30:04.000Z"
    ],
    "event.action": [
      "Process accessed (rule: ProcessAccess)"
    ],
    "@timestamp": [
      "2022-06-28T21:29:49.829Z"
    ],
    "winlog.channel": [
      "Microsoft-Windows-Sysmon/Operational"
    ],
    "host.os.platform": [
      "windows"
    ],
    "data_stream.dataset": [
      "windows.sysmon_operational"
    ],
    "event.type": [
      "access"
    ],
    "winlog.opcode": [
      "Info"
    ],
    "agent.ephemeral_id": [
      "137d194a-e542-4cd6-a1e3-f4ca9f5ad6b8"
    ],
    "event.dataset": [
      "windows.sysmon_operational"
    ]
  }
}
```

* Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml

* Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 59736e3973)
2022-07-20 14:31:31 +00:00
Mika Ayenson ec17d0b54d 2058 add setup field to metadata (#2061)
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* Only validate and parse note on Elastic-authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2022-07-18 20:15:19 -04:00
Mika Ayenson 62298d92f4 2058 add setup field to metadata (#2061)
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* Only validate and parse note on Elastic-authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>

Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/google_workspace_policy_modified.toml
- rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
- rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
- rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
- rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
- rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
- rules/integrations/kubernetes/execution_user_exec_to_pod.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml

(selectively cherry picked from commit a52751494e)
2022-07-18 21:25:32 +00:00
Jonhnathan d8ee4473a2 [Security Content] 8.4 - Add Investigation Guides (#2069)
* [Security Content] 8.4 - Add Investigation Guides

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Update rules/windows/credential_access_cmdline_dump_tool.toml

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Update rules/windows/credential_access_credential_dumping_msbuild.toml

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

Removed changes from:
- rules/windows/execution_command_shell_started_by_svchost.toml

(selectively cherry picked from commit 3a8efc8183)
2022-07-13 14:29:48 +00:00
Terrance DeJesus de2a90090c [New Rule] Domain Trust Enumeration via Nltest (#2010)
* adding detection rule

* removed changes from unrelated rule

* adjusted threat technique

* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml

* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 329530c8c3)
2022-07-05 14:49:39 +00:00
Jonhnathan 8011420e71 Update discovery_privileged_localgroup_membership.toml (#2046)
(cherry picked from commit 853f8db8d0)
2022-06-30 17:27:15 +00:00
Jonhnathan 0973ac07ef Update discovery_remote_system_discovery_commands_windows.toml (#2033)
(cherry picked from commit c8ff1dc9cb)
2022-06-14 13:52:02 +00:00
Jonhnathan 835b342a43 Update persistence_sdprop_exclusion_dsheuristics.toml (#2017)
(cherry picked from commit b6631f200e)
2022-06-03 17:22:33 +00:00
Jonhnathan a51d251e05 Adds logs-system.* index pattern (#2016)
(cherry picked from commit f857e009c5)
2022-06-03 16:57:26 +00:00
Samirbous 29cf0c8f77 [New Rule] Suspicious Microsoft Diagnostics Wizard Execution (#2005)
* [New Rule] Suspicious Microsoft Diagnostics Wizard Execution

https://lolbas-project.github.io/lolbas/Binaries/Msdt/
https://twitter.com/nao_sec/status/1530196847679401984

* Update rules/windows/defense_evasion_proxy_execution_via_msdt.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit d6e96a83d5)
2022-06-01 15:04:54 +00:00
Jonhnathan 1484c20795 [Security Content] 8.3 Add Investigation Guides - 3 (#1990)
* [Security Content] 8.3 Add Investigation Guides - 3

* bump date

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

(cherry picked from commit 27f5c2e695)
2022-05-31 15:59:13 +00:00
Jonhnathan d575fd4b3c [Security Content] 8.3 - Add Investigation Guides 2 (#1989)
* [Security Content] 8.3 - Add Investigation Guides 2 - Initial Commit

* .

* Add Related rules

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* .

* .

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

(cherry picked from commit e5d3c6329c)
2022-05-31 15:56:50 +00:00
Samirbous 10c2d9de3d [Rule Tuning] Suspicious MS Office Child Process (#2003)
Added msdt.exe in response to this in-the-wild 0day (works without VBA and on the latest Office) ->

https://twitter.com/nao_sec/status/1530196847679401984
https://www.virustotal.com/gui/file/4a24048f81afbe9fb62e7a6a49adbd1faf41f266b5f9feecdceb567aec096784/detection

(cherry picked from commit bfea11c99f)
2022-05-31 12:23:08 +00:00
Jonhnathan 1d69a2bbae [Promote Rule] Potential Invoke-Mimikatz PowerShell Script (#1993)
* Update credential_access_mimikatz_powershell_module.toml

* Update credential_access_mimikatz_powershell_module.toml

* Update credential_access_mimikatz_powershell_module.toml

* Update credential_access_mimikatz_powershell_module.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 1f8813d02f)
2022-05-25 20:04:28 +00:00
Justin Ibarra c5e3312727 [Rule tuning] Whitespace Padding in Process Command Line (#1967)
* [Rule tuning] Whitespace Padding in Process Command Line

* bump updated_date

* update comment

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 72c186b30b)
2022-05-23 19:35:44 +00:00
Jonhnathan 18277206f8 [Security Content] 8.3 - Add Investigation Guides (#1937)
* 8.3 - Add Investigation Guides

* Apply suggestions

* Apply the refactor

* Apply suggestions from Samir

* .

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit a1bdf2b564)
2022-05-19 16:25:46 +00:00
Jonhnathan 7c90f1d4c4 [Security Content] Refactor Existing Investigation Guides (#1959)
* Initial commit

* Update Investigation guides - security-docs review

* Update command_and_control_dns_tunneling_nslookup.toml

* Update defense_evasion_amsienable_key_mod.toml

* Apply security-docs review

* Remove dot

* Update rules/windows/command_and_control_rdp_tunnel_plink.toml

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply changes from review

* Apply the suggestion

Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>

(cherry picked from commit 817b97f428)
2022-05-18 16:01:50 +00:00
Jonhnathan f223e63030 Update command_and_control_common_webservices.toml (#1970)
(cherry picked from commit 27e6632ecd)
2022-05-16 17:06:24 +00:00
Samirbous ca7a148f5a [New rule] Remote Computer Account DnsHostName Update (#1962)
* [New rule] Remote Computer Account DnsHostName Update

Identifies a remote update to a computer account's DnsHostName attribute. If the new value is set to a valid domain controller DNS hostname and the subject computer name is not a domain controller, then it is highly likely a preparation step to exploit CVE-2022-26923 in an attempt to elevate privileges from a standard domain user to domain admin privileges:

* added MS ref url

* Update rules/windows/privilege_escalation_suspicious_dnshostname_update.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/privilege_escalation_suspicious_dnshostname_update.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 19ff825a91)
2022-05-11 17:42:44 +00:00
Samirbous 36413ad8b2 [New Rule] Potential Local NTLM Relay via HTTP (#1947)
* [New Rule] Potential Local NTLM Relay via HTTP

Detects an attempt to elevate privileges by coercing a privileged service to connect to a local rogue HTTP endpoint, leading to NTLM relay. Example of logs while testing https://github.com/med0x2e/NTLMRelay2Self (step 5):

* Update credential_access_relay_ntlm_auth_via_http_spoolss.toml

* Update credential_access_relay_ntlm_auth_via_http_spoolss.toml

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 03836d45fa)
2022-05-06 19:09:27 +00:00
Terrance DeJesus 5769a21867 [Rule Tuning] Update Rule Content Changes from Security Docs Team (#1945)
* updated content to reflect changes from Security Docs team

* Update rules/linux/execution_flock_binary.toml

* Update rules/linux/execution_expect_binary.toml

* TOML linting

* added escape for credential_access_spn_attribute_modified.toml

(cherry picked from commit e9f5585a9f)
2022-05-06 17:23:22 +00:00
Samirbous 6a6d49a362 [New Rule] Service Creation via Local Kerberos Authentication (#1941)
* [New Rule] Suspicious Service Creation via Local Kerberos Relay over LDAP

This rule will also catch the suspicious service that was created leveraging the imported Kerberos ticket https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82, which makes triage easier:

DATA:

```
 "sequences" : [
      {
        "join_keys" : [
          "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
          "0xefac5f"
        ],
        "events" : [
          {
            "_index" : ".ds-logs-system.security-default-2022.04.12-000003",
            "_id" : "XAy1YoABQhClK0XGpqaL",
            "_source" : {
              "agent" : {
                "name" : "02694w-win10",
                "id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
                "type" : "filebeat",
                "ephemeral_id" : "6c751494-97a3-46aa-bab2-5baf01d17d04",
                "version" : "8.0.0"
              },
              "process" : {
                "name" : "-",
                "pid" : 0,
                "executable" : "-"
              },
              "winlog" : {
                "computer_name" : "02694w-win10.threebeesco.com",
                "process" : {
                  "pid" : 688,
                  "thread" : {
                    "id" : 5160
                  }
                },
                "keywords" : [
                  "Audit Success"
                ],
                "logon" : {
                  "id" : "0x0",
                  "type" : "Network"
                },
                "channel" : "Security",
                "event_data" : {
                  "LogonGuid" : "{82d3503b-9dac-ab6d-b045-8877b5aab051}",
                  "TargetOutboundDomainName" : "-",
                  "VirtualAccount" : "%%1843",
                  "LogonType" : "3",
                  "TransmittedServices" : "-",
                  "SubjectLogonId" : "0x0",
                  "LmPackageName" : "-",
                  "TargetOutboundUserName" : "-",
                  "KeyLength" : "0",
                  "RestrictedAdminMode" : "-",
                  "TargetLogonId" : "0xefac5f",
                  "SubjectUserName" : "-",
                  "TargetLinkedLogonId" : "0x0",
                  "ElevatedToken" : "%%1842",
                  "SubjectDomainName" : "-",
                  "ImpersonationLevel" : "%%1833",
                  "TargetUserName" : "Administrator",
                  "TargetDomainName" : "THREEBEESCO.COM",
                  "LogonProcessName" : "Kerberos",
                  "SubjectUserSid" : "S-1-0-0",
                  "TargetUserSid" : "S-1-5-21-308926384-506822093-3341789130-500",
                  "AuthenticationPackageName" : "Kerberos"
                },
                "opcode" : "Info",
                "version" : 2,
                "record_id" : "59330",
                "task" : "Logon",
                "event_id" : "4624",
                "provider_guid" : "{54849625-5478-4994-a5ba-3e3b0328c30d}",
                "activity_id" : "{e22af019-58dd-0002-43f0-2ae2dd58d801}",
                "api" : "wineventlog",
                "provider_name" : "Microsoft-Windows-Security-Auditing"
              },
              "log" : {
                "level" : "information"
              },
              "elastic_agent" : {
                "id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
                "version" : "8.0.0",
                "snapshot" : false
              },
              "source" : {
                "port" : 50494,
                "ip" : "127.0.0.1",
                "domain" : "-"
              },
              "message" : """An account was successfully logged on.

Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Information:
	Logon Type:		3
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		Yes

Impersonation Level:		Impersonation

New Logon:
	Security ID:		S-1-5-21-308926384-506822093-3341789130-500
	Account Name:		Administrator
	Account Domain:		THREEBEESCO.COM
	Logon ID:		0xEFAC5F
	Linked Logon ID:		0x0
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{82d3503b-9dac-ab6d-b045-8877b5aab051}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	-
	Source Network Address:	127.0.0.1
	Source Port:		50494

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
              "input" : {
                "type" : "winlog"
              },
              "@timestamp" : "2022-04-25T21:09:04.559Z",
              "ecs" : {
                "version" : "1.12.0"
              },
              "related" : {
                "ip" : [
                  "127.0.0.1"
                ],
                "user" : [
                  "Administrator"
                ]
              },
              "data_stream" : {
                "namespace" : "default",
                "type" : "logs",
                "dataset" : "system.security"
              },
              "host" : {
                "hostname" : "02694w-win10",
                "os" : {
                  "build" : "18363.815",
                  "kernel" : "10.0.18362.815 (WinBuild.160101.0800)",
                  "name" : "Windows 10 Enterprise",
                  "family" : "windows",
                  "type" : "windows",
                  "version" : "10.0",
                  "platform" : "windows"
                },
                "ip" : [
                  "fe80::7587:a5c1:5a7b:68f6",
                  "172.16.66.25"
                ],
                "name" : "02694w-win10.threebeesco.com",
                "id" : "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
                "mac" : [
                  "00:50:56:03:c6:93"
                ],
                "architecture" : "x86_64"
              },
              "event" : {
                "agent_id_status" : "verified",
                "ingested" : "2022-04-25T21:51:53Z",
                "code" : "4624",
                "provider" : "Microsoft-Windows-Security-Auditing",
                "kind" : "event",
                "created" : "2022-04-25T21:51:15.561Z",
                "action" : "logged-in",
                "category" : [
                  "authentication"
                ],
                "type" : [
                  "start"
                ],
                "dataset" : "system.security",
                "outcome" : "success"
              },
              "user" : {
                "domain" : "THREEBEESCO.COM",
                "name" : "Administrator",
                "id" : "S-1-5-21-308926384-506822093-3341789130-500"
              }
            }
          },
          {
            "_index" : ".ds-logs-system.security-default-2022.04.12-000003",
            "_id" : "Xwy1YoABQhClK0XGpqaL",
            "_source" : {
              "agent" : {
                "name" : "02694w-win10",
                "id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
                "ephemeral_id" : "6c751494-97a3-46aa-bab2-5baf01d17d04",
                "type" : "filebeat",
                "version" : "8.0.0"
              },
              "winlog" : {
                "computer_name" : "02694w-win10.threebeesco.com",
                "process" : {
                  "pid" : 688,
                  "thread" : {
                    "id" : 5160
                  }
                },
                "keywords" : [
                  "Audit Success"
                ],
                "logon" : {
                  "id" : "0xefac5f"
                },
                "channel" : "Security",
                "event_data" : {
                  "ServiceAccount" : "LocalSystem",
                  "SubjectUserName" : "Administrator",
                  "ServiceStartType" : "3",
                  "ServiceName" : "KrbSCM",
                  "ServiceType" : "0x10",
                  "SubjectDomainName" : "3B",
                  "SubjectLogonId" : "0xefac5f",
                  "SubjectUserSid" : "S-1-5-21-308926384-506822093-3341789130-500",
                  "ServiceFileName" : "\"C:\\Users\\lgreen\\Downloads\\KrbRelayUp.exe\" system 1"
                },
                "opcode" : "Info",
                "record_id" : "59331",
                "task" : "Security System Extension",
                "event_id" : "4697",
                "provider_guid" : "{54849625-5478-4994-a5ba-3e3b0328c30d}",
                "activity_id" : "{e22af019-58dd-0002-43f0-2ae2dd58d801}",
                "api" : "wineventlog",
                "provider_name" : "Microsoft-Windows-Security-Auditing"
              },
              "log" : {
                "level" : "information"
              },
              "elastic_agent" : {
                "id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
                "version" : "8.0.0",
                "snapshot" : false
              },
              "message" : """A service was installed in the system.

Subject:
	Security ID:		S-1-5-21-308926384-506822093-3341789130-500
	Account Name:		Administrator
	Account Domain:		3B
	Logon ID:		0xEFAC5F

Service Information:
	Service Name: 		KrbSCM
	Service File Name:	"C:\Users\lgreen\Downloads\KrbRelayUp.exe" system 1

	Service Type: 		0x10
	Service Start Type:	3
	Service Account: 		LocalSystem""",
              "input" : {
                "type" : "winlog"
              },
              "@timestamp" : "2022-04-25T21:09:04.561Z",
              "ecs" : {
                "version" : "1.12.0"
              },
              "related" : {
                "user" : [
                  "Administrator"
                ]
              },
              "data_stream" : {
                "namespace" : "default",
                "type" : "logs",
                "dataset" : "system.security"
              },
              "service" : {
                "name" : "KrbSCM",
                "type" : "Win32 Own Process"
              },
              "host" : {
                "hostname" : "02694w-win10",
                "os" : {
                  "build" : "18363.815",
                  "kernel" : "10.0.18362.815 (WinBuild.160101.0800)",
                  "name" : "Windows 10 Enterprise",
                  "family" : "windows",
                  "type" : "windows",
                  "version" : "10.0",
                  "platform" : "windows"
                },
                "ip" : [
                  "fe80::7587:a5c1:5a7b:68f6",
                  "172.16.66.25"
                ],
                "name" : "02694w-win10.threebeesco.com",
                "id" : "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
                "mac" : [
                  "00:50:56:03:c6:93"
                ],
                "architecture" : "x86_64"
              },
              "event" : {
                "agent_id_status" : "verified",
                "ingested" : "2022-04-25T21:51:53Z",
                "code" : "4697",
                "provider" : "Microsoft-Windows-Security-Auditing",
                "created" : "2022-04-25T21:51:15.561Z",
                "kind" : "event",
                "action" : "service-installed",
                "category" : [
                  "iam",
                  "configuration"
                ],
                "type" : [
                  "admin",
                  "change"
                ],
                "dataset" : "system.security",
                "outcome" : "success"
              },
              "user" : {
                "domain" : "3B",
                "name" : "Administrator",
                "id" : "S-1-5-21-308926384-506822093-3341789130-500"
              }
            }
          }
        ]
````

* Update privilege_escalation_krbrelayup_service_creation.toml

* removed duplicate SubjectLogonId from non ecs fields list

(cherry picked from commit 3f047b987e)
2022-04-29 12:38:41 +00:00
Samirbous b025d3a764 [New Rule] Potential Privileged Escalation via KrbRelayUp (#1940)
* [New Rule] Potential Privileged Escalation via KrbRelayUp

Identifies a suspicious local successful logon event where the Logon Package is Kerberos, the remote address is set to localhost, and the target user SID is the built-in local Administrator account. This may indicate an attempt to leverage a Kerberos relay attack variant that can be used to elevate privilege locally from a filtered administrator token to a token with full System privileges.

https://github.com/Dec0ne/KrbRelayUp

DATA:

```
{
        "_index" : ".ds-logs-system.security-default-2022.04.12-000003",
        "_id" : "Cwy1YoABQhClK0XGfqEU",
        "_source" : {
          "agent" : {
            "name" : "02694w-win10",
            "id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
            "type" : "filebeat",
            "ephemeral_id" : "6c751494-97a3-46aa-bab2-5baf01d17d04",
            "version" : "8.0.0"
          },
          "process" : {
            "name" : "-",
            "pid" : 0,
            "executable" : "-"
          },
          "winlog" : {
            "computer_name" : "02694w-win10.corpcorp.com",
            "process" : {
              "pid" : 688,
              "thread" : {
                "id" : 9384
              }
            },
            "keywords" : [
              "Audit Success"
            ],
            "logon" : {
              "id" : "0x0",
              "type" : "Network"
            },
            "channel" : "Security",
            "event_data" : {
              "LogonGuid" : "{daac0d7c-3273-752c-bf5d-ea1c60851819}",
              "TargetOutboundDomainName" : "-",
              "VirtualAccount" : "%%1843",
              "LogonType" : "3",
              "TransmittedServices" : "-",
              "SubjectLogonId" : "0x0",
              "LmPackageName" : "-",
              "TargetOutboundUserName" : "-",
              "KeyLength" : "0",
              "RestrictedAdminMode" : "-",
              "TargetLogonId" : "0xebd3d4",
              "SubjectUserName" : "-",
              "TargetLinkedLogonId" : "0x0",
              "ElevatedToken" : "%%1842",
              "SubjectDomainName" : "-",
              "TargetUserName" : "Administrator",
              "ImpersonationLevel" : "%%1833",
              "LogonProcessName" : "Kerberos",
              "TargetDomainName" : "CORPCORP.COM",
              "SubjectUserSid" : "S-1-0-0",
              "AuthenticationPackageName" : "Kerberos",
              "TargetUserSid" : "S-1-5-21-308926384-506822093-3341789130-500"
            },
            "opcode" : "Info",
            "version" : 2,
            "record_id" : "59063",
            "task" : "Logon",
            "event_id" : "4624",
            "provider_guid" : "{54849625-5478-4994-a5ba-3e3b0328c30d}",
            "activity_id" : "{e22af019-58dd-0002-43f0-2ae2dd58d801}",
            "api" : "wineventlog",
            "provider_name" : "Microsoft-Windows-Security-Auditing"
          },
          "log" : {
            "level" : "information"
          },
          "elastic_agent" : {
            "id" : "77a829ec-a564-44d5-9bc4-61eeefbf783a",
            "version" : "8.0.0",
            "snapshot" : false
          },
          "source" : {
            "port" : 50480,
            "ip" : "127.0.0.1",
            "domain" : "-"
          },
          "message" : """An account was successfully logged on.

Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Logon Information:
	Logon Type:		3
	Restricted Admin Mode:	-
	Virtual Account:		No
	Elevated Token:		Yes

Impersonation Level:		Impersonation

New Logon:
	Security ID:		S-1-5-21-308926384-506822093-3341789130-500
	Account Name:		Administrator
	Account Domain:		CORPCORP.COM
	Logon ID:		0xEBD3D4
	Linked Logon ID:		0x0
	Network Account Name:	-
	Network Account Domain:	-
	Logon GUID:		{daac0d7c-3273-752c-bf5d-ea1c60851819}

Process Information:
	Process ID:		0x0
	Process Name:		-

Network Information:
	Workstation Name:	-
	Source Network Address:	127.0.0.1
	Source Port:		50480

Detailed Authentication Information:
	Logon Process:		Kerberos
	Authentication Package:	Kerberos
	Transited Services:	-
	Package Name (NTLM only):	-
	Key Length:		0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The impersonation level field indicates the extent to which a process in the logon session can impersonate.

The authentication information fields provide detailed information about this specific logon request.
	- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
	- Transited services indicate which intermediate services have participated in this logon request.
	- Package name indicates which sub-protocol was used among the NTLM protocols.
	- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.""",
          "input" : {
            "type" : "winlog"
          },
          "@timestamp" : "2022-04-25T21:07:15.306Z",
          "ecs" : {
            "version" : "1.12.0"
          },
          "related" : {
            "ip" : [
              "127.0.0.1"
            ],
            "user" : [
              "Administrator"
            ]
          },
          "data_stream" : {
            "namespace" : "default",
            "type" : "logs",
            "dataset" : "system.security"
          },
          "host" : {
            "hostname" : "02694w-win10",
            "os" : {
              "build" : "18363.815",
              "kernel" : "10.0.18362.815 (WinBuild.160101.0800)",
              "name" : "Windows 10 Enterprise",
              "family" : "windows",
              "type" : "windows",
              "version" : "10.0",
              "platform" : "windows"
            },
            "ip" : [
              "fe80::7587:a5c1:5a7b:68f6",
              "172.16.66.25"
            ],
            "name" : "02694w-win10.corpcorp.com",
            "id" : "6a3c3ef2-208f-4d6f-90ee-b34f4e3fd160",
            "mac" : [
              "00:50:56:03:c6:93"
            ],
            "architecture" : "x86_64"
          },
          "event" : {
            "agent_id_status" : "verified",
            "ingested" : "2022-04-25T21:51:43Z",
            "code" : "4624",
            "provider" : "Microsoft-Windows-Security-Auditing",
            "kind" : "event",
            "created" : "2022-04-25T21:51:08.433Z",
            "action" : "logged-in",
            "category" : [
              "authentication"
            ],
            "type" : [
              "start"
            ],
            "dataset" : "system.security",
            "outcome" : "success"
          },
          "user" : {
            "domain" : "CORPCORP.COM",
            "name" : "Administrator",
            "id" : "S-1-5-21-308926384-506822093-3341789130-500"
          }
        }
      }
```

* Update privilege_escalation_krbrelayup_suspicious_logon.toml

* Update privilege_escalation_krbrelayup_suspicious_logon.toml

* Update privilege_escalation_krbrelayup_suspicious_logon.toml

* Update privilege_escalation_krbrelayup_suspicious_logon.toml

* Update privilege_escalation_krbrelayup_suspicious_logon.toml

* Update rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update etc/non-ecs-schema.json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit a0672c7d2a)
2022-04-26 23:41:59 +00:00
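As an added example (not code from the detection-rules repository or from either commit above), the logon criteria the second commit message describes, applied in Python to a document shaped like the 4624 event in its DATA block, with the 4697 service-installation event from the first commit as the contrasting non-match. The sample documents, the helper names and the loopback/RID-500 checks are this example's own assumptions.

```python
"""Added example: evaluate the KrbRelayUp suspicious-logon criteria from the
commit message (successful local 4624, Kerberos package, loopback source,
target SID = built-in Administrator) against ECS-shaped winlog documents."""
import ipaddress

# Constructed sample carrying the fields the page's 4624 event shows.
SAMPLE_LOGON = {
    "event": {"code": "4624", "outcome": "success", "category": ["authentication"]},
    "source": {"ip": "127.0.0.1", "port": 50480},
    "winlog": {"event_data": {
        "LogonType": "3",
        "AuthenticationPackageName": "Kerberos",
        "LogonProcessName": "Kerberos",
        "TargetUserName": "Administrator",
        "TargetUserSid": "S-1-5-21-308926384-506822093-3341789130-500",
    }},
}

# Constructed sample shaped like the page's 4697 service-installation event:
# a different event code, so the logon rule below must not match it.
SAMPLE_SERVICE_INSTALL = {
    "event": {"code": "4697", "outcome": "success", "action": "service-installed"},
    "winlog": {"event_data": {"ServiceName": "KrbSCM"}},
}


def _get(doc, path, default=None):
    """Walk a dotted ECS-style path such as 'winlog.event_data.TargetUserSid'."""
    for key in path.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return default
        doc = doc[key]
    return doc


def is_loopback(ip):
    """'Remote address is localhost': accepts 127.0.0.0/8 and ::1."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def is_builtin_admin_sid(sid):
    """Built-in local Administrator: well-known RID 500 on a machine/domain SID."""
    return sid.startswith("S-1-5-21-") and sid.endswith("-500")


def is_krbrelayup_suspicious_logon(doc):
    """True only when every criterion from the commit message holds."""
    return (_get(doc, "event.code") == "4624"
            and _get(doc, "event.outcome") == "success"
            and _get(doc, "winlog.event_data.LogonType") == "3"
            and _get(doc, "winlog.event_data.AuthenticationPackageName") == "Kerberos"
            and is_loopback(_get(doc, "source.ip", ""))
            and is_builtin_admin_sid(_get(doc, "winlog.event_data.TargetUserSid", "")))
```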