e9d7ddfa35
[Rule Tuning]: Fix threat_index and filters in Rapid7 CVE rule ( #3800 )
...
* Fix index and filters in Rapid7 CVE rule
* change updated date
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-06-20 15:17:06 -04:00
c20318d0d0
[New Rule] Potential Privilege Escalation via Service ImagePath Modification ( #3757 )
...
* [New Rule] Potential Privilege Escalation via Service ImagePath Modification
* Update privilege_escalation_reg_service_imagepath_mod.toml
* [New Rule] NTDS Dump via Wbadmin
* Revert "[New Rule] NTDS Dump via Wbadmin"
This reverts commit 09fd513b1e8b35e22c7d1a371b0aa5aa4837cdc5.
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update privilege_escalation_reg_service_imagepath_mod.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-20 10:41:53 -03:00
236444200b
[New Rule] NTDS Dump via Wbadmin ( #3758 )
...
* [New Rule] NTDS Dump via Wbadmin
* Update rules/windows/credential_access_wbadmin_ntds.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-20 09:55:07 -03:00
3fd9bae611
[New Rule] Potential WPAD Spoofing via DNS Record Creation ( #3748 )
2024-06-20 09:34:27 -03:00
6a0ac563a0
Create defense_evasion_reg_disable_enableglobalqueryblocklist.toml ( #3734 )
2024-06-20 09:23:06 -03:00
51b9717ac0
Adding setup templates to the ML rules ( #3798 )
...
* Added setup instructions for ml rules
2024-06-19 10:04:41 -04:00
c1dcd21531
Closes #2216 ( #2855 )
...
* Update privilege_escalation_sts_assumerole_usage.toml
* Update privilege_escalation_sts_assumerole_usage.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2024-06-13 16:52:54 -04:00
020ca4be24
[New Rule] Rapid7 Threat Command CVEs Correlation ( #3718 )
...
* new rule 'Rapid7 Threat Command CVEs Correlation'
* Update rules/threat_intel/threat_intel_rapid7_threat_command.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* updated threat index and tags
* changed 'indicator match' to 'threat match' for tags
* removed timeline
* updating integrations to match main
* re-adding rapid7 threat command integration manifest and schema
* reverting changes; removing timeline
* changed max signals to 10000
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2024-06-12 18:01:44 -04:00
4eff7c6c87
[New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll ( #3717 )
...
* [New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll
* Update privilege_escalation_dns_serverlevelplugindll.toml
* Update privilege_escalation_dns_serverlevelplugindll.toml
* Update rules/windows/privilege_escalation_dns_serverlevelplugindll.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-12 15:18:31 -03:00
89d89f15d2
Update FIM integration Setup sequence ( #3781 )
2024-06-12 16:40:45 +05:30
0a69c19c83
Update Minstack versions for SentinelOne rules ( #3777 )
2024-06-11 18:58:26 +05:30
8baf5dc2d8
Add exceptions to C2 Beaconing Activity ( #3771 )
2024-06-11 18:43:46 +05:30
ec223a4a05
[New Rule] Suspicious File Modification ( #3746 )
...
* [New Rule] Suspicious File Modification
* Update persistence_suspicious_file_modifications.toml
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_suspicious_file_modifications.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Updates
* Update rules/integrations/fim/persistence_suspicious_file_modifications.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2024-06-11 13:03:20 +02:00
c87c4c9f5d
[New Rules] PAM Module Creation & Unusual PAM Grantor ( #3743 )
...
* [New Rules] PAM Module Creation & Unusual PAM Grantor
* Update persistence_unusual_pam_grantor.toml
* Update persistence_pluggable_authentication_module_creation.toml
* Update rules/linux/persistence_pluggable_authentication_module_creation.toml
* Update persistence_pluggable_authentication_module_creation.toml
* Update persistence_unusual_pam_grantor.toml
* Update rules/linux/persistence_pluggable_authentication_module_creation.toml
2024-06-11 11:51:33 +02:00
4cf0c2b9af
[Rule Tuning] Systemd-udevd Rule File Creation ( #3738 )
...
* [Rule Tuning] Systemd-udevd Rule File Creation
* Incompatible endgame field
* Update rules/linux/persistence_udev_rule_creation.toml
* Update rules/linux/persistence_udev_rule_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_udev_rule_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update persistence_udev_rule_creation.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-11 11:40:54 +02:00
4003219aa1
[New Rule] APT Package Manager Configuration File Creation ( #3739 )
...
* [New Rule] APT Package Manager Configuration File Creation
* Update rules/linux/persistence_apt_package_manager_file_creation.toml
* Update persistence_apt_package_manager_file_creation.toml
2024-06-11 09:43:35 +02:00
62eea772d0
[New Rule] AWS S3 Bucket Ransom Note Uploaded ( #3604 )
...
* new rule 'AWS S3 Bucket Object Retrieval, Deletion, and Potential Ransom Note Replacement'
* fixed technique mapping
* added investigation guide; added more ransom note extensions
* adjusted lookback and maxspan
* added API call to second sequence
* updating date
* Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* changed rule to ESQL; updated investigation guide
* changed file name
* removed txt, ecc, and note
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-10 10:47:20 -04:00
74f049cc7c
[New Rule] Network Connection Initiated by SSH Parent Process ( #3759 )
...
* [New Rule] Network Connection Initiated by SSH Parent Process
* Update persistence_ssh_netcon.toml
* Update rules/linux/persistence_ssh_netcon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_ssh_netcon.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update persistence_ssh_netcon.toml
* Update persistence_ssh_netcon.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-10 10:30:45 +02:00
29bb52d2fb
[New Rule] Netcon through XDG Autostart Entry ( #3741 )
...
* [New Rule] Netcon through XDG Autostart Entry
* Update rules/linux/persistence_xdg_autostart_netcon.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update persistence_xdg_autostart_netcon.toml
* Update persistence_xdg_autostart_netcon.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-06-10 10:17:09 +02:00
70496f813f
[New Rule] Executable Bit Set for rc.local/rc.common ( #3736 )
...
* [New Rule] Executable Bit Set for rc.local/rc.common
* Endgame compatibility
* Update rules/linux/persistence_rc_local_common_executable_bit_set.toml
2024-06-10 09:57:14 +02:00
e1cbf9f684
[New rules] AWS IAM AdministratorAccess Policy Attached to : User, Group, Role(es|ql) ( #3735 )
...
* [New Rule] AWS IAM AdministratorAccess Policy Attached to User
issue...
* add source.address and source.geo.location
* fix threat tactic ids
* AdministratorAccess Policy Attached to Group
* AdminstratoAccess Policy Attached to Role
* reduce severity to medium
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-07 18:31:06 -04:00
087e8a6e85
[Rule Tuning] User Added to Privileged Group ( #3763 )
...
* [New Rule] User Added to Privileged Group
* add more groups
* Update rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update persistence_user_account_added_to_privileged_group_ad.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-06-07 13:43:30 -03:00
d3e2f70ce2
[New Rule] Process Capability Set via setcap Utility ( #3744 )
...
* [New Rule] Process Capability Set via setcap Utility
* ++
* Update rules/linux/persistence_process_capability_set_via_setcap.toml
2024-06-06 12:44:31 +02:00
8e6114f76c
[Rule Tuning] System Binary Moved or Copied ( #3742 )
...
* [Rule Tuning] System Binary Moved or Copied
* Added reference
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
2024-06-06 12:24:48 +02:00
61ab035f41
[Rule Tuning] Potential Sudo Hijacking ( #3745 )
...
* [Rule Tuning] Potential Sudo Hijacking
* Update rules/linux/privilege_escalation_sudo_hijacking.toml
* Update rules/linux/privilege_escalation_sudo_hijacking.toml
2024-06-06 11:59:26 +02:00
342fde097f
[New Rule] SSH Key Generated via ssh-keygen ( #3731 )
...
* [New Rule] SSH Key Generated via ssh-keygen
* ++
* Update rules/linux/persistence_ssh_key_generation.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-06-06 11:50:38 +02:00
9f67585332
[New Rule] AWS EC2 Instance Connect SSH Public Key Uploaded ( #3634 )
...
* new rule 'AWS EC2 Instance Connect SSH Public Key Uploaded'
* changed tactic to privilege escalation
* added additional reference
* added investigation guide
* updated summary
* changed risk score to medium; adjusted tags
* fixed mitre mapping
* Update rules/integrations/aws/privilege_escalation_ec2_instance_connect_ssh_public_key_uploaded.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-05 10:33:42 -04:00
05ac4e1bd3
[New Rule] AWS Systems Manager SecureString Parameter Request with Decryption Flag ( #3590 )
...
* new rule 'First Occurrence of Resource Accessing AWS Systems Manager SecureString Parameters with Decryption Flag'
* updated rule contents
* added investigation guide; changed new terms to uder.id
* adjusted time window
* adjusted rule name
* updated query, adjusted new terms value
2024-06-05 10:22:38 -04:00
c77eb1d915
[New Rule] AWS IAM Roles Anywhere Profile Creation and Trusted Anchor with External CA Created ( #3609 )
...
* new rule 'AWS IAM Roles Anywhere Role Creation'
* adjusted rule to focus on Roles Anywhere profile creation
* added rule for roles anywhere trusted anchor; updated rule file naming
* added investigation guide
* added investigation guide
* adjusted rule and file name
* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/integrations/aws/persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-05 10:10:53 -04:00
5f36f3a03e
[Rule Tuning] Shell Configuration Creation or Modification ( #3732 )
...
* [Rule Tuning] Shell Configuration Creation or Modification
* Incompatible endgame field
* Update rules/linux/persistence_shell_configuration_modification.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-05 10:28:13 +02:00
e41a57f2ad
[Rule Tuning] Message-of-the-Day (MOTD) ( #3730 )
...
* [Rule Tuning] Message-of-the-Day (MOTD)
* Update persistence_message_of_the_day_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-05 10:18:30 +02:00
bebf671881
[Rule Tuning] Systemd Service & Timer ( #3728 )
...
* [Rule Tuning] Systemd Service & Timer
* Update
* Update persistence_systemd_scheduled_timer_created.toml
* Update persistence_systemd_service_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_systemd_service_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-05 10:01:15 +02:00
81ee6380ec
[New Rule & Tuning] (Ana)Cron & At Job Creation ( #3726 )
...
* [New Rule & Tuning] (Ana)Cron & At Job Creation
* Update persistence_at_job_creation.toml
* Update persistence_cron_job_creation.toml
* ++
* Incompatible endgame field
* Update rules/linux/persistence_at_job_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/persistence_cron_job_creation.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-06-05 09:53:42 +02:00
e357a2c050
Refresh MITRE Attack v15.1.0 ( #3725 )
2024-06-04 20:14:58 +05:30
59b7e3bde4
[New Rule] Rapid Secret Retrieval Attempts from AWS SecretsManager ( #3589 )
...
* new rule 'Rapid Secret Retrieval Attempts from AWS SecretsManager'
* updated user identity arn to user.id for cross-service password retrieval
* added investigation guides; bumped dates; adjusted threshold value
* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/credential_access_new_terms_secretsmanager_getsecretvalue.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-04 09:20:04 -04:00
90bb8b53d8
[Rule Tuning] Agent Spoofing ( #3729 )
2024-06-03 19:28:24 +02:00
0885032b2c
[New Rule] AWS Lambda Function Policy Updated To Allow Public Invocation ( #3632 )
...
* new rule 'AWS Lambda Function Policy Updated To Allow Public Invocation'
* updated rule UUID
* added investigation guide
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/aws/persistence_lambda_backdoor_invoke_function_for_any_principal.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-06-03 11:42:38 -04:00
856c6c5a1f
[New Rule] AWS EC2 EBS Snapshot Shared with Another Account ( #3601 )
...
* new rule 'AWS EC2 EBS Snapshot Shared with Another Account'
* added investigation guide
* updated rule name
* converted to ES|QL
* reverting non-ecs update
2024-06-02 10:30:08 -04:00
70469b4cdb
[New Rule] AWS Lambda Layer Added to Existing Function ( #3631 )
...
* new rule 'AWS Lambda Layer Added to Existing Function'
* updated query logic; added investigation note
2024-06-02 08:41:04 -04:00
7c82e75cf4
[New Rule] AWS S3 Bucket Policy Added to Share with External Account ( #3603 )
...
* new rule 'AWS S3 Bucket Policy Added to Share with External Account'
* added investigation guide
* Update rules/integrations/aws/exfiltration_s3_bucket_policy_added_for_external_account_access.toml
2024-06-01 10:31:41 -04:00
23ce41d8af
[New Rule] AWS GetCallerIdentity API Called for the First Time ( #3711 )
...
* [New Rule] AWS GetCallerIdentity API Called for the First Time
issue
* Apply suggestions from code review
name change, false positive additions, remove Setup, change new_terms window from 15d to 10d
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/integrations/aws/discovery_new_terms_sts_getcalleridentity.toml
fixed missing closing quotes
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-05-31 17:55:06 -04:00
418a95205e
Remove unwanted backticks ( #3724 )
2024-05-31 21:46:24 +05:30
34294fbe6d
Add exceptions to brute force threshold rule. ( #3712 )
...
High volume, machine generated failures or MFA interruptions have been added to the rule.
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-05-30 10:12:36 +02:00
8b28a515c1
Update rule setup instructions for UEBA packages ( #3652 )
...
* update detection-rules instructions for UEBA packages
---------
Co-authored-by: Susan <23287722+susan-shu-c@users.noreply.github.com >
2024-05-28 14:21:46 -05:00
d5c57463e1
[New Rule] First Occurrence of AWS Resource Starting SSM Session to EC2 Instance ( #3598 )
...
* new rule 'First Occurrence of AWS Resource Starting SSM Session to EC2 Instance'
* added investigation guide
* changed file name to match tactic
* changed reference
* updated tags
* updated investigation notes
* changed new terms value; adjusted rule name
2024-05-28 11:23:17 -04:00
527f785a60
[New Rule] AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports ( #3599 )
...
* new rule 'AWS EC2 VPC Security Group Rule Added for Any Address or Remote Access Ports'
* updated rule name
* changed file name; added false-positive note
* changed rule UUID
* adjusted file name
* updated tags
* added investigation guide; updated query logic
* Update rules/integrations/aws/defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* updated query and name
* updated query optimization
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2024-05-28 10:49:20 -04:00
390629da4e
[New Rule & Tunings] Linux Springtail Backdoor ( #3692 )
...
* [New Rules and Tuning] Springtail backdoor
* consistency formatting
* update
* unit testing formatting change
* Update persistence_systemd_service_started.toml
* Update persistence_systemd_service_started.toml
* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
2024-05-24 10:10:11 +02:00
603f3c313a
Update impact_high_freq_file_renames_by_kernel.toml ( #3707 )
2024-05-23 17:59:58 +01:00
63e91c2f12
Back-porting Version Trimming ( #3704 )
2024-05-23 00:45:10 +05:30
2c3dbfc039
Revert "Back-porting Version Trimming ( #3681 )"
...
This reverts commit 71d2c59b5c
2024-05-22 13:51:46 -05:00
Krishna Chaitanya Reddy Burri