sigma-rules

Author	SHA1	Message	Date
eric-forte-elastic	ea26ea77d7	[FR] Update build-release to support bbr release (#2987 ) * Fixes bug in unit tests * fix rule paths * removed unused import	2023-07-31 15:20:18 -04:00
Ruben Groenewoud	b8bb2da932	[New Rule] Potential Privilege Escalation via OverlayFS (#2974 ) * [New Rule] Privilege Escalation via OverlayFS * Layout change * Revert "[New Rule] Privilege Escalation via OverlayFS" This reverts commit f3262d179bc5f54ae5380ffa50d67041fb141c26. * Made rule broader * Update privilege_escalation_overlayfs_local_privesc.toml * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml * Update user.id to strings --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-07-31 19:15:11 +02:00
Jonhnathan	d1db3a0048	[New Rule] Building Block Rules - Part 4 (#2926 ) * [New Rule] Building Block Rules - Part 4 * Update discovery_win_network_connections.toml * Update privilege_escalation_unquoted_service_path.toml * Update rules_building_block/discovery_win_network_connections.toml * Update rules_building_block/privilege_escalation_unquoted_service_path.toml * Rename lateral_movement_net_share_discovery_winlog.toml to discovery_net_share_discovery_winlog.toml * Update discovery_net_share_discovery_winlog.toml	2023-07-31 11:03:57 -03:00
Eric	1e769c51b6	Tune Unusual File Activity ADS for Teams weblogs (#2929 ) Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-31 10:41:31 -03:00
Jonhnathan	6966a6df09	[New Rule] Building Block Rules - Part 3 (#2924 ) * [New Rule] Building Block Rules - Part 3 * Update defense_evasion_generic_deletion.toml * Update defense_evasion_generic_deletion.toml * Update defense_evasion_generic_deletion.toml * Apply suggestions from code review * Update rules_building_block/discovery_generic_account_groups.toml * Apply suggestions from code review --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-07-31 10:28:25 -03:00
Mika Ayenson	3813a08f59	[FR] Add support for BBR rules to the rule loader (#2968 ) --------- Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>	2023-07-27 11:27:04 -05:00
Mika Ayenson	77b43d16e8	[FR] Generate Prebuilt Rules Reference Page (#2964 )	2023-07-27 11:05:31 -05:00
Jonhnathan	9387a081bc	[Security Content] Add Investigation Guides to Threat Intel rules (#2827 ) * [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules * . * Update threat_intel_indicator_match_hash.toml * Update to include expiring rules, exclude expiring indexes * . * Apply suggestions from code review * Push changes * Update pyproject.toml * Revert "Update pyproject.toml" This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7. * Update pyproject.toml * Update integration-schemas.json.gz * Revert "Update integration-schemas.json.gz" This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d. * Revert integrations-manifests to the one from main * Fix maturity * Update Name * Update ignore_ids with the indicator rules guid * Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml * Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml * Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml * Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml * Make changes to use labels * Update non-ecs-schema.json * Update rules/cross-platform/threat_intel_fleet_integrations.toml * Apply suggestions from code review * Backport to 8.5 * [Security Content] Add Investigation Guides to Threat Intel rules * Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators * Update threat_intel_indicator_match_hash.toml * Update threat_intel_indicator_match_url.toml * Update threat_intel_indicator_match_url.toml * Apply suggestions from review, adds Setup guide * Apply suggestions from code review Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>	2023-07-27 11:30:14 -03:00
Ruben Groenewoud	bbb24704b6	[New Rule] PE through Writable Docker Socket (#2958 ) * [New Rule] PE through Writable Docker Socket * simplified query * Update privilege_escalation_writable_docker_socket.toml * Update privilege_escalation_writable_docker_socket.toml * Update rules/linux/privilege_escalation_writable_docker_socket.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-27 10:01:29 +02:00
Ruben Groenewoud	0666b594c6	[New Rule] Linux Local Account Brute Force (#2965 )	2023-07-27 09:43:53 +02:00
Jonhnathan	0ff50acfd2	[Rule Tuning] Tune Threat Indicator Match Rules (#2957 ) * [Rule Tuning] Tune Threat Indicator Match Rules * Update threat_intel_indicator_match_url.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-07-26 15:12:28 -03:00
Ruben Groenewoud	b330cf9438	[New Rule] Pspy Process Monitoring Detected (#2945 ) * [New Rule] Pspy Process Monitoring Detected * Update rules/linux/discovery_pspy_process_monitoring_detected.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/discovery_pspy_process_monitoring_detected.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/discovery_pspy_process_monitoring_detected.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-26 15:58:33 +02:00
Ruben Groenewoud	9cc4b0e348	[New BBR] Potential Suspicious File Edit (#2960 ) * [New BBR] Potential Suspicious File Edit * Added a few more interesting files --------- Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>	2023-07-26 15:22:56 +02:00
shashank-elastic	6527eb0500	Rule Tuning File Permission Modification in Writable Directory (#2961 )	2023-07-26 17:47:00 +05:30
Eric	d0d99829a2	Correct misspelling of AppDara to AppData (#2952 ) Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-26 08:10:03 -03:00
Ruben Groenewoud	056db6003e	[Security Content] Added Compatibility note to all IGs (#2943 ) * added investigation guide note * added ig notes * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> * implemented note feedback * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-26 12:54:50 +02:00
Ruben Groenewoud	dbd7ed65a9	[Tuning] Reverse Shell Rules (#2959 ) * [Rule Tuning] Reverse Shell Rule destination.ip tuning * Updated updated_date	2023-07-25 14:55:56 +02:00
shashank-elastic	93845626b7	Potential Cross Site Scripting ( XSS ) (#2922 )	2023-07-20 19:12:00 +05:30
shashank-elastic	8b808b9b83	New Cross Platform BBR Rules (#2920 )	2023-07-19 21:27:23 +05:30
Ruben Groenewoud	8de2684498	[Security Content] Add Investigation Guides to Linux DRs 8.9 (#2868 ) * [Investigation Guide] 10 new Linux IG's 8.9 * Added 4 more IG tags * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_user_account_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_user_added_to_privileged_group.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_execution.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_execution.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_execution.toml * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * implemented feedback --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-19 17:13:24 +02:00
Samirbous	97d429e314	[New] Suspicious Microsoft 365 Mail Access by ClientAppId (#2933 ) * [New] Suspicious Microsoft 365 Mail Access by ClientAppId Using New Term rule type identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-o365.html * Update initial_access_microsoft_365_abnormal_clientappid.toml * Update initial_access_microsoft_365_abnormal_clientappid.toml	2023-07-19 16:05:13 +01:00
shashank-elastic	f920bc6151	New Linux BBR Rules (#2917 )	2023-07-19 20:12:59 +05:30
Jonhnathan	5e714e01e6	[Security Content] Add Windows Investigation Guides (#2825 ) * [Security Content] Add Windows Investigation Guides * Apply suggestions from code review Co-authored-by: Joe Peeples <joe.peeples@elastic.co> * Add IG Tag * Apply suggestions from code review Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --------- Co-authored-by: Joe Peeples <joe.peeples@elastic.co> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>	2023-07-19 08:07:01 -03:00
Jonhnathan	d1491c3ce1	[Rule Tuning] Threat Intel URL Indicator Match (#2902 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2023-07-18 20:21:15 -03:00
Jonhnathan	f1ba092864	[Deprecation] Threat Intel Indicator Match - General Rules (#2901 ) Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-07-18 20:12:53 -03:00
Jonhnathan	7949b8a03e	[New Rule] Building Block Rules - Part 1 (#2912 ) * [New Rule] Building Block Rules - Part 1 * Update defense_evasion_powershell_clear_logs_script.toml * Update discovery_posh_generic.toml * . * Apply suggestions from code review Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>	2023-07-18 20:01:43 -03:00
Jonhnathan	23a133121d	[Rule Tuning] Add HackTool Keywords to PowerShell Rules (#2932 )	2023-07-18 08:55:59 -03:00
Isai	80e2b699b6	[New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container (#2837 ) * [New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container new rule * removed priv_esc tag removed priv_esc tag * adjusted tags adjusted tags * updated tags --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-07-17 15:03:24 -04:00
Isai	db90345fd5	[Rule Tuning] Kubernetes Anonymous Request Authorized (#2865 ) * rule tuning for exclusions * optimized query --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-07-17 13:03:05 -04:00
Isai	0b64638bf7	[New Rule] AWS Credentials Searched For Inside a Container (#2887 ) * new rule toml * Updated query updated query based on review and added additional search queries * updated rule query based on review Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-07-17 12:29:02 -04:00
Terrance DeJesus	0f5b5a3551	[Rule Tuning] Add Okta Investigation Guides Part 1 (#2899 ) * adding investigation guides for Okta rules * Update rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * added MFA to investigation guide for brute forcing --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-07-17 11:47:02 -04:00
Jonhnathan	fca8bcc071	[Rule Tuning] PowerShell Rule Tunings (#2907 ) * [Rule Tuning] PowerShell Rule Tunings * bump	2023-07-14 15:41:36 -03:00
Terrance DeJesus	9f29129585	[FR] Add EQL Rule Type Configuration Fields (#2918 ) * adding initial EQL fields to EQLRuleData * added validation * adjusted validation * fixed flake errors * adjusted type linting; variable names * added a min_compat to EQL Rule fields * Update detection_rules/rule_validators.py * Update detection_rules/rule_validators.py Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-07-13 11:20:14 -04:00
github-actions[bot]	9414095d96	Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 (#2921 ) * Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9 * adding newline to start CI * removing newline --------- Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com> Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>	2023-07-11 19:57:02 -04:00
shashank-elastic	3ed8c56942	DR Linux Rule Tuning 8.9 (#2859 ) Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2023-07-10 20:02:42 +05:30
Remco Sprooten	1283a21fb7	[New Rules] Potential portscan detected (#2817 ) * [New Rules] Potential portscan detected * Updated descriptions * Update rules/network/discovery_potential_syn_port_scan_detected.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/network/discovery_potential_network_sweep_detected.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/network/discovery_potential_port_scan_detected.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * updating integration manifests and schemas --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>	2023-07-09 09:49:32 +02:00
Mika Ayenson	90bc760c56	Update README.md to fix etc path (#2913 )	2023-07-06 15:00:45 -04:00
Ruben Groenewoud	e5d6d6e4a7	[New Rule] sus cmds executed by unknown executable (#2858 ) * [New Rule] sus cmds executed by unknown executable * added an event.action filter * Added endgame support, fixed stack version comment * Update execution_suspicious_executable_running_system_commands.toml * Update rules/linux/execution_suspicious_executable_running_system_commands.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update execution_suspicious_executable_running_system_commands.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-06 17:32:56 +02:00
Ruben Groenewoud	4e0b7427b7	[New Rules] ftp/rdp bruteforce (#2910 ) * [New Rules] ftp/rdp bruteforce * Update credential_access_potential_successful_linux_ftp_bruteforce.toml * Update credential_access_potential_successful_linux_rdp_bruteforce.toml * Update non-ecs-schema.json * Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-06 17:16:01 +02:00
Ruben Groenewoud	d5dee5a6c8	[New Rules] sysctl and modprobe enumeration (#2844 ) * [New Rules] sysctl and modprobe enumeration * Update discovery_linux_modprobe_enumeration.toml * Update discovery_linux_sysctl_enumeration.toml * reverted manifest/schema update * updated tags * Update discovery_linux_modprobe_enumeration.toml	2023-07-06 16:46:54 +02:00
Terrance DeJesus	cd7a52f1b1	[Rule Tuning] Lock Rules with Different Required Fields Related to 8.9.1 Release (#2895 ) * forking rules with version collisions * Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml * Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml * Update rules/windows/credential_access_suspicious_lsass_access_generic.toml * Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml * Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml * Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml * Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml	2023-07-06 10:39:20 -04:00
Ruben Groenewoud	64b3fa8d1d	[New Rule] Kernel Load/Unload via Kexec Detected (#2846 ) * [New Rule] Kernel Load/Unload via Kexec * Added additional references * changed rule name * changed the query to be more precise * Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * changed description based on feedback * Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com> * Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>	2023-07-06 16:03:27 +02:00
Ruben Groenewoud	646c316b66	[New Rules] Linux Reverse Shells (#2905 ) * [New Rules] Linux Reverse Shells * [New Rules] Linux Reverse Shells * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Delete UDP rule to add in separate PR * Update rules/linux/execution_shell_via_lolbin_interpreter_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Deleted one rule and tuned the others * Improved the rules' performance * Added the reverse_tcp rule back after tuning * Update execution_shell_via_lolbin_interpreter_linux.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-07-06 15:27:57 +02:00
eric-forte-elastic	9e5f69dc5b	[FR] Add additional verification to BBR unit tests (#2909 ) * Fixes bug in unit tests * fix linting	2023-07-06 09:06:36 -04:00
shashank-elastic	d8969f8df1	RTA For Linux DR and ER Rules (#2904 )	2023-07-04 18:46:28 +05:30
Ruben Groenewoud	78055bbeee	[New Rule] Suspicious Proc Enumeration (#2845 ) * [New Rule] Suspicious Proc Enumeration * Update rules/linux/discovery_suspicious_proc_enumeration.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/linux/discovery_suspicious_proc_enumeration.toml Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com> * fix tags --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>	2023-07-04 11:34:56 +02:00
Eric	df0a1facd1	[WMI Incoming Lateral Movement] Modify Existing Query Exception (#2843 ) * Tune WMI Incoming Lateral Movement * Tune WMI Incoming Lateral Movement * Bump updated_date --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>	2023-07-03 17:12:05 -04:00
Eric	f78de8c9d4	Add MS Office exceptions to query (#2836 ) Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>	2023-07-03 16:09:17 -04:00
Ruben Groenewoud	7a1f376a34	[New Rules] Conversion of deprecated ERs over to DRs (#2877 ) * [Conversion] Data Encrypted via OpenSSL * [Conversion] sus funzip extraction/decompression * [Conversion] LD_PRELOAD env var process injection * fix unit testing failure * suspecting endgame incompatibility * fixed typo * added LD_LIBRARY_PATH * Update defense_evasion_ld_preload_env_variable_process_injection.toml * Update defense_evasion_ld_preload_env_variable_process_injection.toml * Added exclusions for FPs * Update rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/impact_data_encrypted_via_openssl.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-07-02 10:39:44 +02:00
Eric	35ea2727dc	[Suspicious Antimalware Scan Interface DLL] Additional Query Exception for Windows Upgrades (#2850 )	2023-06-30 18:01:35 -04:00

1 2 3 4 5 ...

1586 Commits