b8bb2da932
[New Rule] Potential Privilege Escalation via OverlayFS ( #2974 )
...
* [New Rule] Privilege Escalation via OverlayFS
* Layout change
* Revert "[New Rule] Privilege Escalation via OverlayFS"
This reverts commit f3262d179bc5f54ae5380ffa50d67041fb141c26.
* Made rule broader
* Update privilege_escalation_overlayfs_local_privesc.toml
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml
* Update user.id to strings
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-07-31 19:15:11 +02:00
1e769c51b6
Tune Unusual File Activity ADS for Teams weblogs ( #2929 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-31 10:41:31 -03:00
9387a081bc
[Security Content] Add Investigation Guides to Threat Intel rules ( #2827 )
...
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules
* .
* Update threat_intel_indicator_match_hash.toml
* Update to include expiring rules, exclude expiring indexes
* .
* Apply suggestions from code review
* Push changes
* Update pyproject.toml
* Revert "Update pyproject.toml"
This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.
* Update pyproject.toml
* Update integration-schemas.json.gz
* Revert "Update integration-schemas.json.gz"
This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.
* Revert integrations-manifests to the one from main
* Fix maturity
* Update Name
* Update ignore_ids with the indicator rules guid
* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml
* Make changes to use labels
* Update non-ecs-schema.json
* Update rules/cross-platform/threat_intel_fleet_integrations.toml
* Apply suggestions from code review
* Backport to 8.5
* [Security Content] Add Investigation Guides to Threat Intel rules
* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators
* Update threat_intel_indicator_match_hash.toml
* Update threat_intel_indicator_match_url.toml
* Update threat_intel_indicator_match_url.toml
* Apply suggestions from review, adds Setup guide
* Apply suggestions from code review
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
2023-07-27 11:30:14 -03:00
bbb24704b6
[New Rule] PE through Writable Docker Socket ( #2958 )
...
* [New Rule] PE through Writable Docker Socket
* simplified query
* Update privilege_escalation_writable_docker_socket.toml
* Update privilege_escalation_writable_docker_socket.toml
* Update rules/linux/privilege_escalation_writable_docker_socket.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-27 10:01:29 +02:00
0666b594c6
[New Rule] Linux Local Account Brute Force ( #2965 )
2023-07-27 09:43:53 +02:00
0ff50acfd2
[Rule Tuning] Tune Threat Indicator Match Rules ( #2957 )
...
* [Rule Tuning] Tune Threat Indicator Match Rules
* Update threat_intel_indicator_match_url.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-26 15:12:28 -03:00
b330cf9438
[New Rule] Pspy Process Monitoring Detected ( #2945 )
...
* [New Rule] Pspy Process Monitoring Detected
* Update rules/linux/discovery_pspy_process_monitoring_detected.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/discovery_pspy_process_monitoring_detected.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/discovery_pspy_process_monitoring_detected.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-26 15:58:33 +02:00
6527eb0500
Rule Tuning File Permission Modification in Writable Directory ( #2961 )
2023-07-26 17:47:00 +05:30
d0d99829a2
Correct misspelling of AppDara to AppData ( #2952 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-26 08:10:03 -03:00
056db6003e
[Security Content] Added Compatibility note to all IGs ( #2943 )
...
* added investigation guide note
* added ig notes
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* implemented note feedback
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-26 12:54:50 +02:00
dbd7ed65a9
[Tuning] Reverse Shell Rules ( #2959 )
...
* [Rule Tuning] Reverse Shell Rule destination.ip tuning
* Updated updated_date
2023-07-25 14:55:56 +02:00
8de2684498
[Security Content] Add Investigation Guides to Linux DRs 8.9 ( #2868 )
...
* [Investigation Guide] 10 new Linux IG's 8.9
* Added 4 more IG tags
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_user_account_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_execution.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_execution.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Update rules/linux/persistence_message_of_the_day_execution.toml
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_init_d_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_linux_shell_activity_via_web_server.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_systemd_scheduled_timer_created.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* implemented feedback
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-19 17:13:24 +02:00
97d429e314
[New] Suspicious Microsoft 365 Mail Access by ClientAppId ( #2933 )
...
* [New] Suspicious Microsoft 365 Mail Access by ClientAppId
Using New Term rule type identifies when a Microsoft 365 Mailbox is accessed by a ClientAppId that was observed for the fist time during the last 10 days.
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a
https://www.elastic.co/guide/en/beats/filebeat/current/exported-fields-o365.html
* Update initial_access_microsoft_365_abnormal_clientappid.toml
* Update initial_access_microsoft_365_abnormal_clientappid.toml
2023-07-19 16:05:13 +01:00
5e714e01e6
[Security Content] Add Windows Investigation Guides ( #2825 )
...
* [Security Content] Add Windows Investigation Guides
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
* Add IG Tag
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Joe Peeples <joe.peeples@elastic.co >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-07-19 08:07:01 -03:00
d1491c3ce1
[Rule Tuning] Threat Intel URL Indicator Match ( #2902 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-07-18 20:21:15 -03:00
f1ba092864
[Deprecation] Threat Intel Indicator Match - General Rules ( #2901 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-18 20:12:53 -03:00
23a133121d
[Rule Tuning] Add HackTool Keywords to PowerShell Rules ( #2932 )
2023-07-18 08:55:59 -03:00
80e2b699b6
[New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container ( #2837 )
...
* [New Rule] Modification of Dynamic Linker Preload Shared Object Inside A Container
new rule
* removed priv_esc tag
removed priv_esc tag
* adjusted tags
adjusted tags
* updated tags
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-17 15:03:24 -04:00
db90345fd5
[Rule Tuning] Kubernetes Anonymous Request Authorized ( #2865 )
...
* rule tuning for exclusions
* optimized query
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-17 13:03:05 -04:00
0b64638bf7
[New Rule] AWS Credentials Searched For Inside a Container ( #2887 )
...
* new rule toml
* Updated query
updated query based on review and added additional search queries
* updated rule query based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-17 12:29:02 -04:00
0f5b5a3551
[Rule Tuning] Add Okta Investigation Guides Part 1 ( #2899 )
...
* adding investigation guides for Okta rules
* Update rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* added MFA to investigation guide for brute forcing
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-07-17 11:47:02 -04:00
fca8bcc071
[Rule Tuning] PowerShell Rule Tunings ( #2907 )
...
* [Rule Tuning] PowerShell Rule Tunings
* bump
2023-07-14 15:41:36 -03:00
3ed8c56942
DR Linux Rule Tuning 8.9 ( #2859 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-07-10 20:02:42 +05:30
1283a21fb7
[New Rules] Potential portscan detected ( #2817 )
...
* [New Rules] Potential portscan detected
* Updated descriptions
* Update rules/network/discovery_potential_syn_port_scan_detected.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/network/discovery_potential_network_sweep_detected.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/network/discovery_potential_port_scan_detected.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* updating integration manifests and schemas
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-07-09 09:49:32 +02:00
e5d6d6e4a7
[New Rule] sus cmds executed by unknown executable ( #2858 )
...
* [New Rule] sus cmds executed by unknown executable
* added an event.action filter
* Added endgame support, fixed stack version comment
* Update execution_suspicious_executable_running_system_commands.toml
* Update rules/linux/execution_suspicious_executable_running_system_commands.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update execution_suspicious_executable_running_system_commands.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-06 17:32:56 +02:00
4e0b7427b7
[New Rules] ftp/rdp bruteforce ( #2910 )
...
* [New Rules] ftp/rdp bruteforce
* Update credential_access_potential_successful_linux_ftp_bruteforce.toml
* Update credential_access_potential_successful_linux_rdp_bruteforce.toml
* Update non-ecs-schema.json
* Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-07-06 17:16:01 +02:00
d5dee5a6c8
[New Rules] sysctl and modprobe enumeration ( #2844 )
...
* [New Rules] sysctl and modprobe enumeration
* Update discovery_linux_modprobe_enumeration.toml
* Update discovery_linux_sysctl_enumeration.toml
* reverted manifest/schema update
* updated tags
* Update discovery_linux_modprobe_enumeration.toml
2023-07-06 16:46:54 +02:00
cd7a52f1b1
[Rule Tuning] Lock Rules with Different Required Fields Related to 8.9.1 Release ( #2895 )
...
* forking rules with version collisions
* Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml
* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
* Update rules/windows/credential_access_suspicious_lsass_access_generic.toml
* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml
* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
2023-07-06 10:39:20 -04:00
64b3fa8d1d
[New Rule] Kernel Load/Unload via Kexec Detected ( #2846 )
...
* [New Rule] Kernel Load/Unload via Kexec
* Added additional references
* changed rule name
* changed the query to be more precise
* Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* changed description based on feedback
* Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
* Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
2023-07-06 16:03:27 +02:00
646c316b66
[New Rules] Linux Reverse Shells ( #2905 )
...
* [New Rules] Linux Reverse Shells
* [New Rules] Linux Reverse Shells
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_java_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_java_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_java_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Delete UDP rule to add in separate PR
* Update rules/linux/execution_shell_via_lolbin_interpreter_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Deleted one rule and tuned the others
* Improved the rules' performance
* Added the reverse_tcp rule back after tuning
* Update execution_shell_via_lolbin_interpreter_linux.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-07-06 15:27:57 +02:00
78055bbeee
[New Rule] Suspicious Proc Enumeration ( #2845 )
...
* [New Rule] Suspicious Proc Enumeration
* Update rules/linux/discovery_suspicious_proc_enumeration.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/discovery_suspicious_proc_enumeration.toml
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
* fix tags
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com >
2023-07-04 11:34:56 +02:00
df0a1facd1
[WMI Incoming Lateral Movement] Modify Existing Query Exception ( #2843 )
...
* Tune WMI Incoming Lateral Movement
* Tune WMI Incoming Lateral Movement
* Bump updated_date
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-07-03 17:12:05 -04:00
f78de8c9d4
Add MS Office exceptions to query ( #2836 )
...
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-07-03 16:09:17 -04:00
7a1f376a34
[New Rules] Conversion of deprecated ERs over to DRs ( #2877 )
...
* [Conversion] Data Encrypted via OpenSSL
* [Conversion] sus funzip extraction/decompression
* [Conversion] LD_PRELOAD env var process injection
* fix unit testing failure
* suspecting endgame incompatibility
* fixed typo
* added LD_LIBRARY_PATH
* Update defense_evasion_ld_preload_env_variable_process_injection.toml
* Update defense_evasion_ld_preload_env_variable_process_injection.toml
* Added exclusions for FPs
* Update rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/linux/impact_data_encrypted_via_openssl.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-07-02 10:39:44 +02:00
35ea2727dc
[Suspicious Antimalware Scan Interface DLL] Additional Query Exception for Windows Upgrades ( #2850 )
2023-06-30 18:01:35 -04:00
7aa8a7b5fb
[Rules Tuning] diverse tuning ( #2506 )
...
* Update credential_access_saved_creds_vault_winlog.toml
* Update lateral_movement_powershell_remoting_target.toml
* Update credential_access_saved_creds_vault_winlog.toml
* Update lateral_movement_remote_services.toml
* Update lateral_movement_incoming_winrm_shell_execution.toml
* Update lateral_movement_rdp_enabled_registry.toml
* Update persistence_scheduled_task_updated.toml
* Update persistence_scheduled_task_updated.toml
* Update privilege_escalation_persistence_phantom_dll.toml
* Update privilege_escalation_persistence_phantom_dll.toml
* Update rules/windows/persistence_scheduled_task_updated.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-30 18:57:00 +01:00
d5dddae0ef
[Rule Tuning] Suspicious PowerShell Engine ImageLoad ( #2721 )
...
* [Rule Tuning] Suspicious PowerShell Engine ImageLoad
* Update rules/windows/execution_suspicious_powershell_imgload.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-06-30 10:56:13 -03:00
2a4749d3d0
[New Rule] New Term Rule for USB Devices ( #2644 )
...
* Create
* Update initial_access_first_time_seen_usb_name.toml
* Update rules/windows/initial_access_first_time_seen_usb_name.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/initial_access_first_time_seen_usb_name.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update initial_access_first_time_seen_usb_name.toml
* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-30 10:41:38 -03:00
9794f8f0af
[New Rule] Postgresql Code Execution ( #2863 )
...
* [New Rule] Postgresql Code Execution
* Update rules/linux/execution_remote_code_execution_via_postgresql.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update execution_remote_code_execution_via_postgresql.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-30 13:17:24 +02:00
a7e605a0e5
[Rule Tuning] [BUG] Revert PowerShell Query modifications from #2823 ( #2889 )
...
* Revert query mods done in https://github.com/elastic/detection-rules/pull/2823
* Add exception to unit test
* fixed linting
* proper linting fix
* updated to add to definitions.py
* fix linting
---------
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
2023-06-28 15:55:43 -03:00
8703c65f87
[Tuning] Azure Network Packet Capture Detected ( #2888 )
2023-06-28 16:32:56 +02:00
90c79a8283
[Proposal] Break Threat Intel Indicator Match rules into Indicator-type rules ( #2777 )
...
* [Proposal] [DRAFT] Break Threat Intel Indicator Match rules into Indicator-type rules
* .
* Update threat_intel_indicator_match_hash.toml
* Update to include expiring rules, exclude expiring indexes
* .
* Apply suggestions from code review
* Push changes
* Update pyproject.toml
* Revert "Update pyproject.toml"
This reverts commit 17cfafbd96f337df756d87909d2478545ac9efe7.
* Update pyproject.toml
* Update integration-schemas.json.gz
* Revert "Update integration-schemas.json.gz"
This reverts commit 7dc19b7ccbf41f34b94d02b0ed702bd83df82f9d.
* Revert integrations-manifests to the one from main
* Fix maturity
* Update Name
* Update ignore_ids with the indicator rules guid
* Update rules/cross-platform/threat_intel_indicator_match_registry_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_address_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_hash_expiring.toml
* Update rules/cross-platform/threat_intel_indicator_match_url_expiring.toml
* Make changes to use labels
* Update non-ecs-schema.json
* Update rules/cross-platform/threat_intel_fleet_integrations.toml
* Apply suggestions from code review
* Backport to 8.5
* Fix Rule threat filters, add tags, and compatibility with process and dll fields for hash indicators
* Update threat_intel_indicator_match_hash.toml
* Update threat_intel_indicator_match_url.toml
* Update threat_intel_indicator_match_url.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-28 10:22:24 -03:00
48cf95c8eb
[Rule Tuning] Change Network Rules to Use Network Packet Capture Integration ( #2665 )
...
* updated indexes and updated dates
* added network_traffic integration tag to rules
* reverting changes to resolve conflicts
* metadata changes; indexes changed; schemas and manifest updated
* updated default telnet port connection rule
* updating integration manifests
* adjusted rules; updated integrations; deduplicate packages
2023-06-26 17:35:49 -04:00
aaa4ce2ea0
[BUG] test_all_rule_queries_optimized does not run on rules ( #2823 )
...
* Fixed kql -> kuery in test_all_rule_queries_opt...
* all queries optimized
* manually reconciled all rules that failed due to toml escaped chars
* merge rules from main
* Rules needing optimization
* Fix optimized note
* fix another note
* another note fix
* fixing whitespace
* Updated for readability
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-23 10:58:31 -04:00
d829b145ef
[Bug] Fix Tag Navigator Generation ( #2875 )
...
* bug fix for tag navigator generation
* addressing flake errors
* added unit test to ensure prefix exists
* updated unit test case sensitivity
* moved expected tags to definitions.py
* removed expected prefixes
* revert downloadable updates JSON file
2023-06-23 10:44:55 -04:00
b4c84e8a40
[Security Content] Tags Reform ( #2725 )
...
* Update Tags
* Bump updated date separately to be easy to revert if needed
* Update resource_development_ml_linux_anomalous_compiler_activity.toml
* Apply changes from the discussion
* Update persistence_init_d_file_creation.toml
* Update defense_evasion_timestomp_sysmon.toml
* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml
* Update missing Tactic tags
* Update unit tests to match new tags
* Add missing IG tags
* Delete okta_threat_detected_by_okta_threatinsight.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update persistence_rc_script_creation.toml
* Mass bump
* Update persistence_shell_activity_by_web_server.toml
* .
---------
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-06-22 18:38:56 -03:00
7d758fdacd
[New Rule] Potential Malicious File Downloaded from Google Drive ( #2862 )
...
* new rule for malicious files downloaded from Google Drive
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
* removed unecessary tags
* removed extra space
* updated false positives
* fix unit testing failure
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* removed note field
* added cmd.exe
* updated updated_dated
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* removed LoLBins to capture unknown binaries involved
* removed code signature requirements
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/cross-platform/command_and_control_google_drive_malicious_file_download.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-06-22 14:10:14 -04:00
7c5f17e30c
[New Rules] User / Group Creation & Privileged Group Addition ( #2546 )
...
* [New Rules] user/group creation
* Update rules/linux/persistence_linux_group_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/persistence_linux_user_account_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added backdoor user account
* added host.os.type == linux for unit testing fix
* unit testing fixes
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Added OSQuery to Investigation Guides
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* removed investigation guides to add in future PR
* Fixed some issues with the rules
* fixed typo
* Update rules/linux/persistence_linux_backdoor_user_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_linux_user_account_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_linux_user_added_to_privileged_group.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/persistence_linux_group_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-22 15:15:48 +02:00
71186c8788
[Rule Tuning] Potential Persistence Through Run Control Detected ( #2857 )
...
* [Rule Tuning] changed rule type to new_terms
* Updated min stack comment
* Update persistence_rc_script_creation.toml
* Changed description, removed file.path from new_terms field because it is not necessary
* added host.id to new terms field and bumped up min stack
2023-06-22 13:39:36 +02:00
7d64dc2a87
[Rule tunings / New Rule] Kernel Unload and Enumeration ( #2838 )
...
* [Rule Tunings] Kernel Module Enumeration / Removal
* [Rule Tunings] Kernel Module Enumeration and Removal
* Deleted copy of wrong file
* EQL Conversion and made the rule more resilient
* Converted rules to EQL and made rules more resilient
* Removed unwanted rule from PR
* fixed unit tests
* fixed unit testing, removed endgame support
* Added a rule to detect kernel module enum via proc
* Did some additional tuning, 0 hits in RedSector now
2023-06-22 10:11:52 +02:00
Ruben Groenewoud