eafe54c2cc
[Rule Tuning] Potential LSASS Clone Creation via PssCaptureSnapShot ( #2691 )
2023-04-05 13:28:57 -03:00
5aaac84f3a
[Rule Tuning] Suspicious service was installed in the system ( #2693 )
...
* [Rule Tuning] Suspicious service was installed in the system
* Update persistence_service_windows_service_winlog.toml
2023-04-05 13:23:47 -03:00
0c8d0bfd3d
[New Rule] Suspicious Execution via Microsoft Office Add-Ins ( #2651 )
...
* Create
* Update initial_access_execution_via_office_addins.toml
* Update initial_access_execution_via_office_addins.toml
* Update initial_access_execution_via_office_addins.toml
* Update rules/windows/initial_access_execution_via_office_addins.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-04-05 17:02:04 +01:00
e878f4b820
adding fix for unit testing that broke in 8.3 ( #2683 )
2023-04-03 10:11:26 -04:00
71d12bdda4
[Bug] Unit Tests Passing for Rules with Integrations Not Reflected in Manifests ( #2682 )
...
* add promotion to rulemeta schema class and updated promotion rules
* add promotion to rulemeta schema class and updated promotion rules
* adjusted test_integration_tag and okta rule missing dataset
* fixed flake errors
* updated manifests and schemas to include cloud defend
2023-04-03 09:42:40 -04:00
51d50b7d8a
[New Rule] Lsass Process Access - Generic ( #2613 )
...
* Create credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* Update non-ecs-schema.json
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_lsass_openprocess_api.toml
* Update non-ecs-schema.json
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-04-03 14:34:30 +01:00
9713384888
Add Rule Id and Rule Name to the RTA Test List Function ( #2680 )
2023-03-31 16:08:42 -04:00
94621d7567
Update layer version to 4.4 ( #2676 )
2023-03-30 12:29:17 -04:00
892757f4a4
[New Rule] Potential Pass The Hash ( #2670 )
...
* Create lateral_movement_alternate_creds_pth.toml
* Update rules/windows/lateral_movement_alternate_creds_pth.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/lateral_movement_alternate_creds_pth.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/lateral_movement_alternate_creds_pth.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-29 19:37:27 +01:00
5ed2120e3f
[Rule Tuning] Potential Credential Access via Windows Utilities ( #2659 )
...
* [Rule Tuning] Potential Credential Access via Windows Utilities
* Update credential_access_cmdline_dump_tool.toml
2023-03-29 09:32:36 -03:00
411ec36ff0
Validate markdown plugin fields ( #2602 )
2023-03-28 09:17:50 -04:00
7e28b8fc50
[FR] Support Rule Alert Suppression in Rule Schema ( #2660 )
...
* adding initial solution for alert suppression support in rule schema
* reverting rule changes
* fixing flake errors
* reverting rule changes
* adding unit tests
* addressing flake errors
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/schemas/definitions.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* adjusting rule.py after commits
* adjusted test_group_field_in_schemas to check integrations
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update detection_rules/rule.py
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* nested AlertSuppressDuration class under mapping class
* adjusted dataclass naming
* added unit test to ensure rule is KQL
* fixing flake errors
* added docstrings
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-03-27 15:37:35 -04:00
192047f46d
[Rule Tuning] Potential Antimalware Scan Interface Bypass via PowerShell ( #2663 )
2023-03-27 11:50:53 -03:00
3bfe3060a2
[Rule Tuning] Uncommon Registry Persistence Change ( #2538 )
...
* [Rule Tuning] Uncommon Registry Persistence Change
* updated updated_date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-26 00:35:23 +01:00
11d79912f1
[FR] Add new macOS RTAs for Endpoint Rules - 2 ( #2661 )
2023-03-24 17:29:22 -04:00
62ec0ae086
[FR] Add new macOS RTAs for Endpoint Rules ( #2632 )
2023-03-24 16:53:37 -04:00
76500f0d46
[New Rule] Google Workspace Drive - Encryption Key(s) Accessed from Anonymous User ( #2654 )
...
* new rule 'Google Workspace Drive Encryption Key(s) Accessed from Anonymous User'
* updated MITRE ATT&CK mappings
2023-03-24 12:21:56 -04:00
fd0d7a1d00
[RTA] Adds RTAs to Windows Rules - 2 ( #2628 )
...
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-03-24 10:13:12 -03:00
95b8b1688b
[RTA] Add RTAs for Endpoint Rules - 2 ( #2633 )
...
* [RTA] Add RTAs for Endpoint Rules - 2
* Update exec_conhost_indirect.py
* Update msoffice_file_dll_sideload.py
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-03-24 09:55:32 -03:00
5c792b86d7
[RTA] Adds RTAs for endpoint rules ( #2621 )
...
* [RTA] Adds RTAs for endpoint rules
* Update exec_cscript_archive_args.py
* Review RTAs 1/2
* Update suspicious_msiexec_child.py
* Update rta/exec_cscript_archive_args.py
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-03-23 18:14:06 -03:00
32ca0001ff
[Rule Tuning] Untrusted Driver Loaded ( #2656 )
2023-03-23 08:26:52 -03:00
0d1fca454a
New Rule: Suspicious Mining Process Creation Event ( #2531 )
...
* New Rule: Suspicious Mining Process Creation Event
* added host.os.type==linux
* trying to fix unit testing
* Revert "trying to fix unit testing"
This reverts commit ab3f371300fa400baa287b54e5f38b4855fc6512.
* unit testing fix attempt
* Revert "unit testing fix attempt"
This reverts commit 8b59343a5923a004423cf665b167611ef0129a9d.
* added endgame support
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-03-21 16:35:25 +01:00
7be5788945
[New Rule] Google Workspace Resource Copied from External Drive ( #2627 )
...
* added new rule 'Google Workspace Resource Copied from External Drive'
* adjusted mitre att&ck subtechnique ID
2023-03-20 14:37:58 -04:00
2c5470349c
[New Rule] External User Added to Private Organization Group ( #2577 )
...
* new rule 'External User Added to Google Workspace Group'
* Update rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added Investigation Guide tag
---------
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-03-20 14:32:42 -04:00
f41c5288cc
[RTA] New RTAs for Windows Rules ( #2426 )
...
* Part 1
* Part 2
* Part3
* Part4
* Final Part
* Dedup RTA where Office app loads wmiutils
* Add techniques
* Remove helper
* Update exec_cmd_set_mppreference.py
2023-03-20 07:56:51 -03:00
eab30d7456
[Rule Tuning] Namespace Manipulation Using Unshare ( #2599 )
...
* [Rule Tuning] Namespace Manipulation Using Unshare
* reverted updated_date change
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-20 07:36:47 -03:00
f40ad93224
[Bug] Failed CI Unit Tests from Marshmallow Dataclass and Typing Updates ( #2645 )
2023-03-17 16:38:35 -04:00
672211500c
[Rule Fix] Privileged SSH Brute Force Detected ( #2595 )
2023-03-14 15:42:58 -04:00
f52a744259
[New Rule] RC Script Creation ( #2607 )
...
* [New Rule] RC Script Creation
* fixed unit testing error
* Update rules/linux/persistence_rc_script_creation.toml
* Update rules/linux/persistence_rc_script_creation.toml
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* added host.os.type==linux
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-03-14 15:03:41 -04:00
295fc323a1
[Rule Tunings] System Time & Service Discovery ( #2589 )
...
* [Rule Tuning] System Time Discovery
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-14 14:43:21 -04:00
1a5bc7e924
[Rule Tuning] Abnormal PID or Lock File Created ( #2600 )
2023-03-14 14:37:00 -04:00
87c66f923e
Update commit-and-push.sh ( #2640 )
2023-03-09 17:31:19 -05:00
40eff15fbe
Update manual-backport.yml ( #2639 )
2023-03-09 14:42:09 -07:00
0a637a3d86
Update manual-backport.yml ( #2638 )
2023-03-09 14:09:59 -07:00
2b7d249125
Update manual-backport.yml ( #2637 )
2023-03-09 15:31:44 -05:00
73555c737d
Update manual-backport.yml ( #2636 )
2023-03-09 15:11:07 -05:00
41ca459532
Update manual-backport.yml ( #2635 )
2023-03-09 14:15:12 -05:00
9cb7123a72
[FR] Add enhancements to release-fleet workflow ( #2612 )
...
* added commit hash option
* adjusted commit hash if expression
* add step to retrieve latest locked versions commit; set default
* added change directory to lock versions retrieval
* added echo output
* removed attempt to dynamically pull commit
* added create release tag
* added capability to dynamically create release tag
* adjusted version parsing and reference
* fixed misspelling for packages.yml file
* adjusted the regex pattern for release tag
* added another job to check commit hash
* removed set env variable in check-commit job
* adjusted check commit hash steps
* fixed job references
* adjusted job references for fleet-pr
* checking inverse if statement for second job
* changed how check message is stored
* reverting change for job check
* adjusted check commit step
* adjusted if statement in check_commit step
* added default value for check_commit variable
* removed unecessary step in check-commit job
* added else statement to github actions
* changed output name
* set default output
* testing without if statement
* testing without grep statement
* added environment variable
* testing commit message variable
* changing condition statement
* trying to call environment variable differently
* added more steps to abstract functionality
* reverted changes
* removed bug
2023-03-08 17:34:31 -05:00
00102812b4
[Tweak] Use global constants to speed up tests ( #2629 )
...
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2023-03-07 19:19:59 -09:00
181b56c636
[Rule Tuning] Process Created with an Elevated Token (TiWorker.exe) ( #2622 )
2023-03-07 19:57:34 -05:00
cd6a5983c6
Speed up unit tests ( #2626 )
...
* cache rule loader; skip rule tests on RL failure
-------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2023-03-07 16:40:41 -07:00
38b8311482
[Security Content] Expand Abbreviated Tags ( #2414 )
...
* [Security Content] Expand Abbreviated Tags
* .
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Revert changes to deprecated rules
* Bump updated_date
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-03-06 17:37:52 -03:00
0273d118a6
[Rule Tuning] Add endgame support for Windows Rules ( #2428 )
...
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* 1/2
* bump updated_date
* 2/3
* Finale
* Update persistence_evasion_registry_ifeo_injection.toml
* .
* Multiple fixes
* Missing index
* Missing AND
2023-03-06 12:47:11 -03:00
114d6e600d
[Test] Restrict host.os.type unit test to 8.3+ ( #2615 )
...
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2023-03-05 12:01:43 -07:00
59da2da474
[Rule Tuning] Ensure host information is in endpoint rule queries ( #2593 )
...
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-05 11:41:19 -07:00
a71620a99b
[Rule Tuning] Potential Antimalware Scan Interface Bypass via PowerShell ( #2614 )
2023-03-05 14:59:17 -03:00
bb4f7acf27
deprecate 'Google Workspace User Group Access Modified to Allow External Access' ( #2576 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-03-02 11:29:14 -05:00
46b18b5a07
[New Rule] Google Workspace - Suspended User Account Renewed ( #2592 )
...
* new rule for suspended user account renewal in Google Workspace
* fixed risk score; toml linted
* Update rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-03-02 11:23:49 -05:00
2605a341a9
Include base rule fields in enriched indexes ( #2547 )
2023-03-02 08:30:55 -07:00
1a4510c9d4
[Security Content] Add Investigation Guides to Windows Rules - 2 ( #2534 )
...
* [Security Content] Add Investigation Guides to Windows Rules - 2
* tags
* Adjust some phrasing based on the review
* Update credential_access_bruteforce_admin_account.toml
* Missing Osquery Note
* Missing note
2023-03-01 21:23:09 -03:00
Jonhnathan