56e61a6321
[New Rule] Potential Hex Payload Execution ( #4241 )
...
* [New Rule] Potential Hex Payload Execution
* Update rules/linux/defense_evasion_hex_payload_execution.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 19:15:17 +01:00
54bb319f7b
[New Rule] Memory Swap Modification ( #4239 )
...
* [New Rule] Memory Swap Modification
* Update rules/linux/impact_memory_swap_modification.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 19:06:55 +01:00
3207ca37e4
[New Rule] Unusual Interactive Shell Launched from System User ( #4238 )
...
* [New Rule] Unusual Interactive Shell Launched from System User
* Update defense_evasion_interactive_shell_from_system_user.toml
* Update defense_evasion_interactive_shell_from_system_user.toml
* Update rules/linux/defense_evasion_interactive_shell_from_system_user.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 18:24:30 +01:00
267a6b6fa6
[New Rule] Web Server Spawned via Python ( #4236 )
...
* [New Rule] Web Server Spawned via Python
* Update execution_python_webserver_spawned.toml
* Update rules/linux/execution_python_webserver_spawned.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* Update execution_python_webserver_spawned.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 18:16:19 +01:00
83f31e1640
[New Rule] Directory Creation in /bin directory ( #4227 )
...
* [New Rule] Directory Creation in /bin directory
* Description fix
* Update rules/linux/defense_evasion_directory_creation_in_bin.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 18:07:06 +01:00
6040b6aee4
[New Rule] Hidden Directory Creation via Unusual Parent ( #4226 )
...
* [New Rule] Hidden Directory Creation via Unusual Parent
* Update rules/linux/defense_evasion_hidden_directory_creation.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 17:58:13 +01:00
43148a72f4
[New Rule] Security File Access via Common Utilities ( #4243 )
...
* [New Rule] Security File Access via Common Utilities
* [New Rule] Security File Access via Common Utilities
* Update discovery_security_file_access_via_common_utility.toml
2024-11-08 17:41:33 +01:00
f89e245e29
[New Rule] Potential Data Splitting Detected ( #4235 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 17:32:59 +01:00
3e268282d1
[New Rule] Private Key Searching Activity ( #4242 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 17:13:55 +01:00
40118186fb
[New Rule] IPv4/IPv6 Forwarding Activity ( #4240 )
...
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 17:06:07 +01:00
993c60decb
[New Rule] Curl SOCKS Proxy Activity from Unusual Parent ( #4237 )
...
* [New Rule] Curl SOCKS Proxy Activity from Unusual Parent
* OS Type update
* Update rules/linux/command_and_control_curl_socks_proxy_detected.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-11-08 16:51:18 +01:00
d2502c7394
Prep for Release 8.17 ( #4256 )
2024-11-07 23:53:04 +05:30
9e4fce6586
[Rule Tuning] Potential Linux Hack Tool Launched ( #4191 )
2024-10-25 17:23:48 +02:00
b0bba39007
[Rule Tuning] Linux User Added to Privileged Group ( #4206 )
2024-10-25 14:21:20 +02:00
d0225c37df
[Rule Tuning] Tuning 'Unusual Instance Metadata Service (IMDS) API Request' ( #4169 )
...
* tuning 'Unusual Instance Metadata Service (IMDS) API Request'
* added missing bracket
* linted
* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
* removed intelephense whitelisting
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-10-18 11:50:57 -04:00
42f6c8f9a5
[Rule Tuning] Q2 Linux DR Tuning - Part 4 ( #4165 )
2024-10-18 17:13:44 +02:00
b309bcb7ae
[Rule Tuning] Q2 Linux DR Tuning - Part 5 ( #4166 )
...
* [Rule Tuning] Q2 Linux DR Tuning - Part 5
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_rpm_package_installation_from_unusual_parent.toml
2024-10-18 17:02:26 +02:00
601254488b
[BBR Promotion] Q2 Linux BBR Promotion ( #4172 )
...
* [BBR Promotion] Q2 Linux BBR Promotion
* Update collection_linux_clipboard_activity.toml
* Update defense_evasion_creation_of_hidden_files_directories.toml
2024-10-18 16:55:09 +02:00
ac6a49eeea
[Rule Tuning] Q2 Linux DR Tuning - Part 6 ( #4167 )
2024-10-18 16:25:54 +02:00
39fc23cb3d
[Rule Tuning] Q2 Linux DR Tuning - Part 3 ( #4164 )
...
* [Rule Tuning] Q2 Linux DR Tuning - Part 3
* Update execution_suspicious_executable_running_system_commands.toml
2024-10-18 16:18:14 +02:00
3982228132
[Rule Tuning] Q2 Linux DR Tuning - Part 2 ( #4163 )
2024-10-18 16:07:09 +02:00
af9f9e2456
[Rule Tuning] Q2 Linux DR Tuning - Part 1 ( #4162 )
...
* [Rule Tuning] Q2 Linux DR Tuning - Part 1
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
2024-10-18 15:59:51 +02:00
5b41bbd5e9
[Tuning] Updated references ( #4114 )
2024-10-01 08:43:14 -03:00
a3e89a7fab
[New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE) ( #4106 )
...
* [New Rules] CVE-2024-x.x.x.x.x (CUPS/Foomatic-RIP RCE)
* Description update
* Investigation Guide Update
2024-09-27 14:48:03 +02:00
b80d8342d6
[Docs | Rule Tuning] Add blog references to rules ( #4097 )
...
* [Docs | Rule Tuning] Add blog references to rules
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestions from code review
* Update google_workspace blog references
* add okta blog references
* Update dates
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-09-25 15:19:20 -05:00
e30dc312e4
[Tuning] Potential Execution via XZBackdoor ( #4053 )
...
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
* Update persistence_suspicious_ssh_execution_xzbackdoor.toml
2024-09-05 20:13:32 +01:00
be611be8b3
[New Rule] Instance Metadata Service (IMDS) API Requests - Linux ( #4005 )
...
* new rule metadata API requests
* updated description and name
* added Ipv6
* adjusted query
* rule name fix
* changed to EQL; added discovery tactic
* removed timestamp override
* adding host.os.type
* adjusted description
* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/linux/credential_access_unusual_instance_metadata_service_api_request.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* adjusted query
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-09-05 10:08:32 -04:00
9f964b68a4
[New Rule] Root Certificate Installation ( #4025 )
...
* [New Rule] Root Certificate Installation
* Update defense_evasion_root_certificate_installation.toml
* Update rules/linux/defense_evasion_root_certificate_installation.toml
2024-09-03 17:40:17 +02:00
b3a75899d5
[New Rule] SELinux Configuration Creation or Modification ( #4024 )
...
* [New Rule] SELinux Configuration Creation or Modification
* Update rules/linux/defense_evasion_selinux_configuration_creation_modification.toml
* Rename defense_evasion_selinux_configuration_creation_modification.toml to defense_evasion_selinux_configuration_creation_or_renaming.toml
* Update rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml
* Update rules/linux/defense_evasion_selinux_configuration_creation_or_renaming.toml
2024-09-01 10:14:59 +02:00
fb07033159
[New Rule] Attempt to Disable Auditd Service ( #4028 )
...
* [New Rule] Attempt to Disable Auditd Service
* Update defense_evasion_attempt_to_disable_auditd_service.toml
* Update rules/linux/defense_evasion_attempt_to_disable_auditd_service.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-09-01 09:51:13 +02:00
30cd1b6a00
[New Rule] Potential Defense Evasion via Doas ( #4027 )
...
* [New Rule] Potential Defense Evasion via Doas
* Update rules/linux/defense_evasion_doas_configuration_creation_or_modification.toml
* Update rules/linux/defense_evasion_doas_configuration_creation_or_modification.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Rename defense_evasion_doas_configuration_creation_or_modification.toml to defense_evasion_doas_configuration_creation_or_rename.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-08-29 21:19:13 +02:00
19b4a4d7dd
[New Rule] SSL Certificate Deletion ( #4026 )
...
* [New Rule] SSL Certificate Deletion
* Update defense_evasion_ssl_certificate_deletion.toml
* Update rules/linux/defense_evasion_ssl_certificate_deletion.toml
2024-08-29 21:10:59 +02:00
6aaccc64a6
[New Rule] AWS CLI Command with Custom Endpoint URL ( #4002 )
...
* new rule AWS CLI COmmand with Custom Endpoint URL
* fixed query
* added host os type
* added timestamp override
2024-08-28 09:58:08 -04:00
162a48c97f
[New Rule] Openssl Client or Server Activity ( #3930 )
...
* [New Rule] Openssl Client or Server Activity
* Endgame support
* Added one exclusion
* Update execution_shell_openssl_client_or_server.toml
* Update execution_shell_openssl_client_or_server.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-08-22 16:53:31 +02:00
c58ae92dd1
[New Rule] Dynamic Linker Creation or Modification ( #3969 )
...
* [New Rule] Dynamic Linker Creation or Modification
* Removed new line from description
* Update rules/linux/defense_evasion_dynamic_linker_file_creation.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update defense_evasion_dynamic_linker_file_creation.toml
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-08-10 10:25:55 +02:00
55e81c1169
[Rule Tuning] Attempt to Disable IPTables or Firewall ( #3972 )
...
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-08-10 10:18:11 +02:00
b6ffb10ab2
[Rule Tuning] System Log File Deletion ( #3970 )
2024-08-10 10:04:56 +02:00
6e3e5f6373
[Rule Tuning] Potential Disabling of AppArmor ( #3971 )
...
* [Rule Tuning] Potential Disabling of AppArmor
* Update query
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-08-10 09:51:45 +02:00
93d928625d
[Tuning] Executable Bit Set for Potential Persistence Script ( #3929 )
2024-08-02 21:13:19 +02:00
485312d5f2
[Rule Tuning] System Binary Moved or Copied ( #3933 )
2024-08-01 18:47:58 +02:00
134b842361
[Rule Tuning] Removed Endgame from Incompatible Rules ( #3931 )
...
* [Rule Tuning] Removed Endgame from Incompatible Rules
* ++
2024-07-31 09:26:38 +02:00
f3b0dc1954
Prep for next release 8.16 ( #3919 )
2024-07-24 11:19:56 -04:00
baee89de9b
Revert "Prep for next release 8.16 ( #3914 )"
...
This reverts commit 4245a815d2
2024-07-23 14:06:04 -04:00
4245a815d2
Prep for next release 8.16 ( #3914 )
...
* Prep for Release 8.16
* Add subscription
* Remove double subscription
* Formatting
* Formatting
* Revert Beaconing rules minstack and lock version
2024-07-23 13:04:03 -04:00
03c99d22d3
Revert "Prep for Release 8.16 ( #3913 )"
...
This reverts commit 01135085f6
2024-07-23 09:50:04 -05:00
01135085f6
Prep for Release 8.16 ( #3913 )
2024-07-23 09:42:26 -05:00
a71bbe0cf8
[Rule Tuning] Misc. DR Rule Tuning - Part 2 ( #3905 )
...
* [Rule Tuning] Misc. DR Rule Tuning - Part 2
* ++
* Update privilege_escalation_suspicious_uid_guid_elevation.toml
* Update rules/linux/persistence_systemd_service_creation.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-07-19 15:21:35 +02:00
76fdd549a3
[Rule Tuning] Misc. DR Rule Tuning ( #3904 )
...
* [Rule Tuning] Misc. DR Rule Tuning
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
* I love KQL validation
2024-07-19 15:13:42 +02:00
39350847d6
[New Rules] Git Hook execution/netcon ( #3896 )
...
* [New Rules] Git Hook execution/netcon
* TImestamp formatting change
* Update rules/linux/persistence_git_hook_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-07-17 15:28:37 +02:00
83d6eeb844
[New Rule] RPM Package Installed by Unusual Parent Process ( #3882 )
...
* [New Rule] RPM Package Installed by Unusual Parent Process
* Update persistence_rpm_package_installation_from_unusual_parent.toml
* Update persistence_rpm_package_installation_from_unusual_parent.toml
2024-07-17 15:12:17 +02:00
Ruben Groenewoud