sigma-rules

Author	SHA1	Message	Date
Ruben Groenewoud	ef49709c7d	[New Rules] Linux Wildcard Injection (#2973 ) * [New Rules] Linux Wildcard Injection * Update rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml * Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-04 16:32:34 +02:00
Ruben Groenewoud	c6eba3e4e6	[New Rule] Suspicious Symbolic Link Created (#2969 ) * [New Rule] Suspicious Symbolic Link Created * Update rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * fixed unit testing issues after suggestion commit --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-03 23:23:23 +02:00
Ruben Groenewoud	4bcec3397c	[New Rule] Potential Suspicious DebugFS Root Device Access (#2982 ) * [New Rule] Potential DebugFS Privilege Escalation * Changed rule name * Update rules/linux/privilege_escalation_sda_disk_mount_non_root.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-03 16:13:34 +02:00
Ruben Groenewoud	207d94e51c	[New Rule] Potential Sudo Token Manipulation via Process Injection (#2984 ) * [New Rule] Sudo Token Access via Process Injection * [New Rule] Sudo Token Manipulation via Proc Inject * Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml * Update privilege_escalation_sudo_token_via_process_injection.toml --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-03 15:58:25 +02:00
Ruben Groenewoud	7cc841cc87	[New Rule] PE via UID INT_MAX Bug (#2971 ) * [New Rule] PE via UID INT_MAX Bug * changed file name * Should be more decisive * fix * Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>	2023-08-03 15:51:06 +02:00
Ruben Groenewoud	a7ff449fbc	[Rule Tuning] Some Tunings of several 8.9 rules (#2985 ) * [Rule Tuning] Doing some quick tunings * updated_date bump * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_modprobe_enumeration.toml * Update rules/linux/discovery_linux_sysctl_enumeration.toml * Update rules/linux/persistence_init_d_file_creation.toml * Update rules/linux/persistence_rc_script_creation.toml * Update rules/linux/persistence_shared_object_creation.toml * deprecate rule * deprecate rule * Update execution_abnormal_process_id_file_created.toml * Update discovery_kernel_module_enumeration_via_proc.toml * Update discovery_linux_modprobe_enumeration.toml * Update execution_remote_code_execution_via_postgresql.toml * Update discovery_potential_syn_port_scan_detected.toml * Added 2 tunings, sorry I missed those.. * One more tune * Update discovery_suspicious_proc_enumeration.toml	2023-08-03 15:25:33 +02:00
Ruben Groenewoud	03110fb24c	[New Rule] SUID/SGUID Enumeration Detected (#2956 ) * [New Rule] SUID/SGUID Enumeration Detected * Remove endgame compatibility * readded endgame support after troubleshooting * Update discovery_suid_sguid_enumeration.toml * Update rules/linux/discovery_suid_sguid_enumeration.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-08-03 09:57:30 +02:00
Ruben Groenewoud	716b621af2	[New Rule] Potential Sudo Hijacking Detected (#2966 ) * [New Rule] Potential Sudo Hijacking Detected * Update privilege_escalation_sudo_hijacking.toml	2023-08-03 09:49:14 +02:00
Ruben Groenewoud	18c2214956	[New Rule] Sudo Command Enumeration Detected (#2946 ) * [New Rule] Sudo Command Enumeration Detected * Update discovery_sudo_allowed_command_enumeration.toml * revert endgame support due to unit testing fail * Update discovery_sudo_allowed_command_enumeration.toml * Update discovery_sudo_allowed_command_enumeration.toml * Update rules/linux/discovery_sudo_allowed_command_enumeration.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/discovery_sudo_allowed_command_enumeration.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-08-03 09:39:16 +02:00
Ruben Groenewoud	b8bb2da932	[New Rule] Potential Privilege Escalation via OverlayFS (#2974 ) * [New Rule] Privilege Escalation via OverlayFS * Layout change * Revert "[New Rule] Privilege Escalation via OverlayFS" This reverts commit f3262d179bc5f54ae5380ffa50d67041fb141c26. * Made rule broader * Update privilege_escalation_overlayfs_local_privesc.toml * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml * Update user.id to strings --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>	2023-07-31 19:15:11 +02:00
Ruben Groenewoud	bbb24704b6	[New Rule] PE through Writable Docker Socket (#2958 ) * [New Rule] PE through Writable Docker Socket * simplified query * Update privilege_escalation_writable_docker_socket.toml * Update privilege_escalation_writable_docker_socket.toml * Update rules/linux/privilege_escalation_writable_docker_socket.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-27 10:01:29 +02:00
Ruben Groenewoud	0666b594c6	[New Rule] Linux Local Account Brute Force (#2965 )	2023-07-27 09:43:53 +02:00
Ruben Groenewoud	b330cf9438	[New Rule] Pspy Process Monitoring Detected (#2945 ) * [New Rule] Pspy Process Monitoring Detected * Update rules/linux/discovery_pspy_process_monitoring_detected.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/discovery_pspy_process_monitoring_detected.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/discovery_pspy_process_monitoring_detected.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-26 15:58:33 +02:00
shashank-elastic	6527eb0500	Rule Tuning File Permission Modification in Writable Directory (#2961 )	2023-07-26 17:47:00 +05:30
Ruben Groenewoud	056db6003e	[Security Content] Added Compatibility note to all IGs (#2943 ) * added investigation guide note * added ig notes * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> * implemented note feedback * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-26 12:54:50 +02:00
Ruben Groenewoud	dbd7ed65a9	[Tuning] Reverse Shell Rules (#2959 ) * [Rule Tuning] Reverse Shell Rule destination.ip tuning * Updated updated_date	2023-07-25 14:55:56 +02:00
Ruben Groenewoud	8de2684498	[Security Content] Add Investigation Guides to Linux DRs 8.9 (#2868 ) * [Investigation Guide] 10 new Linux IG's 8.9 * Added 4 more IG tags * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_user_account_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_linux_user_added_to_privileged_group.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_execution.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_execution.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_execution.toml * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_rc_script_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * implemented feedback --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-19 17:13:24 +02:00
shashank-elastic	3ed8c56942	DR Linux Rule Tuning 8.9 (#2859 ) Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2023-07-10 20:02:42 +05:30
Ruben Groenewoud	e5d6d6e4a7	[New Rule] sus cmds executed by unknown executable (#2858 ) * [New Rule] sus cmds executed by unknown executable * added an event.action filter * Added endgame support, fixed stack version comment * Update execution_suspicious_executable_running_system_commands.toml * Update rules/linux/execution_suspicious_executable_running_system_commands.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update execution_suspicious_executable_running_system_commands.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-06 17:32:56 +02:00
Ruben Groenewoud	4e0b7427b7	[New Rules] ftp/rdp bruteforce (#2910 ) * [New Rules] ftp/rdp bruteforce * Update credential_access_potential_successful_linux_ftp_bruteforce.toml * Update credential_access_potential_successful_linux_rdp_bruteforce.toml * Update non-ecs-schema.json * Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/credential_access_potential_successful_linux_ftp_bruteforce.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/credential_access_potential_successful_linux_rdp_bruteforce.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-07-06 17:16:01 +02:00
Ruben Groenewoud	d5dee5a6c8	[New Rules] sysctl and modprobe enumeration (#2844 ) * [New Rules] sysctl and modprobe enumeration * Update discovery_linux_modprobe_enumeration.toml * Update discovery_linux_sysctl_enumeration.toml * reverted manifest/schema update * updated tags * Update discovery_linux_modprobe_enumeration.toml	2023-07-06 16:46:54 +02:00
Ruben Groenewoud	64b3fa8d1d	[New Rule] Kernel Load/Unload via Kexec Detected (#2846 ) * [New Rule] Kernel Load/Unload via Kexec * Added additional references * changed rule name * changed the query to be more precise * Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * changed description based on feedback * Update rules/linux/privilege_escalation_load_and_unload_of_kernel_via_kexec.toml Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com> * Update privilege_escalation_load_and_unload_of_kernel_via_kexec.toml --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>	2023-07-06 16:03:27 +02:00
Ruben Groenewoud	646c316b66	[New Rules] Linux Reverse Shells (#2905 ) * [New Rules] Linux Reverse Shells * [New Rules] Linux Reverse Shells * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_java_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_suspicious_parent_child_revshell_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Delete UDP rule to add in separate PR * Update rules/linux/execution_shell_via_lolbin_interpreter_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_reverse_tcp_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/execution_shell_via_tcp_cli_utility_linux.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Deleted one rule and tuned the others * Improved the rules' performance * Added the reverse_tcp rule back after tuning * Update execution_shell_via_lolbin_interpreter_linux.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-07-06 15:27:57 +02:00
Ruben Groenewoud	78055bbeee	[New Rule] Suspicious Proc Enumeration (#2845 ) * [New Rule] Suspicious Proc Enumeration * Update rules/linux/discovery_suspicious_proc_enumeration.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/linux/discovery_suspicious_proc_enumeration.toml Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com> * fix tags --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>	2023-07-04 11:34:56 +02:00
Ruben Groenewoud	7a1f376a34	[New Rules] Conversion of deprecated ERs over to DRs (#2877 ) * [Conversion] Data Encrypted via OpenSSL * [Conversion] sus funzip extraction/decompression * [Conversion] LD_PRELOAD env var process injection * fix unit testing failure * suspecting endgame incompatibility * fixed typo * added LD_LIBRARY_PATH * Update defense_evasion_ld_preload_env_variable_process_injection.toml * Update defense_evasion_ld_preload_env_variable_process_injection.toml * Added exclusions for FPs * Update rules/linux/defense_evasion_ld_preload_env_variable_process_injection.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/impact_data_encrypted_via_openssl.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-07-02 10:39:44 +02:00
Ruben Groenewoud	9794f8f0af	[New Rule] Postgresql Code Execution (#2863 ) * [New Rule] Postgresql Code Execution * Update rules/linux/execution_remote_code_execution_via_postgresql.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update execution_remote_code_execution_via_postgresql.toml --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-06-30 13:17:24 +02:00
eric-forte-elastic	aaa4ce2ea0	[BUG] test_all_rule_queries_optimized does not run on rules (#2823 ) * Fixed kql -> kuery in test_all_rule_queries_opt... * all queries optimized * manually reconciled all rules that failed due to toml escaped chars * merge rules from main * Rules needing optimization * Fix optimized note * fix another note * another note fix * fixing whitespace * Updated for readability --------- Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-06-23 10:58:31 -04:00
Jonhnathan	b4c84e8a40	[Security Content] Tags Reform (#2725 ) * Update Tags * Bump updated date separately to be easy to revert if needed * Update resource_development_ml_linux_anomalous_compiler_activity.toml * Apply changes from the discussion * Update persistence_init_d_file_creation.toml * Update defense_evasion_timestomp_sysmon.toml * Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml * Update missing Tactic tags * Update unit tests to match new tags * Add missing IG tags * Delete okta_threat_detected_by_okta_threatinsight.toml * Update command_and_control_google_drive_malicious_file_download.toml * Update persistence_rc_script_creation.toml * Mass bump * Update persistence_shell_activity_by_web_server.toml * . --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>	2023-06-22 18:38:56 -03:00
Ruben Groenewoud	7c5f17e30c	[New Rules] User / Group Creation & Privileged Group Addition (#2546 ) * [New Rules] user/group creation * Update rules/linux/persistence_linux_group_creation.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/persistence_linux_user_account_creation.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/persistence_linux_user_added_to_privileged_group.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * added backdoor user account * added host.os.type == linux for unit testing fix * unit testing fixes * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Added OSQuery to Investigation Guides * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guides to add in future PR * Fixed some issues with the rules * fixed typo * Update rules/linux/persistence_linux_backdoor_user_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_user_account_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_user_added_to_privileged_group.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_group_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-06-22 15:15:48 +02:00
Ruben Groenewoud	71186c8788	[Rule Tuning] Potential Persistence Through Run Control Detected (#2857 ) * [Rule Tuning] changed rule type to new_terms * Updated min stack comment * Update persistence_rc_script_creation.toml * Changed description, removed file.path from new_terms field because it is not necessary * added host.id to new terms field and bumped up min stack	2023-06-22 13:39:36 +02:00
Ruben Groenewoud	7d64dc2a87	[Rule tunings / New Rule] Kernel Unload and Enumeration (#2838 ) * [Rule Tunings] Kernel Module Enumeration / Removal * [Rule Tunings] Kernel Module Enumeration and Removal * Deleted copy of wrong file * EQL Conversion and made the rule more resilient * Converted rules to EQL and made rules more resilient * Removed unwanted rule from PR * fixed unit tests * fixed unit testing, removed endgame support * Added a rule to detect kernel module enum via proc * Did some additional tuning, 0 hits in RedSector now	2023-06-22 10:11:52 +02:00
Ruben Groenewoud	dc05f1d8f3	[New Rule] Sus Network Activity from Unknown Executable (#2856 ) * [New Rule] Sus Network Activity from Unknown Executable * Update command_and_control_suspicious_network_activity_from_unknown_executable.toml * Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * added endgame support, changed min stack comment * Update rules/linux/command_and_control_suspicious_network_activity_from_unknown_executable.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> --------- Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-06-14 23:27:29 +02:00
Ruben Groenewoud	b4a218ed1c	[New Rule] Shared Object Created (#2848 ) * [New Rule] Shared Object Created or Changed * Removed sub technique * Update rules/linux/persistence_shared_object_creation.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * changed description slightly * Update rules/linux/persistence_shared_object_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_shared_object_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * added T1574.006 --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-06-13 22:51:07 +02:00
Ruben Groenewoud	4f9f28c370	[New Rules] Cron Job / Systemd Service Creation (#2847 ) * [New Rules] Cron Job/Systemd Service Creation * Added execution to tags * Added additional EndGame Support * Update rules/linux/persistence_cron_job_creation.toml Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com> * Update rules/linux/persistence_systemd_service_creation.toml Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com> --------- Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>	2023-06-13 09:44:44 +02:00
Ruben Groenewoud	644d2f5b26	[New Rule] New Systemd Timer Created (#2601 ) * [New Rule] New Systemd Timer Created * improve query runtime performance * added process.name entries for alert reduction * attempt to fix gh unit testing failure * added host.os.type==linux to fix unit test error * Added OSQuery to investigation guides * added additional process names * removed investigation guides to add in future PR * removed investigation guide tag * Changed rule to new_terms rule to reduce FPs * fixed query * formatting fix * Learnt another thing about KQL.. Formatting fix. * unit test fix * Update rules/linux/persistence_systemd_scheduled_timer_created.toml Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>	2023-06-13 09:15:47 +02:00
Jonhnathan	05aac4f371	[Security Content] Add Investigation Guides to Windows rules (#2678 ) * [Security Content] Add Investigation Guides to Windows rules * Update privilege_escalation_service_control_spawned_script_int.toml * Update execution_reverse_shell_via_named_pipe.toml * Apply suggestions from code review Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update execution_command_prompt_connecting_to_the_internet.toml --------- Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>	2023-05-26 10:25:41 -03:00
Jonhnathan	0d5e25e896	[Rule Tuning] Interactive Terminal Spawned via Python (#2781 ) * [Rule Tuning] Interactive Terminal Spawned via Python * Update execution_python_tty_shell.toml * Update execution_python_tty_shell.toml * Apply suggestions from code review Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>	2023-05-26 10:19:35 -03:00
Ruben Groenewoud	54c5c17aa3	[Rule Tuning & Addition] Potential Linux SSH Brute Force (#2583 ) * [Rule tuning & Addition] SSH Bruteforce * Update rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> * Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/credential_access_potential_linux_ssh_bruteforce_internal.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * fixed rule_id change, added additional cidr match * added host.os.type==linux * Update credential_access_potential_linux_ssh_bruteforce_internal.toml * Formatting style change * Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/credential_access_potential_linux_ssh_bruteforce_external.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Added related rules suggestion * Added related rule suggestion * added additional internal ip ranges * added additional internal ip ranges --------- Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com> Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-05-25 12:00:44 +02:00
Ruben Groenewoud	9ebffb44ff	[New Rules] Ransomware Encryption & Note Creation (#2652 ) * [New Rules] Ransomware Encryption & Note Creation * changed description * Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/impact_potential_linux_ransomware_note_detected.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-05-16 11:30:00 +02:00
shashank-elastic	1293365a7f	Rule to detect Potential Linux Credential Dumping via Proc Filesystem (#2751 )	2023-05-05 22:23:15 +05:30
Ruben Groenewoud	26258f806a	[New Rules] Persistence through MOTD (#2608 ) * [New Rules] Persistence through MOTD * fixed unit error test by adding timestamp_override * Update rules/linux/persistence_message_of_the_day_execution.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * added host.os.type == "linux" * removed ability to bypass chmod by using e.g. 700 * Added endgame support, changed query * Changed query * updated risk_score * added OSQuery to investigation guides * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guides to add in future PR * removed investigation guide tag * Changed rule to new terms rule for FP reduction * Update rules/linux/persistence_message_of_the_day_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-05-05 10:29:15 +02:00
Ruben Groenewoud	1aea1ee9bb	[New rule] Sus File Creation in init.d for Persistence Detected (#2653 ) * [New Rule] Init.d File and Service Creation * Changed rule name * [New Rule] Sus File Creation init.d Persistence * Added Endgame compatibility * added touch * Added OSQuery to investigation guide * added additional processes * removed investigation guide to add in sep PR * changed rule name * removed investigation guide tag * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update rules/linux/persistence_init_d_file_creation.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update persistence_init_d_file_creation.toml --------- Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>	2023-05-05 09:54:42 +02:00
Ruben Groenewoud	09719dd0c5	[Rule Tuning] Potential Shell via Web Server (#2585 ) * tuned web shell logic, and converted to EQL * Removed old, created new rule to bypass "type" bug * Revert "Removed old, created new rule to bypass "type" bug" This reverts commit e994b62ecb838f73fa56d145e529169ebd2f5133. * Revert "tuned web shell logic, and converted to EQL" This reverts commit 28bda94b846cbb4ae1a084e707db2b6df458a7ca. * Deprecated old rule, added new * formatting fix * removed endgame index * Fixed changes captured as edited, not created * Update rules/linux/persistence_shell_activity_through_web_server.toml Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> * fix conflict * added host.os.type==linux for unit testing * removed wildcards in process.args * Update rules/linux/persistence_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * fixed conflict by changing file name and changes * Trying to resolve the GH conflict * attempt to fix GH conflict #2 * Update persistence_shell_activity_by_web_server.toml * Added endgame support * Added OSQuery to investigation guide * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update rules/linux/persistence_linux_shell_activity_via_web_server.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * removed investigation guide to add in future PR --------- Co-authored-by: Isai <59296946+imays11@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>	2023-05-05 09:47:49 +02:00
shashank-elastic	855ba16299	Linux Rule Tuning (#2753 )	2023-05-02 19:12:13 +05:30
shashank-elastic	cd5bc2c44b	Update file path regex for /run (#2749 )	2023-04-26 14:02:16 +05:30
shashank-elastic	0107e0fcaa	Detect Threat indicators for VMware ESXi servers (#2708 )	2023-04-25 20:17:16 +05:30
shashank-elastic	2996c79ff4	Detect Mount Execution With Hidepid Parameter (#2706 )	2023-04-22 08:00:30 +05:30
shashank-elastic	2705df81e2	Tune Shell evasion Rule to incorporate GTFOArgs shell evasion (#2687 )	2023-04-20 18:35:18 +05:30
shashank-elastic	f7aa477536	Correct Event Action to include endgame event schema (#2610 )	2023-04-20 17:28:01 +05:30
shashank-elastic	94baa89ea8	New Rule to identify defense evasion via PRoot (#2625 )	2023-04-20 17:14:01 +05:30

1 2 3 4

190 Commits