Terrance DeJesus
f02ccfef64
[New Rule] Adding Coverage for AWS IAM or STS API Calls via Temporary Session Tokens (#4628)
* adding new rule 'AWS IAM or STS API Calls via Temporary Session Tokens'
* updated name and query logic
* updated query logic
* changed rule to new terms
* fixed logic
* Update rules/integrations/aws/persistence_iam_sts_api_calls_via_user_session_token.toml
* Update rules/integrations/aws/persistence_iam_sts_api_calls_via_user_session_token.toml
* updated investigation guide; scoped to IAM only; updated naming
* updating file name
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2025-04-24 15:39:51 -04:00
Isai
b429be2bda
[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#4648)
2025-04-24 10:19:06 +05:30
shashank-elastic
34231160ee
Fix versions for changes in required_fields (#4640)
2025-04-24 06:28:18 +05:30
Jonhnathan
b9ed05562d
[Rule Tuning] User Added to Privileged Group in Active Directory (#4646)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-04-24 06:12:33 +05:30
Jonhnathan
e8e76972f5
[Rule Tuning] Replace legacy winlog.api usage (#4647)
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-04-24 05:52:38 +05:30
Samirbous
ea31143b83
[New] Suspicious Azure Sign-in via Visual Studio Code (#4639)
* Create initial_access_entra_login_visual_code_phish.toml
* Update non-ecs-schema.json
* Update initial_access_entra_susp_visual_code_signin.toml
* Update pyproject.toml
* Update initial_access_entra_susp_visual_code_signin.toml
* Update non-ecs-schema.json
2025-04-23 14:06:05 +01:00
Samirbous
f8e91be329
[New] RemoteMonologue Attack rules (#4604)
* [New] RemoteMonologue Attack rules
https://www.ibm.com/think/x-force/remotemonologue-weaponizing-dcom-ntlm-authentication-coercions#1
https://github.com/xforcered/RemoteMonologue
* Update rules/windows/defense_evasion_ntlm_downgrade.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
* Update defense_evasion_ntlm_downgrade.toml
* Update rules/windows/defense_evasion_ntlm_downgrade.toml
* Update rules/windows/defense_evasion_ntlm_downgrade.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-04-22 15:26:57 -03:00
Jonhnathan
1bab74179e
[New Rule] Potential Malicious PowerShell Based on Alert Correlation (#4635)
* [New Rule] Potential Malicious PowerShell Based on Alert Correlation
* Update execution_posh_malicious_script_agg.toml
2025-04-22 13:36:04 -03:00
Colson Wilhoit
c80319d462
[Deprecate] LaunchDaemon Creation or Modification and Immediate Loading (#4547)
2025-04-22 21:23:01 +05:30
Jonhnathan
8361cfd205
[New Rule] Potential PowerShell Obfuscation via String Reordering (#4595)
* [New Rule] Potential PowerShell Obfuscation via String Reordering
* Update defense_evasion_posh_obfuscation_string_format.toml
* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml
* Update defense_evasion_posh_obfuscation_string_format.toml
* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml
* Update rules/windows/defense_evasion_posh_obfuscation_string_format.toml
2025-04-22 12:26:55 -03:00
Jonhnathan
364d9dd3bc
[New Rule] Threat Intel Email Indicator Match (#4598)
* [New Rule] Threat Intel Email Indicator Match
* Update threat_intel_indicator_match_email.toml
* Update pyproject.toml
* Adds IG
* Update rules/threat_intel/threat_intel_indicator_match_email.toml
* Update rules/threat_intel/threat_intel_indicator_match_email.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/threat_intel/threat_intel_indicator_match_email.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2025-04-22 12:15:36 -03:00
Jonhnathan
a495b4b9b2
[Rule Tuning] Potential DLL Side-Loading via Trusted Microsoft Programs (#4627)
2025-04-22 11:59:06 -03:00
Jonhnathan
a9f99137f3
[New Rule] Dynamic IEX Reconstruction via Method String Access (#4634)
2025-04-22 11:47:03 -03:00
Colson Wilhoit
4ef72457d3
[Tuning] MacOS DR Tuning PR (#4546)
* [Tuning] MacOS DR Tuning PR
* tunings
* tuning
* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
* Update rules/macos/execution_installer_package_spawned_network_event.toml
* Update rules/macos/execution_script_via_automator_workflows.toml
* Update rules/macos/credential_access_systemkey_dumping.toml
* Update rules/macos/credential_access_mitm_localhost_webproxy.toml
* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml
* Update rules/macos/defense_evasion_apple_softupdates_modification.toml
* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml
* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml
* fix
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2025-04-21 17:32:05 -05:00
Terrance DeJesus
c58d59eeb7
[New Rule] Adding Coverage for AWS CLI with Kali Linux Fingerprint Identified (#4625)
* adding new rule 'AWS CLI with Kali Linux Fingerprint Identified'
* updating rule logic
* updating mitre mapping
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-04-21 12:06:57 -04:00
Terrance DeJesus
94237798a5
[New Rule] Adding Coverage for AWS IAM Virtual MFA Device Registration (#4626)
* adding new rule 'AWS IAM Virtual MFA Device Registration Attempt with Session Token'
* updating rule
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-04-21 11:02:14 -04:00
Terrance DeJesus
96c2d0ca85
[New Rule] Adding Coverage for AWS Temporary User Session Token Used from Multiple Addresses (#4624)
* adding new rule 'AWS STS Temporary IAM Session Token Used from Multiple Addresses'
* updating rule assets
* updating mitre mapping
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-04-17 16:06:40 -04:00
Terrance DeJesus
ba16e27edb
[Rule Tuning] Tuning Azure Service Principal Credentials Added (#4570)
* tuning 'Azure Service Principal Credentials Added'
* updated patch version
* added investigation guide
* updating patch version
* updating patch version
2025-04-16 13:58:17 -04:00
Terrance DeJesus
1a6669e5a6
[Rule Tuning] Adjusting Microsoft Entra ID Rare Authentication Requirement for Principal User (#4562)
* tuning 'Microsoft Entra ID Rare Authentication Requirement for Principal User'
* updated MITRE ATT&CK mappings
* updated index target
* updated patch version
* updating patch version
* bumping patch version
* updating patch version
2025-04-16 12:21:41 -04:00
Jonhnathan
e11fe78846
[Rule Tuning] Suspicious WMI Event Subscription Created (#4618)
* [Rule Tuning] Suspicious Execution via Scheduled Task
* [Rule Tuning] Suspicious WMI Event Subscription Created
2025-04-16 10:05:20 -03:00
Jonhnathan
3eed0f5b6a
[Rule Tuning] SSH Authorized Keys File Deletion (#4591)
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-04-15 12:16:03 -03:00
Ruben Groenewoud
3b1f780435
[D4C Conversion] Converting Compatible D4C Rules to DR (#4532)
* [D4C Conversion] Converting Compatible D4C Rules to DR
* added host.os.type
* Rename
* Update rules/linux/execution_container_management_binary_launched_inside_container.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/linux/privilege_escalation_debugfs_launched_inside_container.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/linux/privilege_escalation_debugfs_launched_inside_container.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/linux/privilege_escalation_mount_launched_inside_container.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
* Update rules/linux/privilege_escalation_mount_launched_inside_container.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-04-10 14:26:40 +02:00
Ruben Groenewoud
05c9f6bbdb
[FN Tuning] Shared Object Created or Changed by Previously Unknown Pr… (#4529)
* [FN Tuning] Shared Object Created or Changed by Previously Unknown Process
* Update process exclusions in TOML file
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
2025-04-08 18:19:18 +02:00
Jonhnathan
a5d9d6400a
[Rule Tuning] Suspicious Execution via Scheduled Task (#4599)
2025-04-07 22:59:08 +05:30
shashank-elastic
3966981dae
Add investigation guides (#4600)
2025-04-07 20:55:39 +05:30
Jonhnathan
9577d53284
[Rule Tuning] Add Host Metadata to ES|QL Aggregation Rules (#4592)
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-04-07 12:00:14 -03:00
Colson Wilhoit
753e8d8200
[New] Unusual Network Connection to Suspicious Top Level Domain (#4563)
2025-04-03 14:22:41 -05:00
Colson Wilhoit
d4b2a35237
[New] Unusual Network Connection to Suspicious Web Service (#4569)
* [New] Unusual Network Connection to Suspicious Web Service
* Update rule threat order
---------
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com>
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
2025-04-03 14:02:03 -05:00
Jonhnathan
e7806fc74f
[Rule Tuning] O365 Exchange Suspicious Mailbox Right Delegation (#4589)
2025-04-02 09:52:34 -03:00
Samirbous
6d8cfda10f
Update defense_evasion_microsoft_defender_tampering.toml (#4573)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-04-01 18:04:29 +01:00
Terrance DeJesus
c6e37d6910
[Rule Tuning] Tuning Illicit Grant Consent Detections in Azure and M365 (#4557)
* tuning Azure rule for illicit grant activity; creating new rule for M365
* Update rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml
* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
* adjusted tags
* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml
2025-03-27 15:55:04 -04:00
Terrance DeJesus
280140650a
tuning 'Azure Conditional Access Policy Modified' (#4558)
2025-03-27 15:43:46 -04:00
Terrance DeJesus
2f3f4fbdef
deprecating 'Azure Virtual Network Device Modified or Deleted' (#4559)
2025-03-27 10:09:34 -04:00
shashank-elastic
2b3095a13c
Update Max signals value to supported limits (#4556)
2025-03-27 09:02:25 +05:30
M. Visser
63c1f47689
[Rule Tuning] Added OWA (outlook for web) new AppID (#4568)
* Added OWA (outlook for web) new AppID
**Title:** Add new Outlook for Web AppID to abnormal Microsoft 365 ClientAppID rule
**Description:**
This pull request updates the `initial_access_microsoft_365_abnormal_clientappid` rule to include the newly introduced Outlook for Web AppID:
- **New AppID**: `9199bf20-a13f-4107-85dc-02114787ef48`
### Context
Outlook for Web (OWA) is migrating to a new authentication platform using MSAL and a Single Page Application (SPA) auth model. As part of this backend change, Microsoft is replacing the existing OWA AppID with a new one. This change is being rolled out during the first half of calendar year 2024, with full deployment expected by Q4 2024.
- **Old OWA AppID**: `00000002-0000-0ff1-ce00-000000000000`
- **New OWA AppID**: `9199bf20-a13f-4107-85dc-02114787ef48`
Although no action is required for tenant administrators, this new AppID may show up in logs and should be accounted for in detections relying on known legitimate ClientAppIDs.
### Why this change?
The rule `initial_access_microsoft_365_abnormal_clientappid` flags potentially suspicious or unauthorized client applications accessing Microsoft 365 services. To prevent false positives caused by this official change from Microsoft, this PR adds the new OWA AppID to the allowlist.
### References
- Microsoft 365 Message Center notice (ref: MC715025)
- [MSAL documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-overview)
* Update initial_access_microsoft_365_abnormal_clientappid.toml
Updated updated_date
2025-03-26 15:15:28 -03:00
shashank-elastic
e8c54169a4
Prep main for 9.1 (#4555)
* Prep for Release 9.1
* Update Patch Version
* Update Patch version
* Update Patch version
2025-03-26 11:04:14 -04:00
Terrance DeJesus
5e12f05a36
fixing double header in investigation notes (#4490)
2025-03-25 09:08:13 -04:00
Terrance DeJesus
db78756062
[New Rule] Adding Coverage for DynamoDB Exfiltration Behaviors (#4535)
* new rules for AWS DynamoDB data exfiltration
* bumping patch version
* adjusting investigation guide
* updating patch version
* updating patch version
* updating patch version
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2025-03-21 10:05:24 -04:00
shashank-elastic
059d7efa25
Prep for Release 9.0 (#4550)
2025-03-20 20:32:07 +05:30
Kirti Sodhi
955e973c00
Change description and name of problemchild ML detection-rules (#4545)
Changed description and name of problemchild ML detection-rules
2025-03-20 08:58:10 -04:00
Samirbous
28a06fd25f
Update defense_evasion_posh_assembly_load.toml (#4543)
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-03-20 05:13:28 -03:00
Eric Forte
5ccb7ed4af
Min stack rules from 4516 (#4549)
2025-03-19 20:27:30 -04:00
Eric Forte
5b3dc4a4a7
Revert "Add new ML detection rules for Privileged Access Detection (#4516)" (#4548)
This reverts commit 2ff8d1bb56.
2025-03-19 20:08:08 -04:00
Kirti Sodhi
2ff8d1bb56
Add new ML detection rules for Privileged Access Detection (#4516)
Add detection-rules for privileged access detection integration
2025-03-19 11:02:28 -04:00
shashank-elastic
0993ced309
Deprecate Cloud Defend Rules (#4537)
2025-03-14 21:27:37 +05:30
Samirbous
290f0be959
Update defense_evasion_execution_suspicious_explorer_winword.toml (#4533)
2025-03-14 10:46:56 -03:00
Ruben Groenewoud
d7d8c414ec
[New Rule] File Creation in /var/log via Suspicious Process (#4528)
* [New Rule] File Creation in /var/log via Suspicious Process
* ++
* ++
2025-03-12 12:50:48 +01:00
Terrance DeJesus
3ed820afa8
[New Rule] Adding Coverage for Azure Entra Password Spraying (Non-Interactive SFA) (#4523)
* adding new rule 'Azure Entra Repeated Failed Sign-Ins via Non-Interactive Single-Factor Authentication'
* updating name
* added investigation guide
* updated investigation guide
* updated investigation guide
* removed unnecessary comment
* adjusted logic to count distinct on principal id; principal name will be in aggregations now
* updated Entra ID name
2025-03-11 11:25:10 -04:00
Terrance DeJesus
aacb376acf
[New Rule] Adding Coverage for Azure Entra Rare App ID for Principal Authentication (#4524)
* adding new rule 'Azure Entra Rare App ID for Principal Authentication'
* updating tactic tag
* adjusted query logic for user type
* updated Entra ID name
2025-03-11 11:05:56 -04:00
Terrance DeJesus
fd1369a164
[New Rule] Adding Coverage for Azure Entra Rare Instance of Single-Factor Authentication for User (#4525)
* adding new rule 'Azure Entra Rare Instance of Single-Factor Authentication for User'
* linted; updated UUID
* adjusted rule name and logic to focus on any rare authentication requirements
* adjusted file name
2025-03-11 10:51:01 -04:00