d41855a2ac
[New Rules] DDExec Analysis ( #3408 )
...
* [New Rules] DDExec Analysis
* Increased rule scope
* [New Rule] Dynamic Linker Discovery via od
* Revert "[New Rule] Dynamic Linker Discovery via od"
This reverts commit c58595b77f517d3f236a64a52c38804253db64cc.
* [New Rule] Dynamic Linker Discovery via od
* [New Rule] Potential Memory Seeking Activity
* [New BBR] Suspicious Memory grep Activity
* Added endgame + auditd_manager support
* Removed auditd_manager support for now
* Removed auditd_manager support for now
* Update discovery_suspicious_memory_grep_activity.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2024-02-06 14:47:37 +01:00
90d64f0714
[New Rule] Executable Masquerading as Kernel Process ( #3421 )
...
* [New Rule] Executable Masquerading as Kernel Proc
* Bumped dates
* Added endgame support
* Added auditd_manager support
* Removed auditd_manager support for now
2024-02-06 10:49:36 +01:00
208b2e999c
[New Rules] APT Package Manager Persistence ( #3418 )
...
* [New Rule] apt Package Manager Persistence
* [New Rules] APT Package Manager Persistence
* [New Rules] APT Package Manager Persistence
2024-02-06 10:29:27 +01:00
4f303ab77e
[New Rule] Suspicious Network Connection via systemd ( #3420 )
...
* [New Rule] Network Connection via systemd
* Removed space from description
* Added updated query
2024-02-06 10:19:42 +01:00
381ccf43ed
[New Rule] Suspicious Passwd File Event Action ( #3396 )
...
* [New Rule] Suspicious Passwd File Event Action
* Description fix
* Pot. UT fix
* Pot. UT fix.
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2024-01-26 09:36:56 +01:00
48d8b650e5
[New Rule] Potential Buffer Overflow Attack Detected ( #3312 )
...
* [New Rule] Potential Buffer Overflow Attack
* Added timestamp_override
* Update privilege_escalation_potential_bufferoverflow_attack.toml
* Update privilege_escalation_potential_bufferoverflow_attack.toml
* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-01-22 16:28:22 +01:00
ec5f4d596c
[New Rule] Chroot Container Escape via Mount ( #3387 )
...
* [New Rule] Chroot Container Escape via Mount
* description fix
2024-01-22 09:17:53 +01:00
26747aa8a4
[Security Content] Add Investigation Guides to Linux Persistence Rules - 2 ( #3350 )
...
* [Security Content] Add IGs to Persistence - 2
* [Security Content] Add IGs to Persistence - 2
* fixes
* fix
* added ig note
2024-01-20 19:36:32 +01:00
1a2ef4b867
Linux Process Capabilities Enrichment Detection Rules ( #3366 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com
2024-01-18 22:49:43 +05:30
1c10c37468
[Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field ( #3368 )
...
* updated timestamp override unit test; fixed rules missing this field
* fixed flake error
* simplified and consolidated logic
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* added comments
* updated logic; added comments; removed unused variables
* removed custom python script
* updated dates
* removed deprecated rule change
* updated dates
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-01-17 14:14:38 -05:00
4301dacfb8
[New Rule] Network Connection via Sudo Binary ( #3389 )
...
* [New Rule] Network Connection via Sudo Binary
* description grammar fix
2024-01-17 09:47:58 +01:00
a9285445cf
[New Rule] Kernel Driver Load by non-root User ( #3378 )
...
* [New Rule] Kernel Driver Load by non-root User
* setup note change
* removed unnecessary index
2024-01-17 09:34:25 +01:00
24d5528ab0
Linux Rule Tuning ( #3379 )
2024-01-11 18:07:03 +05:30
df86882036
[Rule Tuning] Dynamic Linker Copy ( #3349 )
2024-01-08 10:56:31 +01:00
6c91c1597d
[Rule Tuning] Linux DR Tuning - Part 3 ( #3322 )
...
* [Rule Tuning] Linux DR Tuning - Part 3
* small fix
* typo
* coffee
* Update persistence_cron_job_creation.toml
* Update persistence_shared_object_creation.toml
2024-01-08 10:16:44 +01:00
36226e5428
[Rule Tuning] Linux DR Tuning - Part 2 ( #3321 )
...
* [Rule Tuning] Linux DR Tuning - Part 2
* [Rule Tuning] Linux DR Tuning - Part 2
* fix
* Update execution_shell_suspicious_parent_child_revshell_linux.toml
2024-01-08 10:07:38 +01:00
b533642272
[Rule Tuning] Linux DR Tuning - Part 1 ( #3316 )
...
* [Rule Tuning] Linux DR Tuning - Part 1
* fix
* Update command_and_control_linux_kworker_netcon.toml
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_file_mod_writable_dir.toml
2024-01-08 09:50:15 +01:00
91a757a018
[Security Content] Add Investigation Guides to Linux C2 Rules ( #3247 )
...
* [Security Content] Add Investigation Guides to Linux C2 Rules
* Applied feedback
2023-12-18 17:02:40 +01:00
84824c67fd
[Tuning & New Rule] Linux Reverse Shell & DR Tuning ( #3254 )
...
* [Rule Tuning & New Rule] Linux Reverse Shell
* [Tuning & New Rule] Linux Reverse Shells
* Name change
* Update rules/linux/execution_shell_via_child_tcp_utility_linux.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* Update execution_shell_via_child_tcp_utility_linux.toml
* Update execution_shell_via_background_process.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2023-12-18 09:36:21 +01:00
6c614eb102
[Security Content] Add Investigation Guides to Linux Persistence Rules - 1 ( #3288 )
...
* [Security Content] Add IGs to Persistence Rules
* Cleaned query
* IG description fix
* Added related rules
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-12-11 13:53:06 +01:00
840958d117
[New Rule] Suspicious File Creation via Kworker ( #3237 )
...
* [New Rule] Suspicious File Creation via Kworker
* Update rules/linux/persistence_kworker_file_creation.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-07 23:02:00 +01:00
9c61231dc6
[New Rule] UID Elevation from Unknown Executable ( #3239 )
...
* [New Rule] UID Elevation from Unknown Executable
* type change
* bump min stack
* Added additional exclusions
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/privilege_escalation_uid_elevation_from_unknown_executable.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-12-07 22:25:01 +01:00
1071b12f00
[New Rule] Suspicious Kworker UID Elevation ( #3238 )
...
* [New Rule] Suspicious Kworker UID Elevation
* Update privilege_escalation_kworker_uid_elevation.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-12-07 20:59:07 +01:00
38862b89e9
[Tuning] Small Linux DR Tuning ( #3287 )
2023-12-07 12:45:24 +01:00
d52546eee5
Enhance Setup Guide information ( #3256 )
2023-11-03 19:05:29 +05:30
5c5d1b214b
Setup information for Linux Rules - Set8 ( #3200 )
2023-10-30 20:58:40 +05:30
618a1dbe06
[New Rule] Attempt to Clear Kernel Ring Buffer ( #3217 )
...
* [New Rule] Attempt to Clear Kernel Ring Buffer
* Update defense_evasion_clear_kernel_ring_buffer.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-10-30 09:37:11 +01:00
1ac3775743
[New Rule] Network Activity Detected via kworker ( #3202 )
...
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"
This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.
* [New Rule] Network Activity Detected via kworker
* White space
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
* Update command_and_control_linux_kworker_netcon.toml
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/command_and_control_linux_kworker_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update command_and_control_linux_kworker_netcon.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-10-25 15:24:55 +02:00
3855dd06d8
[New Rule] Potential Linux Hack Tool Launched ( #3125 )
...
* [New Rule] Potential Linux Hack Tool Launched
* changed description slightly
* Updated description
* Update rules/linux/execution_potential_hack_tool_executed.toml
* Update rules/linux/execution_potential_hack_tool_executed.toml
2023-10-23 21:35:43 +02:00
ff268cc6a0
[New Rule] Netcat Listener Established via rlwrap ( #3124 )
...
* [New Rule] Netcat Listener Established via rlwrap
* Update rules/linux/execution_nc_listener_via_rlwrap.toml
2023-10-23 17:31:26 +02:00
020fff3aea
[Rule Tuning] Linux Rules ( #3092 )
...
* [Rule Tuning] [WIP] Linux DR
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Fixed tag
* Added additional tuning
* unit test fix
* Additional tuning
* tuning
* added max signals
* Added max_signals=1 to brute force rules
* Cross-Platform Tuning
* Small fix
* new_terms conversion
* typo
* new_terms conversion
* Ransomware rule tuning
* performance tuning
* new_terms conversion for auditd_manager
* tune
* Need coffee
* kql/eql stuff
* formatting improvement
* new_terms sudo hijacking conversion
* exclusion
* Deprecations that were added last tuning
* Deprecations that were added last tuning
* Increased max timespan for brute force rules
* version bump
* added domain tag
* Two tunings
* More tuning
* Additional tuning
* updated_date bump
* query optimization
* Tuning
* Readded the exclusions for this one
* Changed int comparison
* Some tunings
* Update persistence_systemd_scheduled_timer_created.toml
* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"
This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.
* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml
* Update rules/linux/command_and_control_cat_network_activity.toml
* Update persistence_message_of_the_day_execution.toml
* Changed max_signals
* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"
This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.
* Revertable merge
* Update defense_evasion_ld_preload_env_variable_process_injection.toml
* File name change
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-10-23 16:28:58 +02:00
7254c582c5
Move Setup information into setup filed ( #3206 )
2023-10-23 19:28:18 +05:30
9f41c9f35c
[New Rule] Upgrade of Non-interactive Shell ( #3113 )
...
* [New Rule] Upgrade of Non-interactive Shell
* Changed numbers to int
* Changed severity
* [New Rule] Pot. Rev Shell via Background Process
* Revert "[New Rule] Pot. Rev Shell via Background Process"
This reverts commit bbb36eae26561dbef4bf57f6c1388cebe7a8b88d.
* Update rules/linux/execution_interpreter_tty_upgrade.toml
2023-10-18 16:47:07 +02:00
6ea11cd9ad
[New Rules] cap_setuid/cap_setgid privesc ( #3075 )
...
* [New Rules] cap_setuid/cap_setgid privesc
* Update persistence_setuid_setgid_capability_set.toml
* Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update privilege_escalation_suspicious_cap_setuid_python_execution.toml
* Update rules/linux/privilege_escalation_suspicious_cap_setuid_python_execution.toml
* Update privilege_escalation_suspicious_cap_setuid_python_execution.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-10-18 16:24:01 +02:00
4190c3a6a7
[New Rule] Potential SSH-IT SSH Worm Downloaded ( #3121 )
...
* [New Rule]
* Fixed grammar mistake
* Update rules/linux/lateral_movement_ssh_it_worm_download.toml
* Update rules/linux/lateral_movement_ssh_it_worm_download.toml
2023-10-18 16:08:25 +02:00
7d674db11e
[New Rule] Pot. Network Scan Executed from Host ( #3070 )
2023-10-18 15:46:31 +02:00
276c0f9cd3
Setup information for Linux Rules - Set7 ( #3190 )
2023-10-17 19:45:01 +05:30
5a98208b53
Setup information for Linux Rules - Set6 ( #3189 )
2023-10-17 19:33:07 +05:30
2a48db0598
Setup information for Linux Rules - Set5 ( #3188 )
2023-10-17 19:11:20 +05:30
25b527c149
Setup information for Linux Rules - Set4 ( #3179 )
2023-10-17 18:59:31 +05:30
d2c2987d72
Setup information for Linux Rules - Set3 ( #3178 )
2023-10-17 18:37:20 +05:30
1801a4ee7e
Setup information for Linux Rules - Set2 ( #3177 )
2023-10-17 18:25:55 +05:30
15718ea09e
Improve exsisting setup configurations for Linux ( #3141 )
2023-10-13 13:39:03 +05:30
89cfdcd440
[New Rule] Potential curl CVE-2023-38545 Exploitation ( #3168 )
...
* [New Rule] Potential curl CVE-2023-38545 Exploitation
* Added setup guide
* Update execution_curl_CVE_2023_38545.toml
* File name change
* File name change
* Update dates
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update rules/linux/execution_curl_cve_2023_38545_heap_overflow.toml
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-10-11 11:42:25 -03:00
a46797b987
[New Rule] Pot. Rev. Shell via Background Process ( #3114 )
2023-10-06 23:14:39 +02:00
c3cc01333a
[Tuning] CVE-2023-4911 ( #3160 )
2023-10-06 13:13:17 +02:00
f4ad1f28e3
[New Rule] PE via CVE-2023-4911 (Looney Tunables) ( #3158 )
...
* [New Rule] PE via CVE-2023-4911 (Looney Tunables)
* Update rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
* Update rules/linux/privilege_escalation_looney_tunables_cve_2023_4911.toml
2023-10-05 16:41:11 +02:00
b291317ea6
[New Rule] Network Activity Detected via cat ( #3069 )
...
* [New Rule] Network Activity via cat
* Update command_and_control_cat_network_activity.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-09-18 09:51:20 +02:00
f8f3576971
[New Rule] Potential UDP Reverse Shell ( #2906 )
...
* [New Rule] Potential UDP Reverse Shell Detected
* Title change
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* updated non-ecs-schema to update unmapped fields
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Removed netcat, added destination ip list
* Update execution_shell_via_udp_cli_utility_linux.toml
* Added precautionary exclusions
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
* replaced schema files
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-09-07 17:13:22 +02:00
15e71ec2e8
[New Rule] Potential Meterpreter Reverse Shell ( #3007 )
...
* [New Rule] Potential Meterpreter Reverse Shell
* Update execution_shell_via_meterpreter_linux.toml
* Update execution_shell_via_meterpreter_linux.toml
* Update rules/linux/execution_shell_via_meterpreter_linux.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-09-07 17:04:06 +02:00
Ruben Groenewoud