b291317ea6
[New Rule] Network Activity Detected via cat ( #3069 )
...
* [New Rule] Network Activity via cat
* Update command_and_control_cat_network_activity.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-09-18 09:51:20 +02:00
9146e0965d
[New Rule] Github Repository Deleted ( #3056 )
...
* new rule
* Update rules/integrations/github/impact_github_repository_deleted.toml
* Update rules/integrations/github/impact_github_repository_deleted.toml
updates based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-09-14 18:00:25 -04:00
904e37b732
[New Rule] GitHub Protected Branch Settings Changed ( #3054 )
...
* new rule file
* testing query change
* query changed back
* Update rules/integrations/github/defense_evasion_github_protected_branch_settings_changed.toml
updates based on review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* updated integration manifests with github schema
* Update defense_evasion_github_protected_branch_settings_changed.toml
added event.dataset to query
* added timestamp_override
* changed timestamp_override to @timestamp
* changed timestamp_override
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-09-14 17:16:51 -04:00
ccfc931fbd
Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity ( #3091 )
...
* Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity
When dllhost.exe is called with the "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}" argument it is creating an "OOBE Elevated Object Server" as per https://strontic.github.io/xcyclopedia/library/clsid_ca8c87c1-929d-45ba-94db-ef8e6cb346ad.html
Out of the box experience is part of the Windows autopilot and therefore should be legitimate behaviour.
* simplified detection logic by utilising process.parent.args
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-09-13 13:51:07 -03:00
4034436f06
[Security Content] Add missing osquery transforms ( #3088 )
...
* [Security Content] Add missing osquery transforms
* Revertable unit test
* .
* Revert "Revertable unit test"
This reverts commit 8c909fc2712b16e062890a63f31a6c080b81244a.
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-09-13 08:07:01 -03:00
ddb1f75352
[New Rule] New BBR Rules - Part 2 ( #3029 )
...
* [New Rule] New BBR Rules - Part 2
* Update discovery_generic_account_groups.toml
* Update discovery_generic_account_groups.toml
* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/execution_downloaded_shortcut_files.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules_building_block/defense_evasion_unusual_process_extension.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update defense_evasion_unusual_process_extension.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-09-12 21:49:22 -03:00
af99186992
[New Rule] New BBR Rules - Part 3 ( #3034 )
...
* [New Rule] New BBR Rules - Part 3
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-09-12 21:28:01 -03:00
f8f3576971
[New Rule] Potential UDP Reverse Shell ( #2906 )
...
* [New Rule] Potential UDP Reverse Shell Detected
* Title change
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* updated non-ecs-schema to update unmapped fields
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Removed netcat, added destination ip list
* Update execution_shell_via_udp_cli_utility_linux.toml
* Added precautionary exclusions
* Update rules/linux/execution_shell_via_udp_cli_utility_linux.toml
* replaced schema files
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
* Update execution_shell_via_udp_cli_utility_linux.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-09-07 17:13:22 +02:00
15e71ec2e8
[New Rule] Potential Meterpreter Reverse Shell ( #3007 )
...
* [New Rule] Potential Meterpreter Reverse Shell
* Update execution_shell_via_meterpreter_linux.toml
* Update execution_shell_via_meterpreter_linux.toml
* Update rules/linux/execution_shell_via_meterpreter_linux.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-09-07 17:04:06 +02:00
3614f42b00
[New Rule] New BBR Rules - Part 5 ( #3052 )
...
* [New Rule] New BBR Rules - Part 5
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Tag work
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-09-05 18:36:34 -03:00
4233fef238
[Security Content] Include "Data Source: Elastic Defend" tag ( #3002 )
...
* win folder
* Other folders
* Update test_all_rules.py
* .
* updated missing elastic defend tags
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
2023-09-05 14:22:01 -04:00
6115a68aba
[Rule Tuning] Small Linux DR Tuning ( #3074 )
...
* [Rule tuning] Adressing community issue
* Changed title
* Changed IG title
2023-09-05 14:20:57 +02:00
3c64b454fb
[New Rule] Sus User Privilege Enumeration via id ( #3049 )
2023-08-31 18:13:42 +02:00
fdd45148b8
[New Rule][BBR] WRITEDAC Access on Active Directory Object ( #3015 )
...
* [New Rule] WRITEDAC Access on Active Directory Object
* Update defense_evasion_write_dac_access.toml
* Fix Setup Instructions
* Update defense_evasion_write_dac_access.toml
* Update rules_building_block/defense_evasion_write_dac_access.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-31 12:59:02 -03:00
f7d8d4752a
[New Rules] GDB Secret Dumping ( #3060 )
...
* [New Rules] GDB Secret Dumping
* Added references to BBR
* Update rules/linux/credential_access_gdb_init_memory_dump.toml
* Update rules_building_block/credential_access_gdb_memory_dump.toml
* Update rules_building_block/credential_access_gdb_memory_dump.toml
* Update rules_building_block/credential_access_gdb_memory_dump.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-31 17:41:22 +02:00
b6ed215958
[New Rule] File Creation, Exec and Self-Deletion ( #3045 )
...
* [New Rule] File Creation, Exec and Self-Deletion
* Update execution_file_execution_followed_by_deletion.toml
* Update execution_file_execution_followed_by_deletion.toml
* Update execution_file_execution_followed_by_deletion.toml
* Update execution_file_execution_followed_by_deletion.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-08-31 17:32:17 +02:00
3588600d57
[Rule Tuning] 3 tunings to reduce FPs ( #3058 )
...
* [Rule Tuning] 2 tunings to reduce FPs back to 0
* Added one more tune for community issue #3041
* Update rules/linux/execution_abnormal_process_id_file_created.toml
* Update rules/linux/execution_abnormal_process_id_file_created.toml
2023-08-31 17:16:57 +02:00
2eaaf27f1e
[New Rule] Potential Disabling of AppArmor ( #3046 )
...
* [New Rule] Potential Disabling of AppArmor
* Update rules/linux/defense_evasion_disable_apparmor_attempt.toml
* Update rules/linux/defense_evasion_disable_apparmor_attempt.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-31 17:06:15 +02:00
d838a3352f
[New Rule] Binary Copied and/or Moved to Suspicious Directory ( #3048 )
...
* [New Rule] Binary Copied and/or Moved to sus dir
* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/defense_evasion_binary_copied_to_suspicious_directory.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-31 13:46:41 +02:00
a5b5d513af
[New Rule] Potential Sudo Privilege Escalation via CVE-2019-14287 ( #3057 )
...
* [New Rule] Sudo PE via CVE-2019-14287
* Added Elastic Defend Data Source tag
* Update rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
* Update rules/linux/privilege_escalation_sudo_cve_2019_14287.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-31 13:11:34 +02:00
a395f54054
[New Rules] sus program compilation activity ( #3043 )
2023-08-31 09:30:56 +02:00
32abdb95f7
[New Rules] Linux Tunneling and Port Forwarding ( #3028 )
...
* Removed iodine rule due to new tunneling rule
* [New Rules] Linux Tunneling and Port Forwarding
* added ash
* Fixed description styling
* Changed rule name
* Update command_and_control_linux_suspicious_proxychains_activity.toml
* Added deprecation note & name change
* Changed deprecation status
* Removed deprecation date
* Fixed unit testing
* Update rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-30 22:12:19 +02:00
41a7a36817
Tune rule for new DLL written to Windows Servicing ( #3062 )
2023-08-30 13:51:23 -03:00
6d7df50d78
[New Rule] Suspicious WMI Event Subscription Created ( #1860 )
...
* Suspicious WMI Event Subscription Initial rule
* Use EQL sequence
* Update non-ecs-schema
* Update persistence_sysmon_wmi_event_subscription.toml
* update description
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* update query too look for even code 21 only
* update to case sensitive compare
* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml
* Update non-ecs-schema.json
* Update persistence_sysmon_wmi_event_subscription.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-08-29 16:42:19 -03:00
7004c99ef5
[New Rule] Unusual Process For MSSQL Service Accounts ( #3040 )
...
* [New Rule] Unusual Process For MSSQL Service Accounts
* Update initial_access_unusual_process_sql_accounts.toml
* Update initial_access_unusual_process_sql_accounts.toml
* Update collection_archive_data_zip_imageload.toml
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
* Update initial_access_unusual_process_sql_accounts.toml
* Update rules_building_block/initial_access_unusual_process_sql_accounts.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
added "vpnbridge.exe", "certutil.exe" and "bitsadmin.exe" to rule scope.
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-08-29 09:10:25 -03:00
22931d6afb
Update credential_access_lsass_openprocess_api.toml ( #3047 )
2023-08-28 16:22:08 +01:00
de32287889
[Rule Tuning] High Number of Process and/or Service Terminations ( #2940 )
2023-08-25 19:19:25 -03:00
a1716bd673
[Rule Tuning] Several rule tunings ( #3024 )
...
* [Rule Tuning] Several rule tunings
* Added 1 more
* optimized ransomware encryption rules
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml
* Added 2 more tunings based on todays telemetry
* Some tunings
* Tuning
* Tuning
* fixed user.id comparison
* Something went wrong with deprecation
* Something went wrong with deprecation
* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml
* Update rules/linux/discovery_linux_nping_activity.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/linux/discovery_linux_hping_activity.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Dedeprecated the rule to deprecate later
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-25 14:03:29 +02:00
17d0e5cda8
[Rule Tuning] Threat Intel Hash Indicator Match ( #3031 )
...
* Remove impash matches due to rate of false positives
* Update rules/cross-platform/threat_intel_indicator_match_hash.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-08-25 06:21:16 -03:00
9482bda414
Adding related integrations to ML rules ( #2972 )
...
* Adding related integrations to ML rules
* added adjustments to determine related integrations for ML rules
* fixed lint errors
* Empty commit
* Empty commit
* Empty commit
---------
Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.lan >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Apoorva Joshi <apoorvajoshi@Apoorvas-MBP.fritz.box >
2023-08-22 14:39:18 -04:00
2ddcf7817e
[Rule Tuning] Ignore Windows Update MpSigStub.exe for Parent Process PID Spoofing ( #3025 )
...
* adding tuning to ignore windows update
* Update privilege_escalation_via_ppid_spoofing.toml
* Update privilege_escalation_via_ppid_spoofing.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-22 13:04:25 -04:00
0c3b251208
[Rule Tuning] PowerShell Keylogging Script ( #3023 )
2023-08-22 07:45:00 -03:00
5e801b2edf
[Tuning] Improve Performance ( #2953 )
...
* [Tuning] Improve Performance
Remote Computer Account DnsHostName Update : sequence not needed, removed auth event to improve rule execution time.
Potential Remote Credential Access via Registry : removed sequence, since user.id is reported as std user SID (svchost is impersonating a remote user), and reduced file.path to known bad (based on observed TPs)
* Update privilege_escalation_suspicious_dnshostname_update.toml
* ++
* ++
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-21 16:23:34 +01:00
4f33a40f48
[Bug] Duplicate tag on Okta rule ( #3020 )
...
* Fix double tag on rule
* fixed all rules; added unit test
---------
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-08-21 10:42:47 -04:00
72f15dda6a
[New Rule] PowerShell Kerberos Ticket Dump ( #2967 )
...
* [New Rule] PowerShell Kerberos Ticket Dump
* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml
* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-20 17:29:16 -03:00
b5e011a892
[Rule Tuning] Privileges Elevation via Parent Process PID Spoofing ( #2873 )
...
* Update privilege_escalation_via_ppid_spoofing.toml
* Update privilege_escalation_via_ppid_spoofing.toml
* bump date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-08-17 13:52:26 -03:00
9144dc0448
[New Rule] Building Block Rules - Part 2 ( #2923 )
...
* [New Rule] Building Block Rules - Part 2
* .
* Update rules_building_block/defense_evasion_dll_hijack.toml
* Update rules_building_block/defense_evasion_file_permission_modification.toml
* Update rules_building_block/discovery_posh_password_policy.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-17 13:00:50 -03:00
96e50be5a6
[Rule Tuning] Potential Masquerading as Communication Apps ( #2997 )
...
* [Rule Tuning] Potential Masquerading as Communication Apps
* Update defense_evasion_masquerading_communication_apps.toml
* Update persistence_run_key_and_startup_broad.toml
* CI
* Revert "CI"
This reverts commit f43d9388dadb158d6cb63e84d2f1edcf2162bfb0.
2023-08-16 09:34:21 -03:00
e938ed28a0
[Rule Tuning] added additional event action ( #3008 )
2023-08-10 16:59:07 +02:00
f500cec497
fixing typo in 127.0.0.1 address ( #3004 )
2023-08-08 17:06:26 +02:00
4cbfd7c4ae
[Rule Tuning] Restricted Shell Breakout ( #2999 )
2023-08-04 19:30:18 +02:00
e904ebb760
[New Rule] PE via Container Misconfiguration ( #2983 )
...
* [New Rule] PE via Container Misconfiguration
* fixed boolean comparison unit test error
* Update privilege_escalation_container_util_misconfiguration.toml
* Update rules/linux/privilege_escalation_container_util_misconfiguration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-04 16:39:40 +02:00
ef49709c7d
[New Rules] Linux Wildcard Injection ( #2973 )
...
* [New Rules] Linux Wildcard Injection
* Update rules/linux/privilege_escalation_chown_chmod_unauthorized_file_read.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_potential_wildcard_shell_spawn.toml
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-04 16:32:34 +02:00
c6eba3e4e6
[New Rule] Suspicious Symbolic Link Created ( #2969 )
...
* [New Rule] Suspicious Symbolic Link Created
* Update rules/linux/privilege_escalation_linux_suspicious_symbolic_link.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* fixed unit testing issues after suggestion commit
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 23:23:23 +02:00
4bcec3397c
[New Rule] Potential Suspicious DebugFS Root Device Access ( #2982 )
...
* [New Rule] Potential DebugFS Privilege Escalation
* Changed rule name
* Update rules/linux/privilege_escalation_sda_disk_mount_non_root.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 16:13:34 +02:00
207d94e51c
[New Rule] Potential Sudo Token Manipulation via Process Injection ( #2984 )
...
* [New Rule] Sudo Token Access via Process Injection
* [New Rule] Sudo Token Manipulation via Proc Inject
* Update rules/linux/privilege_escalation_sudo_token_via_process_injection.toml
* Update privilege_escalation_sudo_token_via_process_injection.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 15:58:25 +02:00
7cc841cc87
[New Rule] PE via UID INT_MAX Bug ( #2971 )
...
* [New Rule] PE via UID INT_MAX Bug
* changed file name
* Should be more decisive
* fix
* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/linux/privilege_escalation_linux_uid_int_max_bug.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-08-03 15:51:06 +02:00
a7ff449fbc
[Rule Tuning] Some Tunings of several 8.9 rules ( #2985 )
...
* [Rule Tuning] Doing some quick tunings
* updated_date bump
* Update rules/linux/discovery_linux_modprobe_enumeration.toml
* Update rules/linux/discovery_linux_modprobe_enumeration.toml
* Update rules/linux/discovery_linux_sysctl_enumeration.toml
* Update rules/linux/persistence_init_d_file_creation.toml
* Update rules/linux/persistence_rc_script_creation.toml
* Update rules/linux/persistence_shared_object_creation.toml
* deprecate rule
* deprecate rule
* Update execution_abnormal_process_id_file_created.toml
* Update discovery_kernel_module_enumeration_via_proc.toml
* Update discovery_linux_modprobe_enumeration.toml
* Update execution_remote_code_execution_via_postgresql.toml
* Update discovery_potential_syn_port_scan_detected.toml
* Added 2 tunings, sorry I missed those..
* One more tune
* Update discovery_suspicious_proc_enumeration.toml
2023-08-03 15:25:33 +02:00
03110fb24c
[New Rule] SUID/SGUID Enumeration Detected ( #2956 )
...
* [New Rule] SUID/SGUID Enumeration Detected
* Remove endgame compatibility
* readded endgame support after troubleshooting
* Update discovery_suid_sguid_enumeration.toml
* Update rules/linux/discovery_suid_sguid_enumeration.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-08-03 09:57:30 +02:00
716b621af2
[New Rule] Potential Sudo Hijacking Detected ( #2966 )
...
* [New Rule] Potential Sudo Hijacking Detected
* Update privilege_escalation_sudo_hijacking.toml
2023-08-03 09:49:14 +02:00
Ruben Groenewoud