f8a7fe9cec
[Bug] Fix URL links in autogenerated security docs ( #3474 )
...
* added content() class method for guide and setup
* removed non-existent variable
* removed unnecessary newlines
* adjusted levels for titles
* reverting changes
* added method to convert markdown links to asciidoc
* adjusted regex to include trailing periods
* fixing linting errors
* adjusted regex pattern
* added content() class method for guide and setup
* stripped # out of investigation guide, setup or note
* adjusted formatting outcome
* changed function call
* fixed linting errors
* fixing auto-formatting for rule asciidoc
* fixing URL link removal
* fixing URL link removal
* removed strip() from string for setup
* fixed linting errors
* fixed linting errors
* adjusting code formatting for convert_markdown_to_asciidoc
(cherry picked from commit 8e0ca421ca
2024-02-23 21:55:30 +00:00
2312455d7a
[FR] Skip eql optimizations on parsing query for unique fields ( #3443 )
...
(cherry picked from commit 542053719b
2024-02-21 02:31:01 +00:00
c772b2a842
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 ( #3459 )
...
(cherry picked from commit 7815d23110
2024-02-20 17:32:25 +00:00
fb835e396d
[Tuning] Tuning Windows - 3 Rules ( #3388 )
...
* Update privilege_escalation_newcreds_logon_rare_process.toml
* Update privilege_escalation_make_token_local.toml
* Update privilege_escalation_make_token_local.toml
* Update privilege_escalation_create_process_with_token_unpriv.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 853e18950f
2024-02-20 16:01:52 +00:00
7adff8ebd2
[Tuning] Linux DR Tuning - Part 4 ( #3455 )
...
* [Tuning] Linux DR Tuning - Part 4
* Update defense_evasion_file_mod_writable_dir.toml
* Update defense_evasion_hidden_file_dir_tmp.toml
(cherry picked from commit 089e6671aa
2024-02-20 14:44:07 +00:00
24eea0e1e5
[Tuning] Event.dataset removal & Tag Addition ( #3451 )
...
* [Tuning] Removed event.dataset and added tag
* [Tuning] Removed event.dataset and added tag
* fixed typo
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 3484cac7eb
2024-02-20 14:23:44 +00:00
5af7ec1a4b
[Tuning] Linux DR Tuning - Part 3 ( #3454 )
...
(cherry picked from commit 5e6e4a359b
2024-02-20 13:56:14 +00:00
d09d0b0609
[Tuning] Linux DR Tuning - Part 1 ( #3452 )
...
* [Tuning] Linux DR Tuning - Part 1
* Update command_and_control_linux_tunneling_and_port_forwarding.toml
* Update command_and_control_cat_network_activity.toml
(cherry picked from commit 1dc7fd6a42
2024-02-20 13:44:07 +00:00
5b8b6c4450
[Tuning] Linux DR Tuning - Part 2 ( #3453 )
...
* [Tuning] Linux DR Tuning - Part 2
* Update defense_evasion_binary_copied_to_suspicious_directory.toml
* Update defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
(cherry picked from commit 0e48747aa6
2024-02-20 13:22:50 +00:00
984f2a6fbf
[FR] NON_DATASET_PACKAGE list & Data Source tag for Auditd_manager ( #3430 )
...
* [FR] Add Auditd_Manager to NON_DATASET_PACKAGE
* Changed alphabetical order
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit a637bcec38
2024-02-19 08:42:19 +00:00
144754c8a5
[New] Suspicious Execution from INET Cache ( #3445 )
...
* Create initial_access_execution_from_inetcache.toml
* Update initial_access_execution_from_inetcache.toml
(cherry picked from commit 4809de6584
2024-02-15 19:19:30 +00:00
9c265abb41
[Rule Tuning] Windows BBR Tuning - 3 ( #3382 )
...
* [Rule Tuning] Windows BBR Tuning - 3
* Update defense_evasion_service_disabled_registry.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 5334601b6f
2024-02-14 18:06:02 +00:00
7758575430
[Rule Tuning] Windows BBR Tuning - 4 ( #3384 )
...
* [Rule Tuning] Windows BBR Tuning - 4
* Update discovery_system_time_discovery.toml
(cherry picked from commit 1a8271db2f
2024-02-14 17:26:31 +00:00
ba92fb7fde
[Rule Tuning] Windows BBR Tuning - 6 ( #3386 )
...
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit f233909e7d
2024-02-14 15:54:44 +00:00
a864d77e0a
[Rule Tuning] Windows BBR Tuning - 5 ( #3385 )
...
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 97e49795ab
2024-02-14 13:28:21 +00:00
0c0a5bdaad
[Rule Tuning] Windows BBR Tuning - 2 ( #3381 )
...
* [Rule Tuning] Windows BBR Tuning - 2
* Update defense_evasion_masquerading_windows_system32_exe.toml
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit ae00f30574
2024-02-14 13:03:47 +00:00
1f418fa9e5
[FR] Add New Kibana Schema Issue Template ( #3441 )
...
(cherry picked from commit df6dd09db4
2024-02-13 22:41:12 +00:00
bde05d63c6
[FR] Add support for Threshold Alert Suppression ( #3433 )
...
(cherry picked from commit c3ca01ebcc
2024-02-12 16:01:10 +00:00
00fe4c8283
[Bug] Adjust build-release CLI and fix links when generating security docs ( #3434 )
...
* removed historical argument; added setup string; fixed links
* fixing flake errors
* added types for command arguments
* adjusted get_release_diff to append strings for release tags
* set fetch-depth to 0 for integrations checkout in workflow
* changed the name of the workflow
* removed TODOs
* adjusted release docs workflow to remove prefix for release tags
* adjusted URL replacement only if pointed to docs site
* added elastic website to regex pattern
* add docstrings; adjusted regex; add note for stopgap
* added a note about the regex pattern for elastic URLs
(cherry picked from commit 06b97ec79b
2024-02-12 15:13:42 +00:00
934edfd618
Add the Zen of Security Rules to philosophy ( #3437 )
...
(cherry picked from commit 298d1bce0d
2024-02-09 19:52:03 +00:00
4ac56fbd40
[Rule Tuning] Suspicious Antimalware Scan Interface DLL ( #3432 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 21b559c97f
2024-02-08 09:32:22 +00:00
10d36f6872
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 ( #3431 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12
* Update detection_rules/etc/version.lock.json
* updated downloadable updates file to reconcile changes
* Removed spacing from downloadable updates file
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit 827dfa7327
2024-02-06 19:54:15 +00:00
7201490af1
[Bug] Update Prebuilt Detection Rules Release Process ( #3403 )
...
* release fleet workflow updates; build package integration reference changes
* updated commit hash extraction to output to env
* adjusted bump-pkg-versions to only include release if necessary
* fixed flake errors
* add historical argument for build-release set to yes by default
* Update detection_rules/devtools.py
* fixed fleet workflow; updated registry data references
* updated job names
* removed extract commit hash job and consolidated into fleet pr job
* added echo statement for current branch before checkout
* removed id from extract commit hash
(cherry picked from commit 7df7ab5101
2024-02-06 14:04:40 +00:00
e037d57c82
[New Rules] DDExec Analysis ( #3408 )
...
* [New Rules] DDExec Analysis
* Increased rule scope
* [New Rule] Dynamic Linker Discovery via od
* Revert "[New Rule] Dynamic Linker Discovery via od"
This reverts commit c58595b77f517d3f236a64a52c38804253db64cc.
* [New Rule] Dynamic Linker Discovery via od
* [New Rule] Potential Memory Seeking Activity
* [New BBR] Suspicious Memory grep Activity
* Added endgame + auditd_manager support
* Removed auditd_manager support for now
* Removed auditd_manager support for now
* Update discovery_suspicious_memory_grep_activity.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit d41855a2ac
2024-02-06 13:53:27 +00:00
27b01ac788
[New Rule] Executable Masquerading as Kernel Process ( #3421 )
...
* [New Rule] Executable Masquerading as Kernel Proc
* Bumped dates
* Added endgame support
* Added auditd_manager support
* Removed auditd_manager support for now
(cherry picked from commit 90d64f0714
2024-02-06 09:54:53 +00:00
35dd5ad3c6
[New Rules] APT Package Manager Persistence ( #3418 )
...
* [New Rule] apt Package Manager Persistence
* [New Rules] APT Package Manager Persistence
* [New Rules] APT Package Manager Persistence
(cherry picked from commit 208b2e999c
2024-02-06 09:34:38 +00:00
8d3eed8d4d
[New Rule] Suspicious Network Connection via systemd ( #3420 )
...
* [New Rule] Network Connection via systemd
* Removed space from description
* Added updated query
(cherry picked from commit 4f303ab77e
2024-02-06 09:25:09 +00:00
66458bd33d
Update lateral_movement_remote_task_creation_winlog.toml ( #3419 )
...
(cherry picked from commit 6906a27c3a
2024-02-05 18:41:54 +00:00
67acfbae4d
[Rule Tuning] Windows BBR Tuning - 1 ( #3380 )
...
* [Rule Tuning] Windows BBR Tuning - 1
* .
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 8274f9a816
2024-02-05 15:52:57 +00:00
5edd21a169
[Rule Tuning] Startup or Run Key Registry Modification ( #3367 )
...
(cherry picked from commit edd3556b63
2024-02-05 15:33:38 +00:00
41ee5b7509
[New] Potential Enumeration via Active Directory Web Service ( #3416 )
...
* Create discovery_active_directory_webservice.toml
* Update discovery_active_directory_webservice.toml
* Update discovery_active_directory_webservice.toml
* Update discovery_active_directory_webservice.toml
* Update discovery_active_directory_webservice.toml
(cherry picked from commit 5a68ccfd0d
2024-02-02 14:24:50 +00:00
332afabf04
[Rule Tuning] Potential Modification of Accessibility Binaries ( #3401 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
(cherry picked from commit 50df6f3e9b
2024-02-01 14:32:00 +00:00
c8b1b59079
[Tuning] Suspicious File Downloaded from Google Drive ( #3411 )
...
* Update command_and_control_google_drive_malicious_file_download.toml
* Update command_and_control_google_drive_malicious_file_download.toml
* Update command_and_control_google_drive_malicious_file_download.toml
(cherry picked from commit 4c74588c00
2024-01-31 17:00:17 +00:00
50be89783c
[Tuning] DCSync Rules - 4662 event.action ( #3410 )
...
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update credential_access_dcsync_replication_rights.toml
(cherry picked from commit d7f4d7972e
2024-01-30 11:48:48 +00:00
bad1eff29b
[New Rule] Suspicious Passwd File Event Action ( #3396 )
...
* [New Rule] Suspicious Passwd File Event Action
* Description fix
* Pot. UT fix
* Pot. UT fix.
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit 381ccf43ed
2024-01-26 08:42:09 +00:00
c2eb386789
[New BBR] Reverse Connection through Port Knocking ( #3219 )
...
* [New BBR] Reverse Connection through Port Knocking
* Attempt to fix unit testing error
* Mitre list fix?
* Revert "Mitre list fix?"
This reverts commit 83682b8a58c2954911495d218392a33ee0615db2.
* Update command_and_control_linux_port_knocking_reverse_connection.toml
* Update command_and_control_linux_port_knocking_reverse_connection.toml
* Update rules_building_block/command_and_control_linux_port_knocking_reverse_connection.toml
* Update command_and_control_linux_port_knocking_reverse_connection.toml
* Update command_and_control_linux_port_knocking_reverse_connection.toml
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
(cherry picked from commit a66394c550
2024-01-24 15:35:55 +00:00
df82c11b4a
Lock versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 ( #3402 )
...
* Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12
* Update detection_rules/etc/version.lock.json
---------
Co-authored-by: terrancedejesus <terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
(cherry picked from commit d093336125
2024-01-23 21:42:17 +00:00
9ce2cdf675
[Rule Tuning] Windows DR Tuning - 15 ( #3377 )
...
* [Rule Tuning] Windows DR Tuning - 15
* Update privilege_escalation_windows_service_via_unusual_client.toml
* Update privilege_escalation_windows_service_via_unusual_client.toml
* Update defense_evasion_msbuild_making_network_connections.toml
(cherry picked from commit 92804343bc
2024-01-23 19:54:02 +00:00
c421546055
[Rule Tuning] Direct Outbound SMB Connection ( #3400 )
...
* [Rule Tuning] Direct Outbound SMB Connection
* Update lateral_movement_direct_outbound_smb_connection.toml
(cherry picked from commit e33389b2ef
2024-01-23 18:39:31 +00:00
7db74abede
[Rule Tuning] Host Files System Changes via Windows Subsystem for Linux ( #3398 )
...
* [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux
* Update defense_evasion_wsl_filesystem.toml
(cherry picked from commit e0bdb59deb
2024-01-22 21:53:12 +00:00
e1f10c70ba
removed query var; using is_sequence method; removed integration var ( #3395 )
...
(cherry picked from commit 164b7d4028
2024-01-22 20:28:29 +00:00
cfb4f1a013
[New Rules] UEBA GItHub BBRs and Rules ( #3174 )
...
* [New Rules] UEBA GItHub BBRs and Rules
A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.
* Update rules/integrations/github/impact_github_member_removed_from_organization.toml
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* edited BBR rules
-removed newly added member rule
* updated integration manifests and schemas
* Updated min_stack for some rules based on newest GitHub integration schema manifest
* testing min_stack bump to 8.8 for new fields
* removing offending rule to troubleshoot seperately
* added UEBA tags and created UEBA threshold rule
* updated non-ecs-schema to add signal.rule.tags
* updated non-ecs-schema with kibana.alert.workflow_status
* updated rule.threat.tactic
* added user.name to non-ecs-schema
* added quotes to kibana.alert.workflow_status value
* removed trailing space from rule name
* update tags and optimize query for UEBA threshold rule
* removed integration field from Higher-Order rule
* Apply suggestions from code review
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* adjusted new_terms order and rule types based on review feedback
* Apply suggestions from code review
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* remove user.name from detection_rules/etc/non-ecs-schema.json
* fix json formatting
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 442435830f
2024-01-22 17:53:42 +00:00
cdbf64d360
[New Rule] Potential Buffer Overflow Attack Detected ( #3312 )
...
* [New Rule] Potential Buffer Overflow Attack
* Added timestamp_override
* Update privilege_escalation_potential_bufferoverflow_attack.toml
* Update privilege_escalation_potential_bufferoverflow_attack.toml
* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
(cherry picked from commit 48d8b650e5
2024-01-22 15:34:03 +00:00
ebd743efd5
[New Rule] Chroot Container Escape via Mount ( #3387 )
...
* [New Rule] Chroot Container Escape via Mount
* description fix
(cherry picked from commit ec5f4d596c
2024-01-22 08:23:26 +00:00
0a6ad4adc3
[Security Content] Add Investigation Guides to Linux Persistence Rules - 2 ( #3350 )
...
* [Security Content] Add IGs to Persistence - 2
* [Security Content] Add IGs to Persistence - 2
* fixes
* fix
* added ig note
(cherry picked from commit 26747aa8a4
2024-01-20 18:41:48 +00:00
8a80d74136
[FR] Update Validate Integrations to Check Fields Across All Schema Variations ( #3372 )
...
(cherry picked from commit a873abbb5b
2024-01-18 21:47:51 +00:00
8a2475b5e3
Linux Process Capabilities Enrichment Detection Rules ( #3366 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com
(cherry picked from commit 1a2ef4b867
2024-01-18 17:24:51 +00:00
7367f37584
[Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field ( #3368 )
...
* updated timestamp override unit test; fixed rules missing this field
* fixed flake error
* simplified and consolidated logic
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* added comments
* updated logic; added comments; removed unused variables
* removed custom python script
* updated dates
* removed deprecated rule change
* updated dates
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
(cherry picked from commit 1c10c37468
2024-01-17 19:20:19 +00:00
652acc0f07
[Rule Tuning] Windows DR Tuning - 12 ( #3364 )
...
(cherry picked from commit f6ba12a700
2024-01-17 16:24:30 +00:00
5d9277280c
[Tuning] Add logs-system. index where applicable ( #3390 )
...
* Update discovery_adfind_command_activity.toml
* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_execution_control_panel_suspicious_args.toml
* Update credential_access_dump_registry_hives.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
* Update privilege_escalation_uac_bypass_mock_windir.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_printspooler_childprocess.toml
* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml
* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml
* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update initial_access_suspicious_ms_outlook_child_process.toml
* Update initial_access_suspicious_ms_office_child_process.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update initial_access_suspicious_ms_exchange_process.toml
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update impact_volume_shadow_copy_deletion_via_powershell.toml
* Update execution_from_unusual_path_cmdline.toml
* Update execution_enumeration_via_wmiprvse.toml
* Update execution_command_shell_started_by_svchost.toml
* Update discovery_enumerating_domain_trusts_via_nltest.toml
* Update discovery_enumerating_domain_trusts_via_dsquery.toml
* Update defense_evasion_workfolders_control_execution.toml
* Update defense_evasion_iis_httplogging_disabled.toml
* Update defense_evasion_enable_inbound_rdp_with_netsh.toml
* Update defense_evasion_disabling_windows_logs.toml
* Update credential_access_wireless_creds_dumping.toml
* Update credential_access_iis_apppoolsa_pwd_appcmd.toml
* Update credential_access_iis_connectionstrings_dumping.toml
* Update command_and_control_remote_file_copy_desktopimgdownldr.toml
* Update command_and_control_remote_file_copy_mpcmdrun.toml
* Update command_and_control_dns_tunneling_nslookup.toml
* Update persistence_webshell_detection.toml
* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml
* Update privilege_escalation_named_pipe_impersonation.toml
* Update command_and_control_certreq_postdata.toml
* Update defense_evasion_suspicious_certutil_commands.toml
* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update persistence_system_shells_via_services.toml
* Update execution_suspicious_cmd_wmi.toml
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update credential_access_dump_registry_hives.toml
* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_event_logs.toml
* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update defense_evasion_execution_control_panel_suspicious_args.toml
* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update discovery_adfind_command_activity.toml
* Update initial_access_suspicious_ms_outlook_child_process.toml
* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml
* Update privilege_escalation_uac_bypass_event_viewer.toml
* Update privilege_escalation_uac_bypass_mock_windir.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_printspooler_childprocess.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_unusual_dir_ads.toml
* Update defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_enabled_via_dism.toml
* Update discovery_admin_recon.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update lateral_movement_alternate_creds_pth.toml
* Update persistence_via_windows_management_instrumentation_event_subscription.toml
* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml
* Update persistence_via_application_shimming.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_msbuild_started_by_script.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml
* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update discovery_adfind_command_activity.toml
* Update defense_evasion_execution_msbuild_started_unusal_process.toml
* Update execution_command_shell_started_by_svchost.toml
* Update initial_access_suspicious_ms_exchange_worker_child_process.toml
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml
* Update execution_command_shell_started_by_svchost.toml
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
(cherry picked from commit 27262a585b
2024-01-17 13:55:24 +00:00
Terrance DeJesus