security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,889 Commits 1 Branch 0 Tags
fa13b92acad87f771c8b0a89cec626b39b24e8ac
Commit Graph

1368 Commits

Author SHA1 Message Date
Ruben Groenewoud fa13b92aca [Tuning] Linux DR Tuning - Part 5 (#3456) 
* [Tuning] Linux DR Tuning - Part 6

* Update discovery_dynamic_linker_via_od.toml

* Update discovery_esxi_software_via_find.toml

* Update discovery_esxi_software_via_grep.toml

* Update discovery_linux_hping_activity.toml

* Update discovery_linux_nping_activity.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit ae3f4737ab)
 2024-03-07 08:59:03 +00:00
Ruben Groenewoud 1136d2f3c7 [Tuning] Auditbeat event.action Compatibility (#3471) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 83abf8d42c)
 2024-03-06 14:33:41 +00:00
Ruben Groenewoud 2bd89801ee [BBR Promotion] Linux BBR --> DR Promotion (#3472) 
* [BBR Promotion] Linux BBR --> DR Promotion

* [BBR Promotion] Linux BBR --> DR Promotion

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 5a80423003)
 2024-03-06 13:54:31 +00:00
sbousseaden fc6c50418b [Tuning] Tuning Windows - 3 Rules (#3388) 
* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_make_token_local.toml

* Update privilege_escalation_make_token_local.toml

* Update privilege_escalation_create_process_with_token_unpriv.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 853e18950f)
 2024-02-20 16:01:23 +00:00
Ruben Groenewoud a04dfbd1ef [Tuning] Linux DR Tuning - Part 4 (#3455) 
* [Tuning] Linux DR Tuning - Part 4

* Update defense_evasion_file_mod_writable_dir.toml

* Update defense_evasion_hidden_file_dir_tmp.toml

(cherry picked from commit 089e6671aa)
 2024-02-20 14:43:36 +00:00
Ruben Groenewoud 3183bfea23 [Tuning] Event.dataset removal & Tag Addition (#3451) 
* [Tuning] Removed event.dataset and added tag

* [Tuning] Removed event.dataset and added tag

* fixed typo

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

Removed changes from:
- rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml

(selectively cherry picked from commit 3484cac7eb)
 2024-02-20 14:23:14 +00:00
Ruben Groenewoud bfe1fd6b20 [Tuning] Linux DR Tuning - Part 3 (#3454) 
(cherry picked from commit 5e6e4a359b)
 2024-02-20 13:55:44 +00:00
Ruben Groenewoud aefebccc06 [Tuning] Linux DR Tuning - Part 1 (#3452) 
* [Tuning] Linux DR Tuning - Part 1

* Update command_and_control_linux_tunneling_and_port_forwarding.toml

* Update command_and_control_cat_network_activity.toml

(cherry picked from commit 1dc7fd6a42)
 2024-02-20 13:43:33 +00:00
Ruben Groenewoud 24d4da7b5d [Tuning] Linux DR Tuning - Part 2 (#3453) 
* [Tuning] Linux DR Tuning - Part 2

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Update defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml

(cherry picked from commit 0e48747aa6)
 2024-02-20 13:22:16 +00:00
Samirbous 1192e62006 [New] Suspicious Execution from INET Cache (#3445) 
* Create initial_access_execution_from_inetcache.toml

* Update initial_access_execution_from_inetcache.toml

(cherry picked from commit 4809de6584)
 2024-02-15 19:19:02 +00:00
Jonhnathan 9577e2a4d8 [Rule Tuning] Windows BBR Tuning - 5 (#3385) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 97e49795ab)
 2024-02-14 13:27:51 +00:00
Jonhnathan adcf721ae3 [Rule Tuning] Windows BBR Tuning - 2 (#3381) 
* [Rule Tuning] Windows BBR Tuning - 2

* Update defense_evasion_masquerading_windows_system32_exe.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit ae00f30574)
 2024-02-14 13:03:13 +00:00
Jonhnathan d8dfbeade4 [Rule Tuning] Suspicious Antimalware Scan Interface DLL (#3432) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 21b559c97f)
 2024-02-08 09:31:50 +00:00
Ruben Groenewoud fa29e4b2b1 [New Rules] DDExec Analysis (#3408) 
* [New Rules] DDExec Analysis

* Increased rule scope

* [New Rule] Dynamic Linker Discovery via od

* Revert "[New Rule] Dynamic Linker Discovery via od"

This reverts commit c58595b77f517d3f236a64a52c38804253db64cc.

* [New Rule] Dynamic Linker Discovery via od

* [New Rule] Potential Memory Seeking Activity

* [New BBR] Suspicious Memory grep Activity

* Added endgame + auditd_manager support

* Removed auditd_manager support for now

* Removed auditd_manager support for now

* Update discovery_suspicious_memory_grep_activity.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit d41855a2ac)
 2024-02-06 13:52:48 +00:00
Ruben Groenewoud 1db9de76b0 [New Rule] Executable Masquerading as Kernel Process (#3421) 
* [New Rule] Executable Masquerading as Kernel Proc

* Bumped dates

* Added endgame support

* Added auditd_manager support

* Removed auditd_manager support for now

(cherry picked from commit 90d64f0714)
 2024-02-06 09:54:24 +00:00
Ruben Groenewoud 103fa8d34a [New Rules] APT Package Manager Persistence (#3418) 
* [New Rule] apt Package Manager Persistence

* [New Rules] APT Package Manager Persistence

* [New Rules] APT Package Manager Persistence

(cherry picked from commit 208b2e999c)
 2024-02-06 09:34:07 +00:00
Ruben Groenewoud 6276d635b8 [New Rule] Suspicious Network Connection via systemd (#3420) 
* [New Rule] Network Connection via systemd

* Removed space from description

* Added updated query

(cherry picked from commit 4f303ab77e)
 2024-02-06 09:24:36 +00:00
Samirbous 3a3245f872 Update lateral_movement_remote_task_creation_winlog.toml (#3419) 
(cherry picked from commit 6906a27c3a)
 2024-02-05 18:41:20 +00:00
Jonhnathan 59bb8e5ce0 [Rule Tuning] Windows BBR Tuning - 1 (#3380) 
* [Rule Tuning] Windows BBR Tuning - 1

* .

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 8274f9a816)
 2024-02-05 15:52:27 +00:00
Jonhnathan f58d793dca [Rule Tuning] Startup or Run Key Registry Modification (#3367) 
(cherry picked from commit edd3556b63)
 2024-02-05 15:33:05 +00:00
Samirbous 509ba1bf06 [New] Potential Enumeration via Active Directory Web Service (#3416) 
* Create discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

(cherry picked from commit 5a68ccfd0d)
 2024-02-02 14:24:18 +00:00
Jonhnathan e626ee0a2b [Rule Tuning] Potential Modification of Accessibility Binaries (#3401) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 50df6f3e9b)
 2024-02-01 14:31:32 +00:00
Samirbous 5d3b231e14 [Tuning] Suspicious File Downloaded from Google Drive (#3411) 
* Update command_and_control_google_drive_malicious_file_download.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update command_and_control_google_drive_malicious_file_download.toml

(cherry picked from commit 4c74588c00)
 2024-01-31 16:59:42 +00:00
Samirbous 74182d5dfa [Tuning] DCSync Rules - 4662 event.action (#3410) 
* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_replication_rights.toml

(cherry picked from commit d7f4d7972e)
 2024-01-30 11:48:19 +00:00
Ruben Groenewoud ea7c83522b [New Rule] Suspicious Passwd File Event Action (#3396) 
* [New Rule] Suspicious Passwd File Event Action

* Description fix

* Pot. UT fix

* Pot. UT fix.

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 381ccf43ed)
 2024-01-26 08:41:41 +00:00
Jonhnathan d121e74a3e [Rule Tuning] Windows DR Tuning - 15 (#3377) 
* [Rule Tuning] Windows DR Tuning - 15

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update defense_evasion_msbuild_making_network_connections.toml

(cherry picked from commit 92804343bc)
 2024-01-23 19:53:28 +00:00
Jonhnathan 9f18adfdb1 [Rule Tuning] Direct Outbound SMB Connection (#3400) 
* [Rule Tuning] Direct Outbound SMB Connection

* Update lateral_movement_direct_outbound_smb_connection.toml

(cherry picked from commit e33389b2ef)
 2024-01-23 18:38:50 +00:00
Jonhnathan 4c9a6b1dcc [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux (#3398) 
* [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux

* Update defense_evasion_wsl_filesystem.toml

(cherry picked from commit e0bdb59deb)
 2024-01-22 21:52:44 +00:00
Isai f0028e1457 [New Rules] UEBA GItHub BBRs and Rules (#3174) 
* [New Rules] UEBA GItHub BBRs and Rules

A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.

* Update rules/integrations/github/impact_github_member_removed_from_organization.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* edited BBR rules

-removed newly added member rule

* updated integration manifests and schemas

* Updated min_stack for some rules based on newest GitHub integration schema manifest

* testing min_stack bump to 8.8 for new fields

* removing offending rule to troubleshoot seperately

* added UEBA tags and created UEBA threshold rule

* updated non-ecs-schema to add signal.rule.tags

* updated non-ecs-schema with kibana.alert.workflow_status

* updated rule.threat.tactic

* added user.name to non-ecs-schema

* added quotes to kibana.alert.workflow_status value

* removed trailing space from rule name

* update tags and optimize query for UEBA threshold rule

* removed integration field from Higher-Order rule

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* adjusted new_terms order and rule types based on review feedback

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* remove user.name from detection_rules/etc/non-ecs-schema.json

* fix json formatting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

(cherry picked from commit 442435830f)
 2024-01-22 17:53:12 +00:00
Ruben Groenewoud 1160a91bb9 [New Rule] Potential Buffer Overflow Attack Detected (#3312) 
* [New Rule] Potential Buffer Overflow Attack

* Added timestamp_override

* Update privilege_escalation_potential_bufferoverflow_attack.toml

* Update privilege_escalation_potential_bufferoverflow_attack.toml

* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml

* Update rules/linux/privilege_escalation_potential_bufferoverflow_attack.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

(cherry picked from commit 48d8b650e5)
 2024-01-22 15:33:29 +00:00
Ruben Groenewoud 469ddddafd [New Rule] Chroot Container Escape via Mount (#3387) 
* [New Rule] Chroot Container Escape via Mount

* description fix

(cherry picked from commit ec5f4d596c)
 2024-01-22 08:22:54 +00:00
Ruben Groenewoud 9ea63f9381 [Security Content] Add Investigation Guides to Linux Persistence Rules - 2 (#3350) 
* [Security Content] Add IGs to Persistence - 2

* [Security Content] Add IGs to Persistence - 2

* fixes

* fix

* added ig note

(cherry picked from commit 26747aa8a4)
 2024-01-20 18:41:15 +00:00
Terrance DeJesus 869988c20f [Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368) 
* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

Removed changes from:
- rules/integrations/beaconing/command_and_control_beaconing.toml
- rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml

(selectively cherry picked from commit 1c10c37468)
 2024-01-17 19:19:45 +00:00
Jonhnathan 11c929f019 [Rule Tuning] Windows DR Tuning - 12 (#3364) 
(cherry picked from commit f6ba12a700)
 2024-01-17 16:24:02 +00:00
sbousseaden c6725b5642 [Tuning] Add logs-system. index where applicable (#3390) 
* Update discovery_adfind_command_activity.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update initial_access_suspicious_ms_office_child_process.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update initial_access_suspicious_ms_exchange_process.toml

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update execution_from_unusual_path_cmdline.toml

* Update execution_enumeration_via_wmiprvse.toml

* Update execution_command_shell_started_by_svchost.toml

* Update discovery_enumerating_domain_trusts_via_nltest.toml

* Update discovery_enumerating_domain_trusts_via_dsquery.toml

* Update defense_evasion_workfolders_control_execution.toml

* Update defense_evasion_iis_httplogging_disabled.toml

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* Update defense_evasion_disabling_windows_logs.toml

* Update credential_access_wireless_creds_dumping.toml

* Update credential_access_iis_apppoolsa_pwd_appcmd.toml

* Update credential_access_iis_connectionstrings_dumping.toml

* Update command_and_control_remote_file_copy_desktopimgdownldr.toml

* Update command_and_control_remote_file_copy_mpcmdrun.toml

* Update command_and_control_dns_tunneling_nslookup.toml

* Update persistence_webshell_detection.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update privilege_escalation_named_pipe_impersonation.toml

* Update command_and_control_certreq_postdata.toml

* Update defense_evasion_suspicious_certutil_commands.toml

* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update persistence_system_shells_via_services.toml

* Update execution_suspicious_cmd_wmi.toml

* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update discovery_adfind_command_activity.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_unusual_dir_ads.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Update discovery_admin_recon.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update lateral_movement_alternate_creds_pth.toml

* Update persistence_via_windows_management_instrumentation_event_subscription.toml

* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml

* Update persistence_via_application_shimming.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update discovery_adfind_command_activity.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 27262a585b)
 2024-01-17 13:54:51 +00:00
Jonhnathan 91ee5caf94 [Rule Tuning] Windows DR Tuning - 13 (#3369) 
(cherry picked from commit 71cec2a0e1)
 2024-01-17 12:58:32 +00:00
Jonhnathan b1c8876c53 [Rule Tuning] Windows DR Tuning - 10 (#3355) 
* [Rule Tuning] Windows DR Tuning - 10

* Update discovery_whoami_command_activity.toml

(cherry picked from commit c6ab294627)
 2024-01-17 12:49:05 +00:00
Ruben Groenewoud bf71869f01 [New Rule] Network Connection via Sudo Binary (#3389) 
* [New Rule] Network Connection via Sudo Binary

* description grammar fix

(cherry picked from commit 4301dacfb8)
 2024-01-17 08:52:39 +00:00
Ruben Groenewoud ab977df20d [New Rule] Kernel Driver Load by non-root User (#3378) 
* [New Rule] Kernel Driver Load by non-root User

* setup note change

* removed unnecessary index

(cherry picked from commit a9285445cf)
 2024-01-17 08:40:55 +00:00
Jonhnathan 753578f336 [Rule Tuning] Windows DR Tuning - 14 (#3376) 
* [Rule Tuning] Windows DR Tuning - 14

* Update persistence_suspicious_com_hijack_registry.toml

* Update rules/windows/persistence_webshell_detection.toml

(cherry picked from commit 0469785793)
 2024-01-15 14:20:48 +00:00
Jonhnathan 336dba7d05 [Rule Tuning] Windows DR Tuning - 11 (#3359) 
* [Rule Tuning] Windows DR Tuning - 10

* Update execution_posh_hacktool_functions.toml

* Update impact_backup_file_deletion.toml

(cherry picked from commit caf38fd1b1)
 2024-01-15 14:00:57 +00:00
shashank-elastic 3302d03900 Linux Rule Tuning (#3379) 
(cherry picked from commit 24d5528ab0)
 2024-01-11 12:41:49 +00:00
Ruben Groenewoud 19c6cbf075 [Rule Tuning] Dynamic Linker Copy (#3349) 
(cherry picked from commit df86882036)
 2024-01-08 10:01:10 +00:00
Ruben Groenewoud 14faea2175 [Rule Tuning] Linux cross-platform DRs (#3346) 
(cherry picked from commit 788e2b2823)
 2024-01-08 09:48:51 +00:00
Ruben Groenewoud e95745664f [Rule Tuning] Linux DR Tuning - Part 3 (#3322) 
* [Rule Tuning] Linux DR Tuning - Part 3

* small fix

* typo

* coffee

* Update persistence_cron_job_creation.toml

* Update persistence_shared_object_creation.toml

(cherry picked from commit 6c91c1597d)
 2024-01-08 09:21:32 +00:00
Ruben Groenewoud 629e4475f1 [Rule Tuning] Linux DR Tuning - Part 2 (#3321) 
* [Rule Tuning] Linux DR Tuning - Part 2

* [Rule Tuning] Linux DR Tuning - Part 2

* fix

* Update execution_shell_suspicious_parent_child_revshell_linux.toml

(cherry picked from commit 36226e5428)
 2024-01-08 09:12:16 +00:00
Ruben Groenewoud db58d0c5f2 [Rule Tuning] Linux DR Tuning - Part 1 (#3316) 
* [Rule Tuning] Linux DR Tuning - Part 1

* fix

* Update command_and_control_linux_kworker_netcon.toml

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Update defense_evasion_file_mod_writable_dir.toml

(cherry picked from commit b533642272)
 2024-01-08 08:55:01 +00:00
Jonhnathan d435ab7c44 [Rule Tuning] Windows DR Tuning - 9 (#3354) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 724e34ba95)
 2024-01-07 12:56:05 +00:00
Isai ba6cfc9d6b [Tuning] Update min_stack for container rules new ecs field (#3370) 
* Update privilege_escalation_mount_launched_inside_a_privileged_container.toml

update min_stack and comments

* Update privilege_escalation_debugfs_launched_inside_a_privileged_container.toml

update min_stack and comments

(cherry picked from commit a0f82c3f12)
 2024-01-05 23:47:14 +00:00
Isai 5e57d440ed [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container (#3241) 
* [New Rule] File System Debugger ‘debugfs’ Launched Inside a Privileged Container

This rule detects the use of the built-in Linux DebugFS utility from inside a privileged container. DebugFS is a special
file system debugging utility which supports reading and writing directly from a hard drive device. When launched inside
a privileged container, a container deployed with all the capabilities of the host machine, an attacker can access
sensitive host level files which could be used for further privilege escalation and container escapes to the host
machine.

* added references

* Apply suggestions from code review

* Update rules/integrations/cloud_defend/privilege_escalation_debugfs_launched_inside_a_privileged_container.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Apply suggestions from code review

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 10b241dcc5)
 2024-01-05 15:33:00 +00:00