ff3f66cacf
[Rule Tuning] AWS S3 Object Versioning Suspended ( #3953 )
2024-08-02 13:36:11 -03:00
dfdc214be8
[New Rule] Potential Relay Attack against a Domain Controller ( #3928 )
...
* [New Rule] Potential Relay Attack against a Domain Controller
* Update credential_access_dollar_account_relay.toml
* Move to the correct folder
2024-08-02 13:03:20 -03:00
8d3ec2b8a3
[Rule Tuning] Sensitive Registry Hive Access via RegBack ( #3947 )
...
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2024-08-01 14:06:08 -03:00
485312d5f2
[Rule Tuning] System Binary Moved or Copied ( #3933 )
2024-08-01 18:47:58 +02:00
62982f9d8c
[New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User ( #3910 )
...
* [New Rule] AWS IAM CompromisedKeyQuarantine Policy Attached to User
* increased severity score
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-08-01 00:30:02 -04:00
f2eb78219c
[New Rule] AWS IAM User or Role Created Cloudformation Stack for First Time ( #3923 )
...
* [New Rule] AWS IAM User or Role Created Cloudformation Stack for First Time
* Update discovery_new_terms_sts_getcalleridentity.toml
* Update execution_new_terms_ec2_instance_cloudformation_createstack.toml
* Update rules/integrations/aws/execution_new_terms_ec2_instance_cloudformation_createstack.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* rule name change, removed ec2
* Update rules/integrations/aws/execution_new_terms_cloudformation_createstack.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-07-31 16:55:49 -04:00
1b58d0640b
[New Rule] AWS EC2 Instance Console Login via Assumed Role ( #3922 )
...
* [New Rule] AWS EC2 Instance Console Login via Assumed Role
* added reference for custom url creation
* added STS tag
* added event.provider to query
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-07-31 15:52:59 -04:00
a28af59d02
[New Rule] AWS EC2 Instance Interaction with IAM Service ( #3920 )
...
* [New Rule] AWS EC2 Instance Interaction with IAM Service
* Update rules/integrations/aws/persistence_ec2_instance_request_to_iam_service.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-07-31 15:44:02 -04:00
65cacb4960
[New Rule] Potential Active Directory Replication User Backdoor ( #3014 )
...
* [New Rule] Potential Active Directory Replication User Backdoor
* Update credential_access_dcsync_user_backdoor.toml
* Update rules/windows/credential_access_dcsync_user_backdoor.toml
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
* Update rules/windows/credential_access_dcsync_user_backdoor.toml
* Update rules/windows/credential_access_dcsync_user_backdoor.toml
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2024-07-31 12:02:34 -03:00
134b842361
[Rule Tuning] Removed Endgame from Incompatible Rules ( #3931 )
...
* [Rule Tuning] Removed Endgame from Incompatible Rules
* ++
2024-07-31 09:26:38 +02:00
823e8fd140
Lock versions for releases: 8.10,8.11,8.12,8.13,8.14,8.15 ( #3926 )
2024-07-25 18:38:08 +05:30
dce5bbd904
Update Rule minstack ( #3925 )
2024-07-25 17:45:55 +05:30
f3b0dc1954
Prep for next release 8.16 ( #3919 )
2024-07-24 11:19:56 -04:00
896946ad1b
[New Rule] Active Directory Forced Authentication from Linux Host - SMB Named Pipes ( #3917 )
...
* [New Rule] Active Directory Forced Authentication from Linux Host via SMB Pipes
* Update credential_access_forced_authentication_pipes.toml
* Update rules/cross-platform/credential_access_forced_authentication_pipes.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-07-24 12:01:10 -03:00
baee89de9b
Revert "Prep for next release 8.16 ( #3914 )"
...
This reverts commit 4245a815d2
2024-07-23 14:06:04 -04:00
4245a815d2
Prep for next release 8.16 ( #3914 )
...
* Prep for Release 8.16
* Add subscription
* Remove double subscription
* Formatting
* Formatting
* Revert Beaconing rules minstack and lock version
2024-07-23 13:04:03 -04:00
03c99d22d3
Revert "Prep for Release 8.16 ( #3913 )"
...
This reverts commit 01135085f6
2024-07-23 09:50:04 -05:00
01135085f6
Prep for Release 8.16 ( #3913 )
2024-07-23 09:42:26 -05:00
5536a78d89
[New Rule] Potential WSUS Abuse for Lateral Movement ( #3908 )
...
* [New Rule] Potential WSUS Abuse for Lateral Movement
* Update lateral_movement_via_wsus_update.toml
* Update lateral_movement_via_wsus_update.toml
2024-07-22 17:04:08 -03:00
6bc1913473
[Rule Tuning] PowerShell Rules ( #3903 )
2024-07-22 08:39:40 -03:00
a71bbe0cf8
[Rule Tuning] Misc. DR Rule Tuning - Part 2 ( #3905 )
...
* [Rule Tuning] Misc. DR Rule Tuning - Part 2
* ++
* Update privilege_escalation_suspicious_uid_guid_elevation.toml
* Update rules/linux/persistence_systemd_service_creation.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-07-19 15:21:35 +02:00
76fdd549a3
[Rule Tuning] Misc. DR Rule Tuning ( #3904 )
...
* [Rule Tuning] Misc. DR Rule Tuning
* Update execution_unknown_rwx_mem_region_binary_executed.toml
* Update command_and_control_suspicious_network_activity_from_unknown_executable.toml
* I love KQL validation
2024-07-19 15:13:42 +02:00
322162f097
[New Rule] AWS S3 Bucket Replicated to Another Account ( #3895 )
2024-07-18 22:52:39 -04:00
e9cb2228e6
[New Rule] AWS S3 Object Versioning Suspended ( #3894 )
...
* [New Rule] AWS S3 Object Versioning Suspended
* description spacing changes
* update description
2024-07-18 22:14:46 -04:00
80f85cff4d
[New Rule] AWS S3 Bucket Server Access Logging Disabled ( #3892 )
...
* [New Rule] AWS S3 Bucket Server Access Logging Disabled
* changed severity from low to medium
2024-07-18 18:28:19 -04:00
6ac278df0c
[tuning] Connection to Commonly Abused Web Services ( #3901 )
...
* Update command_and_control_common_webservices.toml
* Update command_and_control_common_webservices.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-07-18 09:59:53 -03:00
1384742f07
[New Rule] Service DACL Modification via sc.exe ( #3900 )
...
* [New Rule] Service DACL Modification via sc.exe
* Update defense_evasion_sc_sdset.toml
* Update defense_evasion_sc_sdset.toml
2024-07-17 19:39:50 -03:00
39350847d6
[New Rules] Git Hook execution/netcon ( #3896 )
...
* [New Rules] Git Hook execution/netcon
* TImestamp formatting change
* Update rules/linux/persistence_git_hook_netcon.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2024-07-17 15:28:37 +02:00
83d6eeb844
[New Rule] RPM Package Installed by Unusual Parent Process ( #3882 )
...
* [New Rule] RPM Package Installed by Unusual Parent Process
* Update persistence_rpm_package_installation_from_unusual_parent.toml
* Update persistence_rpm_package_installation_from_unusual_parent.toml
2024-07-17 15:12:17 +02:00
8c5910b1a6
[New Rule] Unsafe Docker Container Creation ( #3884 )
...
* [New Rule] Unsafe Docker Container Creation
* Update execution_potentially_overly_permissive_container_creation.toml
* Update execution_potentially_overly_permissive_container_creation.toml
* Update execution_potentially_overly_permissive_container_creation.toml
2024-07-17 15:03:07 +02:00
e5d08a2c38
[Rule Tuning] Updated setup guide ( #3885 )
...
* [Rule Tuning] Updated setup guide
* Update persistence_user_or_group_creation_or_modification.toml
* Update rules/linux/persistence_user_or_group_creation_or_modification.toml
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
* Update rules/linux/persistence_user_or_group_creation_or_modification.toml
---------
Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com >
2024-07-17 14:39:38 +02:00
eca7185901
Remove Rule:Promotion labels and add other relavent labels ( #3902 )
2024-07-17 17:41:05 +05:30
56e8e059b6
[New Rules] Docker Entrypoint Netcon / Nsenter Escape ( #3883 )
...
* [New Rules] Docker entrypoint netcon / nsenter escape
* ++
* Update privilege_escalation_docker_escape_via_nsenter.toml
* Update privilege_escalation_docker_escape_via_nsenter.toml
* Better description formatting
* Update execution_egress_connection_from_entrypoint_in_container.toml
* Update privilege_escalation_docker_escape_via_nsenter.toml
2024-07-15 13:07:36 +02:00
82a0cc80a7
[New Rules] DPKG Execution/Installation ( #3879 )
...
* [New Rules] DPKG Execution/Installation
* Update rules/linux/persistence_dpkg_package_installation_from_unusual_parent.toml
* Update persistence_dpkg_package_installation_from_unusual_parent.toml
* Update persistence_dpkg_unusual_execution.toml
* Update persistence_dpkg_unusual_execution.toml
2024-07-15 12:59:03 +02:00
ffb68174f9
[Rule Tuning] Suspicious DLL Loaded for Persistence or Privilege Escalation ( #3887 )
2024-07-15 06:41:45 -03:00
2110ad53f0
[FR] Support new_terms schema import/export w/custom format ( #3890 )
...
* [FR] Support new_terms schema import/export w/custom format
* fix formatter for filters
* handle both rule formats when parsing data view
2024-07-12 17:17:09 -05:00
bd345d4c19
[Bug] Hunting - Add UTF-8 Encoding for all Read and Write Operations ( #3886 )
...
* adding utf-8 flags
* reverted open() to read_text with encoding flag
* changed ticks
* changed ticks
2024-07-11 18:07:14 -04:00
361e97a256
[FR] Add API auth to Kibana module ( #3815 )
...
* [FR] Add API auth to Kibana module
* update make file to properly install all deps
* Bump Kibana Version
---------
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: eric-forte-elastic <eric.forte@elastic.co >
Co-authored-by: Eric Forte <119343520+eric-forte-elastic@users.noreply.github.com >
2024-07-11 17:19:41 -04:00
44658ea5f6
[Rule Tunings] Change from to prevent double alerts ( #3868 )
2024-07-11 13:02:10 -04:00
f0ab897f99
[Rule Tunings] AWS Administrator Access Policy Attached Rules ( #3867 )
...
* [Tuning] AWS Administrator Access Policy Attached Rules
* change lookback to prevent overlap
* changed from to now-6m
2024-07-11 12:49:03 -04:00
80ac2794f2
[Rule BugFix] Google Workspace Oauth2 new app ( #3436 )
...
* [Rule BugFix] Google Workspace Oauth2 new app
In our extended testing the changed rule with latest Google Workspace
integration generates the following errors which make the rule fail everytime:
```
unsupported_operation_exception: [wildcard] queries are not currently supported on keyed [flattened] fields.
```
After careful investigation this happens since the field google_workspace.token.scope.data is a flattened
JSON filed that contains one or more key/value pairs and ES does not support wildcard matches withing flattened
fields as the error suggests.
We instead query the whole field (that contains the flattened fields) with the wildcard characters and achieve
the same outcome without the error.
* [Rule BugFix] Google Workspace Oauth2 new app update (#3436 )
In our extended testing the changed rule with latest Google Workspace
integration generates the following errors which make the rule fail everytime:
```
unsupported_operation_exception: [wildcard] queries are not currently supported on keyed [flattened] fields.
```
After careful investigation this happens since the field google_workspace.token.scope.data is a flattened
JSON filed that contains one or more key/value pairs and ES does not support wildcard matches withing flattened
fields as the error suggests.
We instead query the whole field (that contains the flattened fields) with the wildcard characters and achieve
the same outcome without the error.
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2024-07-11 10:45:17 -04:00
21485b16fa
[Tuning & Changes] Misc rule/hunt tuning ( #3875 )
...
* [Tuning & Changes] Misc rule/hunt tuning
* Bump update_date
* ++
* Updated docs
2024-07-11 14:55:33 +02:00
c62321f810
[FR] Detection Rule PR Guidelines and Issue Forms ( #3850 )
2024-07-10 17:18:45 -05:00
59a10be7c8
Unit Test to validate from field in toml file ( #3866 )
2024-07-10 22:41:53 +05:30
70411664cf
[Bug] Normalize Hunting Index Link Generation ( #3872 )
...
* normalizing hunting link generation
* replacing header
* adjusting quotes in f-strings
* added source file to metadata
* removed os dependency
* address bug in source file links
* reverting TOML loading
* change all List type hinting to list
* change all List type hinting to list
* fixed accented characters in queries
* reverted accent character removal; moved macos query and MD to macos folder
2024-07-10 11:01:59 -04:00
6e7ece4384
[Rule Tuning] Fix event.action conditions - AD Rules ( #3874 )
2024-07-10 10:33:14 -03:00
b303b8296b
[Rule Tuning] LSASS Memory Dump Creation ( #3810 )
...
* Update rule exclusion with process executable path for Windows Fault Reporting binary, WerFaultSecure.exe.
---------
Co-authored-by: Andrei Rediu <andrei.rediu@bit-sentinel.com >
2024-07-10 06:12:38 -05:00
ec6038b9d9
Added Schema Check for Data View ID and Index ( #3830 )
2024-07-09 15:05:12 -04:00
6a28881b5f
Lock versions for releases: 8.9,8.10,8.11,8.12,8.13,8.14 ( #3880 )
2024-07-09 19:13:24 +05:30
b66d6e06aa
Fix Double Bump For Rule Microsoft Management Console File from Unusual Path ( #3878 )
2024-07-09 17:59:51 +05:30
Jonhnathan