This website requires JavaScript.
5653190d08
[Rule Tuning] Remove hardcoded logic from description (#4503 )
2025-02-28 14:38:18 -03:00
06002cd9ac
[New Rule] Kill Command Execution (#4485 )
2025-02-28 11:26:50 +01:00
9bb3b9f204
[New Rule] Unusual File Transfer Utility Launched (#4487 )
2025-02-28 11:15:21 +01:00
029fd45bb1
[New Rule] Base64 Decoded Payload Piped to Interpreter (#4488 )
2025-02-28 11:01:52 +01:00
a2a120858f
[New Rule] Unusual Base64 Encoding/Decoding Activity (#4486 )
2025-02-28 10:09:48 +01:00
8c250db3c3
[New Rule] Successful SSH Authentication from Unusual IP-Address (#4482 )
2025-02-28 09:55:35 +01:00
89f79c6e4f
[New Rule] Successful SSH Authentication from Unusual SSH Public Key (#4478 )
2025-02-28 09:44:51 +01:00
fe48309daf
[New Rule] Linux User Account Credential Modification (#4484 )
2025-02-27 16:42:11 +01:00
342e18075b
[New Rule] SSH Authorized Keys File Deletion (#4483 )
2025-02-27 16:29:51 +01:00
46c4a80015
[Tuning] Remote File Copy to a Hidden Share (#4494 )
2025-02-27 14:50:02 +00:00
7b15acf9dd
Update defense_evasion_amsi_bypass_powershell.toml (#4477 )
2025-02-27 14:36:15 +00:00
0340335cf4
[Rule Tuning] Sysmon rules that uses event.action (#4496 )
2025-02-27 11:24:42 -03:00
a614da5900
[New Rule] Remote File Creation in World Writeable Directory (#4475 )
2025-02-26 10:11:55 +01:00
59473f09ac
[New Rule] Potential Malware-Driven SSH Brute Force Attempt (#4474 )
2025-02-26 10:00:31 +01:00
758e155231
[New Rule] High Number of Egress Network Connections from Unusual Executable (#4473 )
2025-02-26 09:43:54 +01:00
8a221325e9
[New Rule] Unusual Remote File Creation (#4476 )
2025-02-26 09:30:47 +01:00
73aaad98f0
[Rule Tuning] MsBuild Making Network Connections (#4479 )
2025-02-25 10:04:04 -03:00
bc3e12da38
[Rule Tuning] Adapt Rules to work with Sysmon (#4480 )
2025-02-25 09:54:18 -03:00
8e3ad57672
Update defense_evasion_via_filter_manager.toml (#4493 )
2025-02-25 09:29:36 +00:00
4b8676c586
[Bug] [DaC] Fix Typo in CLI.md (#4491 )
2025-02-24 10:15:19 -05:00
66996ac597
Fix typo in error message (#4489 )
2025-02-24 20:16:43 +05:30
1851ab91fd
new hunting queries for Azure device code (#4468 )
2025-02-21 11:00:34 -05:00
4b7aa67213
[New Rule] Adding Coverage for M365 OneDrive Excessive File Downloads with OAuth Token (#4469 )
2025-02-21 10:45:04 -05:00
0b98462cfe
[New Hunt] Adding Hunting Queries for AWS SNS exfiltration and data collection (#4458 )
2025-02-20 10:53:36 -05:00
ec4523a6a9
[Rule Tuning] Expanding coverage for First Occurrence of Entra ID Auth via DeviceCode Protocol (#4466 )
2025-02-20 10:29:04 -05:00
17ea9fbdd5
[New Rule] Adding Coverage for AWS SNS Topic Created by Rare User (#4455 )
2025-02-20 10:05:40 -05:00
692a1382bf
Fix spacing in Setup information (#4470 )
2025-02-20 10:04:13 +05:30
c0f12ddecf
[Rule Tuning] Tighten Up Windows EventLog Indexes, Improve tags (#4464 )
2025-02-19 12:54:31 -03:00
bd62867465
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4463 )
2025-02-17 18:27:01 +05:30
b951e86a55
[Rule Tuning] Account Configured with Never-Expiring Password (#4459 )
2025-02-17 07:19:33 -03:00
15177246cc
[Rule Tuning] Windows - Improve Index Pattern Consistency (#4462 )
2025-02-17 07:04:34 -03:00
aded9deb79
Modify Unit Test to Support Alert Suppression for EQL Sequences (#4457 )
2025-02-14 00:14:28 +05:30
5155f47b86
[Rule Tuning] Event Aggregation - Fix event.action & event.type conditions (#4445 )
2025-02-07 18:42:28 -03:00
2bf4cf0b2a
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4453 )
2025-02-07 21:41:29 +05:30
a650b028f3
Bumping number of versions per rule to 4 in total (#4451 )
2025-02-07 16:28:36 +01:00
27e8b85840
Update execution_windows_script_from_internet.toml (#4452 )
2025-02-07 14:52:56 +00:00
c7f5385711
[Rule Tuning] Decrease Interval to 1m for Endpoint Promotions (#4450 )
2025-02-07 08:30:35 -06:00
e528feb989
chore(ci): new CI action trigger for REACT testing workflow (#4435 )
2025-02-06 19:39:49 +01:00
b13d6bf314
[New Hunt] Persistence via NetworkManager Dispatcher Script (#4408 )
2025-02-06 09:33:42 +01:00
be54140485
[Rule Tuning] SMB Connections via LOLBin or Untrusted Process (#4444 )
2025-02-05 17:32:57 -03:00
0268daa17d
[Rule Tuning] Tighten Up Elastic Defend Indexes - Linux (#4446 )
2025-02-05 15:25:45 -03:00
ab89dfb98d
[Rule Tuning] Tighten Up Elastic Defend Indexes - MacOS (#4447 )
2025-02-05 15:09:27 -03:00
3e0ba33749
[Rule Tuning] Remote Execution via File Shares (#4448 )
2025-02-05 14:51:47 -03:00
802419178c
[New Hunt] Persistence via Desktop Bus (D-Bus) (#4407 )
2025-02-05 16:45:17 +01:00
1aea556998
[New Hunt] Persistence via PolicyKit (#4406 )
2025-02-05 16:29:47 +01:00
6fa8a862a2
[New Hunt] General Kernel Manipulation (#4403 )
2025-02-05 16:18:51 +01:00
32975e5155
[Rule Tuning] Port Scan Rules (#4443 )
2025-02-05 15:40:27 +01:00
f1dee060b6
[Hunt Tuning] Fixing Sort Logic in Aviatrix Hunting Query (#4432 )
2025-02-03 21:43:02 -05:00
1dfb05ec1c
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4442 )
2025-02-04 00:05:59 +05:30
a866ee7f57
Fix remaining Replace master doc URLs with current (#4441 )
2025-02-03 23:03:20 +05:30
818467f132
Replace master doc URLs with current (#4439 )
2025-02-03 21:27:50 +05:30
8f73b88884
[Tuning / New] Execution of a downloaded windows script (#4434 )
2025-02-03 14:33:59 +00:00
aba793f3e5
Add prerelease version Integration manifests & schemas for sentinel_one_cloud_funnel (#4438 )
2025-02-03 19:45:14 +05:30
350474b7b4
Refresh ECS & Beats schemas, Integration manifests & schemas (#4436 )
2025-02-03 19:18:49 +05:30
8d29a1f7d5
[New Rule] Process Backgrounded by Unusual Parent (#4431 )
2025-02-03 14:17:15 +01:00
14c648598e
[Rule Tuning] Linux DR Tuning - Part 6 (#4423 )
2025-02-03 14:05:26 +01:00
6b84542093
[Rule Tuning] Linux DR Tuning - Part 5 (#4422 )
2025-02-03 13:53:53 +01:00
53b9b53467
[Rule Tuning] Linux DR Tuning - Part 4 (#4421 )
2025-02-03 13:31:00 +01:00
1c98a0d64c
[Rule Tuning] Linux DR Tuning - Part 3 (#4420 )
2025-02-03 13:17:00 +01:00
bf1caf8b5f
[Rule Tuning] December-January AWS Rule Tuning (#4425 )
2025-01-31 10:35:18 -05:00
b1a8341371
[Hunt Tuning] Logon Activity by Source IP (#4428 )
2025-01-31 15:44:38 +01:00
b642c55680
[Rule Tuning] Potential OpenSSH Backdoor Logging Activity (#4429 )
2025-01-31 15:33:21 +01:00
18dd9cb04a
[New Rule] Suspicious Usage of bpf_probe_write_user Helper (#4426 )
2025-01-29 11:46:40 +01:00
52d33c12b8
[Rule Tuning] Linux DR Tuning - Part 2 (#4417 )
2025-01-29 10:34:13 +01:00
4e95bc7891
[New Hunt] Adding Hunting Query for IAM Unusual Default Aviatrix Role Activity (#4409 )
2025-01-28 12:09:29 -05:00
fed7b216d5
[Rule Tuning] Linux DR Tuning - Part 1 (#4416 )
2025-01-28 14:43:00 +01:00
bbcf0c7c34
[New Hunt] Persistence via Initramfs (#4402 )
2025-01-27 10:19:44 +01:00
80fe96109b
[New & Tuning] Persistence via GRUB Bootloader (#4401 )
2025-01-27 09:58:43 +01:00
4e6625ae40
[Tuning] Unusual Instance Metadata Service (IMDS) API Request (#4418 )
2025-01-24 17:23:32 +00:00
fccfafea6b
[Rule Tuning] Improve Detection Compatibility with Non-English Logs (#4410 )
2025-01-23 16:12:42 -03:00
d6f1a75f11
Fix S1 minstack version (#4415 )
2025-01-23 17:59:40 +05:30
7c6c77932c
[FR] Add Remaining Guides (#4412 )
2025-01-22 14:43:30 -06:00
fe8c81d762
[FR] Generate investigation guides (#4358 )
2025-01-22 11:17:38 -06:00
d55d5d9695
[New Rule] File with Right-to-Left Override Character Created/Executed (#4396 )
2025-01-21 16:41:49 -03:00
8093655f76
Lock versions for releases: 8.12,8.13,8.14,8.15,8.16,8.17 (#4400 )
2025-01-21 19:35:57 +05:30
9b8b917598
Update ATT&CK coverage URL(s) in docs/ATT&CK-coverage.md (#4398 )
2025-01-21 17:32:14 +05:30
b708e09f2b
[New Rule] Unusual D-Bus Daemon Child Process (#4397 )
2025-01-21 12:24:06 +01:00
fb13b89f8d
[New Rule] Adding Coverage for AWS S3 Unauthenticated Bucket Access by Rare Source (#4315 )
2025-01-20 13:36:09 -05:00
7be96ec64d
[Rule Tuning] Add Public Snapshot Coverage Regarding AWS EC2 EBS Snapshot Shared or Made Public (#4335 )
2025-01-20 13:15:41 -05:00
cf183579b4
[New Rule] Polkit Version Discovery (#4378 )
2025-01-20 15:58:27 +01:00
2e6ec33141
[New Rule] Polkit Policy Creation (#4379 )
2025-01-20 15:47:18 +01:00
3e655abfef
[New Rule] Unusual Pkexec Execution (#4380 )
2025-01-20 15:35:29 +01:00
4294ed8981
[New Rule] NetworkManager Dispatcher Script Creation (#4381 )
2025-01-20 15:18:55 +01:00
89c113560b
[New Rule] D-Bus Service Created (#4382 )
2025-01-20 15:07:06 +01:00
6cc5184f70
[New Rule] Manual Dracut Execution (#4383 )
2025-01-20 14:41:44 +01:00
abd199a9bc
[New Rule] Dracut Module Creation (#4384 )
2025-01-20 14:31:16 +01:00
2bb46899ae
[New Rule] OpenSSL Password Hash Generation (#4385 )
2025-01-20 14:14:12 +01:00
1fce3fd22a
[New Rule] Boot File Copy (#4386 )
2025-01-20 14:04:02 +01:00
b633987e5b
[New Rule] Initramfs Unpacking via unmkinitramfs (#4387 )
2025-01-20 13:43:54 +01:00
971049957e
[New Rule] Initramfs Extraction via CPIO (#4389 )
2025-01-20 13:32:48 +01:00
1dfc84c37d
[Tuning] Powershell Rules (#4395 )
2025-01-20 12:12:37 +00:00
01eda44298
[Rule Tuning] Linux Persistence Rules (#4393 )
2025-01-20 09:51:49 +01:00
cf929554a6
[New Rule] Systemd Shell Execution During Boot (#4392 )
2025-01-20 09:33:46 +01:00
2ea674ce84
[Bug] [DaC] Metadata maturity field default mismatch and poor enforcement of rule naming conventions (#4285 )
2025-01-17 12:16:32 -05:00
f029e9a171
[New Rule] GRUB Configuration Generation through Built-in Utilities (#4391 )
2025-01-17 18:00:01 +01:00
0ef7f3a83e
[New Rule] GRUB Configuration File Creation (#4390 )
2025-01-17 17:49:41 +01:00
28c3d074b8
[New Rule] Process Started with Executable Stack (#4340 )
2025-01-17 17:36:39 +01:00
ca3994af0d
[Deprecation] Deprecating Potential Password Spraying of Microsoft 365 User Accounts (#4394 )
2025-01-17 10:52:13 -05:00
ac541f0b18
[New Rules] Kernel Seeking/Unpacking Activity (#4341 )
2025-01-16 12:04:04 +01:00
bba5096efa
[New Rule] System Binary Path File Permission Modification (#4339 )
2025-01-16 10:32:23 +01:00
Jonhnathan