This website requires JavaScript.
718b64f1df
Update execution_downloaded_url_file.toml (#4794 )
2025-06-12 12:11:19 +01:00
ba55fb412b
[New] Potential CVE-2025-33053 Exploitation (#4795 )
2025-06-12 08:08:20 +01:00
c7c1586160
[Rule Deprecation] Azure Entra Sign-in Brute Force Microsoft 365 Accounts by Repeat Source (#4780 )
2025-06-10 12:02:54 -04:00
9569aa4860
[New Rule] Microsoft Entra ID Excessive Account Lockouts Detected (#4782 )
2025-06-10 11:31:35 -04:00
c8d6e32d1c
Update privilege_escalation_unusual_parentchild_relationship.toml (#4775 )
2025-06-09 18:58:55 +01:00
5b3dac0a14
[FR] Add Ability to Filter Rule Exports from Kibana (#4783 )
2025-06-09 12:21:15 -04:00
727a648db1
Update Kibana MITRE workflow (#4735 )
2025-06-09 20:05:18 +05:30
d1e9247bd4
Add update ATT&CK coverage step in lock versions (#4772 )
2025-06-09 19:20:35 +05:30
11468edab6
[Rule Tuning] AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role (#4774 )
2025-06-06 15:08:48 -04:00
a9fe1b107a
[Rule Tunings] AWS EC2 Flow Log Deletion and Network ACL Activity (#4778 )
2025-06-06 14:11:54 -04:00
b2887e592b
[Rule Tuning] Loadable Kernel Module Configuration File Creation (#4765 )
2025-06-05 13:12:24 +02:00
6538fb1662
[Rule Tuning][New Rule][Deprecation] AWS EC2 EBS Snapshot Activity Rules (#4763 )
2025-06-04 10:49:52 -04:00
0a8c3ca471
new rule for bloodhound user agents (#4769 )
2025-06-04 09:11:13 -04:00
71c82ec475
[New Rule] Entra ID Protection - Risk Detection - User Risk (#4762 )
2025-06-04 08:59:01 -04:00
61fb056f05
[Rule Tuning] Microsoft Entra ID Protection Anonymized IP Risk Detection (#4759 )
2025-06-04 08:31:21 -04:00
ba9f76c6b5
[Rule Tuning] Shell Configuration Creation or Modification (#4766 )
2025-06-04 11:26:45 +02:00
4cf3d28367
Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4758 )
2025-06-02 21:53:59 +05:30
c9a1ba358e
[Tuning] AWS Access Token Used from Multiple Addresses (#4753 )
2025-06-02 11:32:05 -04:00
8a829d1503
Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4756 )
2025-06-02 20:44:01 +05:30
89fe4c977c
Refresh Integration Manifest & Schema (#4755 )
2025-06-02 20:14:43 +05:30
aef166c301
[New Rule] Microsoft 365 Suspicious Inbox Rule to Delete or Move Emails (#4743 )
2025-06-02 10:02:18 -04:00
0abd8c923a
Create defense_evasion_lsass_ppl_disabled_registry.toml (#4747 )
2025-05-29 10:55:14 +01:00
bfca0ea414
[New Hunt] Commvault Supply Chain Threat (#4748 )
2025-05-28 14:11:46 -04:00
17d98cc8dd
[Rule Tuning] Tuning Azure Entra Sign-in Brute Force against Microsoft 365 Accounts (#4737 )
2025-05-28 13:45:15 -04:00
4bd8469c38
[New Rule] Microsoft Entra ID Elevated Access to User Access Administrator (#4742 )
2025-05-28 13:33:22 -04:00
22d780f9af
[New Rule] Microsoft Entra ID User Reported Suspicious Activity (#4740 )
2025-05-28 11:55:51 -04:00
0d4db2ecfe
tuning 'Microsoft Entra ID High Risk Sign-in' (#4739 )
2025-05-28 11:40:04 -04:00
2cc81fc0cb
fix: Making github lib a main dependency (#4744 )
2025-05-28 10:35:31 +02:00
bb63887741
[New] BadSuccessor dMSA Abuse Detections (#4745 )
2025-05-25 09:38:15 +01:00
fab0933df4
[Rule Tuning] Tuning Microsoft 365 Global Administrator Role Assigned (#4738 )
2025-05-21 12:47:58 -04:00
2c2b3e7d12
[Tuning] Lateral Movement Rules (#4736 )
2025-05-21 15:59:45 +01:00
22cf1f0ced
[Tuning] Account Discovery Command via SYSTEM Account (#4734 )
2025-05-21 06:25:16 +01:00
72ec8199ae
Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4732 )
2025-05-20 08:26:21 +05:30
5832aec32b
Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4731 )
2025-05-20 07:44:22 +05:30
82bee3e9c2
[Rule Tuning] Microsoft Graph First Occurrence of Client Request (#4728 )
2025-05-19 14:56:21 -04:00
fcd70b284b
[New Rule] Multiple Microsoft 365 User Account Lockouts in Short Time Window (#4717 )
2025-05-19 14:44:46 -04:00
3e0a9ec47b
[Rule Tuning] Potential Microsoft 365 User Account Brute Force (#4716 )
2025-05-19 14:08:38 -04:00
0d366d6a15
[New Rule] Microsoft Entra ID Protection - Risk Detections (#4725 )
2025-05-19 13:51:26 -04:00
43cdc7ff51
Refresh MITRE version (#4729 )
2025-05-19 22:49:33 +05:30
e6fb73970d
[Rule Tuning] Startup or Run Key Registry Modification (#4710 )
2025-05-19 09:42:37 -07:00
9af2bf4a66
[Rule Tuning] Unusual Scheduled Task Update (#4714 )
2025-05-19 09:21:14 -07:00
2ad2d68c4a
Resolve datetime.utcfromtimestamp deprecation (#4719 )
2025-05-19 19:05:07 +03:00
f2f9cdac66
Update initial_access_azure_o365_with_network_alert.toml (#4723 )
2025-05-19 08:24:19 -07:00
47059e22f2
[Rule Tuning] Backup Deletion with Wbadmin (#4715 )
2025-05-19 08:04:25 -07:00
909ff9c07e
new hunt 'Microsoft Entra Infrequent Suspicious OData Client Requests' (#4708 )
2025-05-09 22:14:42 -04:00
8f27c24528
[New Rule] Suspicious Email Access by First-Party Application via Microsoft Graph (#4704 )
2025-05-09 20:49:08 -04:00
d83e1c711a
[New Rule] Microsoft Entra Session Reuse with Suspicious Graph Access (#4711 )
2025-05-09 20:32:22 -04:00
d30e65e5a2
[Rule Tuning] Unusual File Creation - Alternate Data Stream (#4712 )
2025-05-09 09:56:54 -07:00
762857f15f
[Rule Tuning] Tuning Suspicious Mailbox Permission Delegation in Exchange Online (#4705 )
2025-05-08 11:01:00 -04:00
0f3bfcd98a
Fix new term doc broken link (#4706 )
2025-05-07 17:03:58 +05:30
acab8b4c6e
Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4703 )
2025-05-07 07:34:20 +05:30
69498a97ac
Update ATT&CK coverage URL(s) in docs-dev/ATT&CK-coverage.md (#4702 )
2025-05-06 23:12:56 +05:30
639d748ec2
[FR] Add check-version-lock dev command (#4650 )
2025-05-06 13:26:23 -04:00
36d595ae2f
[Rule Tuning] Add exceptions for non-interactive signin failures for Entra M365 Bruteforce (#4405 )
2025-05-06 13:13:15 -04:00
3a601a10fb
[New Rule] Unusual Exim4 Child Process (#4684 )
2025-05-06 18:54:34 +02:00
c145e33f16
[New Rule] Unusual Execution from Kernel Thread (kthreadd) Parent (#4683 )
2025-05-06 18:38:43 +02:00
608e02e27e
[New Rule] Linux Telegram API Request (#4677 )
2025-05-06 18:23:19 +02:00
d3aa4b2f38
[Rule Tuning] Reduce Severity from Critical to High (#4637 )
2025-05-06 09:07:47 -07:00
944428d81e
[New Rule] Unusual LD_PRELOAD/LD_LIBRARY_PATH Command Line Arguments (#4685 )
2025-05-06 17:51:58 +02:00
e028bf7954
[New Rule] Potential Dynamic IEX Reconstruction via Environment Variables (#4633 )
2025-05-06 08:36:06 -07:00
a34a26ddec
[Rule Tuning] Excluding Microsoft Entra ID Service Principal Addition Invoked by MSFT Identity (#4700 )
2025-05-06 11:19:50 -04:00
0cd7de6862
[New Rule] Potential PowerShell Obfuscation via Special Character Overuse (#4632 )
2025-05-06 07:59:19 -07:00
b7016253ae
[New Rule] Potential PowerShell Obfuscation via High Numeric Character Proportion (#4631 )
2025-05-06 07:43:34 -07:00
5d8f0c2ffe
[New Rule] Potential PowerShell Obfuscation via Backtick-Escaped Variable Expansion (#4630 )
2025-05-06 07:28:01 -07:00
b6a755c84f
[New Rule][BBR] Potential PowerShell Obfuscation via High Special Character Proportion (#4629 )
2025-05-06 07:11:33 -07:00
dc6cb3e811
[New Rule] Potential PowerShell Obfuscation via Concatenated Dynamic Command Invocation (#4615 )
2025-05-06 06:56:15 -07:00
5ab73943a1
[New Rule] Potential PowerShell Obfuscation via Invalid Escape Sequences (#4614 )
2025-05-06 06:40:10 -07:00
b5ac9707ba
[New Rule] PowerShell Obfuscation via Negative Index String Reversal (#4610 )
2025-05-06 06:24:22 -07:00
c291638521
[New Rule] Potential PowerShell Obfuscation via Reverse Keywords (#4609 )
2025-05-06 06:06:13 -07:00
7b9cd77bc2
[New Rule] Potential PowerShell Obfuscation via Character Array Reconstruction (#4608 )
2025-05-06 05:48:29 -07:00
ebe77f2d86
[New Rule] Potential PowerShell Obfuscation via String Concatenation (#4607 )
2025-05-06 05:32:35 -07:00
fdc6b09d54
[New Rule] System Binary Symlink to Suspicious Location (#4682 )
2025-05-06 14:16:47 +02:00
25dc8498ae
[New Rule] Suspicious Named Pipe Creation (#4681 )
2025-05-06 14:00:38 +02:00
8b08795e00
[New Rule] Suspicious Kernel Feature Activity (#4676 )
2025-05-06 13:43:24 +02:00
0193af2842
[New Rule] Potential Data Exfiltration Through Curl (#4678 )
2025-05-06 13:27:59 +02:00
4030de9295
[New/Tuning] Potential Hex Payload Execution via Command-Line (#4675 )
2025-05-06 12:59:03 +02:00
eb3520a63b
[New Rule] Potential Backdoor Execution Through PAM_EXEC (#4674 )
2025-05-06 12:43:23 +02:00
91acb4e9ce
[New] Windows Sandbox with Sensitive Configuration (#4606 )
2025-05-06 11:28:39 +01:00
04f15aa08c
[New] Rare Connection to WebDAV Target (#4667 )
2025-05-06 11:11:30 +01:00
70f758d9ad
[New] Microsoft Azure or Mail Sign-in from a Suspicious Source (#4673 )
2025-05-06 10:51:11 +01:00
403e20c2c6
[New Rule] Git Repository or File Download to Suspicious Directory (#4663 )
2025-05-06 11:35:27 +02:00
3f9e2edcb5
[New Rule] Manual Mount Discovery via /etc/exports (#4662 )
2025-05-06 11:18:55 +02:00
a9e8a78c09
[New Rule] Docker Release File Creation (#4661 )
2025-05-06 11:01:52 +02:00
13cf424ef5
[New Rule] Manual Memory Dumping via Proc Filesystem (#4660 )
2025-05-06 10:46:15 +02:00
c9c41747fc
[FN Tuning] Suspicious /proc/maps Discovery (#4659 )
2025-05-06 10:29:44 +02:00
1150271372
[New Rule] Suspicious Path Mounted (#4664 )
2025-05-06 10:13:00 +02:00
bcff3f95d5
Update command_and_control_common_webservices.toml (#4686 )
2025-05-06 08:57:21 +01:00
f480e98f16
[New] Concurrent Azure SignIns with Suspicious Properties (#4670 )
2025-05-06 08:39:54 +01:00
6e3b38c645
[New] Suspicious Microsoft 365 UserLoggedIn via OAuth Code (#4691 )
2025-05-06 08:23:33 +01:00
57be590d73
[New Rule] Adding Coverage for Suspicious Activity via Auth Broker On-Behalf-of Principal User (#4687 )
2025-05-06 03:11:57 -04:00
58d03d4043
[New Rule] Adding Coverage for Microsoft Entra ID SharePoint Access for User Principal via Auth Broker (#4695 )
2025-05-05 16:45:47 -04:00
e4856d3c2c
Refresh ecs, beats, integration manifests & schemas (#4699 )
2025-05-05 23:06:40 +05:30
18e1103c51
[New Rule] Potential Linux Tunneling and/or Port Forwarding via SSH Option (#4658 )
2025-05-05 09:59:08 +02:00
b3adc6d3ea
Deprecate Experimental ML command (#4669 )
2025-05-02 21:01:46 +05:30
dddc2a7bb9
[New] Microsoft 365 OAuth Redirect to Device Registration for User (#4694 )
2025-05-02 08:36:10 +01:00
ce66f52aad
[New Rule] Adding Coverage for Microsoft Entra ID Protection Anonymized IP Risk Detection (#4689 )
2025-05-01 23:03:50 -04:00
bae7835f6a
[New Rule] MSFT Tenant OAuth Phishing via First-Party VSCode Client (#4642 )
2025-05-01 22:38:41 -04:00
ff2ecad573
[New Rule] Adding Coverage for AWS S3 Static Site JavaScript File Uploaded (#4617 )
2025-04-30 16:25:03 -04:00
ba959f2ceb
fix: Fixing leftover references to sha256 method (#4690 )
2025-04-30 20:34:15 +02:00
fc1e6145cc
Lock versions for releases: 8.14,8.15,8.16,8.17,8.18,9.0 (#4679 )
2025-04-30 18:11:35 +05:30
Samirbous