Files

T

Samirbous 26fb8e83a5 [New Rule] Potential Privileged Escalation via SamAccountName Spoofing (#1660 )

* [New Rule] Potential Privileged Escalation via SamAccountName Spoofing

Identifies a suspicious computer account name rename event, this may indicate an attempt to exploit CVE-2021-42278 to elevated privileges from standard domain user to domain admin privileges. CVE-2021-42278 is a security vulnerability that allows potential attackers to impersonate a domain controller using computer account sAMAccountName spoofing.

https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/
https://github.com/cube0x0/noPac

EQL

```
iam where event.action == "renamed-user-account" and
  /* machine account name renamed to user like account name */
  winlog.event_data.OldTargetUserName : "*$" and not winlog.event_data.NewTargetUserName : "*$"
```

* Create privilege_escalation_samaccountname_spoofing_attack.toml

* Update non-ecs-schema.json

* extra ref

* toml linted

* ref for MS kb5008102

* more ref

* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update non-ecs-schema.json

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

2022-01-27 15:46:27 +01:00

_deprecated

[Deprecate Rule] Threat Intel Filebeat Module (v7.x) Indicator Match (#1703 )

2022-01-25 16:46:49 -09:00

apm

[Rule tuning] Revise rule description and other text (#1398 )

2021-08-03 13:07:47 -08:00

cross-platform

[Deprecate Rule] Threat Intel Filebeat Module (v7.x) Indicator Match (#1703 )

2022-01-25 16:46:49 -09:00

integrations

[New Rule] Global Administrator Role Assigned (#1686 )

2022-01-27 09:53:02 -03:00

linux

[New Rule] Potential Privilege Escalation via PKEXEC (#1727 )

2022-01-27 10:41:40 +01:00

macos

MacOS FolderActionScripts Process List Update (#1723 )

2022-01-25 14:27:27 -06:00

Add min_stack_comments to metadata schema (#1573 )

2021-10-19 20:52:53 -08:00

network

[Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL (#1651 )

2021-12-07 09:09:03 -03:00

promotions

[Rule Tuning] Bump max_signals on Endgame Promotion Rules (#1662 )

2021-12-14 11:52:12 -03:00

windows

[New Rule] Potential Privileged Escalation via SamAccountName Spoofing (#1660 )

2022-01-27 15:46:27 +01:00

README.md

[New Rule] Endpoint Security Behavior Protection (#1440 )

2021-08-25 09:56:59 -06:00

README.md

rules/

Rules within this folder are organized by solution or platform. The structure is flattened out, because nested file hierarchies are hard to navigate and find what you're looking for. Each directory contains several .toml files, and the primary ATT&CK tactic is included in the file name when it's relevant (i.e. windows/execution_via_compiled_html_file.toml)

folder	description
`.`	Root directory where rules are stored
`apm/`	Rules that use Application Performance Monitoring (APM) data sources
`cross-platform/`	Rules that apply to multiple platforms, such as Windows and Linux
`integrations/`	Rules organized by Fleet integration
`linux/`	Rules for Linux or other Unix based operating systems
`macos/`	Rules for macOS
`ml/`	Rules that use machine learning jobs (ML)
`network/`	Rules that use network data sources
`promotions/`	Rules that promote external alerts into detection engine alerts
`windows/`	Rules for the Microsoft Windows Operating System

Integration specific rules are stored in the integrations/ directory:

folder	integration
`aws/`	Amazon Web Services (AWS)
`azure/`	Microsoft Azure
`cyberarkpas/`	Cyber Ark Privileged Access Security
`endpoint/`	Elastic Endpoint Security
`gcp/`	Google Cloud Platform (GCP)
`google_workspace/`	Google Workspace (formerly GSuite)
`o365/`	Microsoft Office
`okta/`	Oka