* add description to hunting schema; change queries to be a list * update createremotethreat by process hunt * update dll hijack and masquerading as MSFT library * remove sysmon specific dDLL hijack via masquerading MSFT library * updated Masquerading Attempts as Native Windows Binaries * updates Rare DLL Side-Loading by Occurrence * updates Rare LSASS Process Access Attempts * update DNS Queries via LOLBins with Low Occurence Frequency * updated Low Occurrence of Drivers Loaded on Unique Hosts * updates Excessive RDP Network Activity by Host and User * updates Excessive SMB Network Activity by Process ID * updated Executable File Creation by an Unusual Microsoft Binary * Frequency of Process Execution and Network Logon by Source Address * updates Frequency of Process Execution and Network Logon by Source Address * updated Execution via Remote Services by Client Address * updated Startup Execution with Low Occurrence Frequency by Unique Host * updated Low Frequency of Process Execution via WMI by Unique Agent * updated Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent * updated Low Occurence of Process Execution via Windows Services with Unique Agent * Updated High Count of Network Connection Over Extended Period by Process * update Libraries Loaded by svchost with Low Occurrence Frequency * updated Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent * updated Network Discovery via Sensitive Ports by Unusual Process * updated PE File Transfer via SMB_Admin Shares by Agent or User * updated Persistence via Run Key with Low Occurrence Frequency * updates Persistence via Startup with Low Occurrence Frequency by Unique Host * updates "Persistence via Run Key with Low Occurrence Frequency"; adjusted file names to remove data source * updates "Low Occurrence of Suspicious Launch Agent or Launch Daemon" * updates "Egress Network Connections with Total Bytes Greater than Threshold" * updates "Rundll32 Execution 
Aggregated by Command Line" * updates "Scheduled tasks Creation by Action via Registry" * updates "Scheduled Tasks Creation for Unique Hosts by Task Command" * updates "Suspicious Base64 Encoded Powershell Command" * updates "Suspicious DNS TXT Record Lookups by Process" * updates "Unique Windows Services Creation by Service File Name" * Updates "Unique Windows Services Creation by Service File Name" * updates "Windows Command and Scripting Interpreter from Unusual Parent Process" * updates "Windows Logon Activity by Source IP" * updates "Suspicious Network Connections by Unsigned Mach-O" * updates LLM hunting queries * re-generated markdown files; updated generate markdown py file * updated test_hunt_data * Update hunting/macos/queries/suspicious_network_connections_by_unsigned_macho.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/drivers_load_with_low_occurrence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update hunting/windows/queries/excessive_rdp_network_activity_by_source_host_and_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * updated missing integrations * updated MD docs according to recent hunting changes * Update hunting/windows/queries/executable_file_creation_by_an_unusual_microsoft_binary.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_rare_dll_sideload_by_occurrence.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update 
hunting/windows/queries/detect_masquerading_attempts_as_native_windows_binaries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/windows/queries/detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update hunting/llm/queries/aws_bedrock_dos_resource_exhaustion_detection.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * added enrichment policy link to rule * Update hunting/windows/docs/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/windows_command_and_scripting_interpreter_from_unusual_parent.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/rundll32_execution_aggregated_by_cmdline.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/microsoft_office_child_processes_with_low_occurrence_frequency.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/index.md Co-authored-by: Samirbous 
<64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/docs/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> * Update hunting/windows/queries/execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
"""Test for hunt toml files."""
import unittest
from hunting.generate_markdown import HUNTING_DIR, load_toml
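class TestHunt(unittest.TestCase):
    """Validate the hunt TOML files shipped under ``HUNTING_DIR``.

    Three properties are checked: ``load_toml`` maps a representative hunt
    document onto the expected attributes, every ``*.toml`` in the hunting
    tree carries the mandatory fields, and each query file has a generated
    Markdown counterpart in the sibling ``docs`` directory.
    """

    # Fields every hunt must populate; checked per file in test_load_toml_files.
    REQUIRED_FIELDS = (
        "author",
        "description",
        "integration",
        "uuid",
        "name",
        "language",
        "query",
    )

    def test_toml_loading(self):
        """Parse an inline hunt document and check the mapped attributes."""
        example_toml = """
[hunt]
author = "Elastic"
description = "Detects denial of service or resource exhaustion attacks."
integration = "aws_bedrock.invocation"
uuid = "dc181967-c32c-46c9-b84b-ec4c8811c6a0"
name = "Denial of Service or Resource Exhaustion Attacks Detection"
language = "ES|QL"
license = "Elastic License v2"
query = ['SELECT * FROM logs']
notes = ["High token usage can strain system resources."]
mitre = ["AML.T0034"]
references = ["https://www.elastic.co"]
"""
        config = load_toml(example_toml)
        self.assertEqual(config.author, "Elastic")
        self.assertEqual(
            config.description,
            "Detects denial of service or resource exhaustion attacks.",
        )
        self.assertEqual(config.integration, "aws_bedrock.invocation")
        self.assertEqual(config.uuid, "dc181967-c32c-46c9-b84b-ec4c8811c6a0")
        self.assertEqual(
            config.name, "Denial of Service or Resource Exhaustion Attacks Detection"
        )
        self.assertEqual(config.language, "ES|QL")
        # ``query`` is a list of statements, not a single string.
        self.assertEqual(config.query, ["SELECT * FROM logs"])

    def test_load_toml_files(self):
        """Every hunt TOML under HUNTING_DIR parses and has the mandatory fields set."""
        toml_files = list(HUNTING_DIR.rglob("*.toml"))
        # An empty glob would otherwise make the loop below pass vacuously.
        self.assertTrue(toml_files, f"no hunt TOML files found under {HUNTING_DIR}")

        seen_uuids = {}
        for toml_file in toml_files:
            # subTest reports the offending file instead of stopping at the first failure.
            with self.subTest(toml_file=str(toml_file)):
                # Explicit encoding: the platform default may not be UTF-8.
                hunt = load_toml(toml_file.read_text(encoding="utf-8"))
                for field in self.REQUIRED_FIELDS:
                    self.assertTrue(
                        getattr(hunt, field), f"{field} is empty in {toml_file}"
                    )
                # A uuid identifies one hunt; a duplicate would make two hunts indistinguishable.
                self.assertNotIn(
                    hunt.uuid,
                    seen_uuids,
                    f"uuid {hunt.uuid} in {toml_file} is already used by {seen_uuids.get(hunt.uuid)}",
                )
                seen_uuids[hunt.uuid] = toml_file

    def test_markdown_existence(self):
        """Each hunt TOML has a generated Markdown twin in the sibling ``docs`` directory."""
        for toml_file in HUNTING_DIR.rglob("*.toml"):
            # <platform>/queries/<name>.toml maps to <platform>/docs/<name>.md.
            expected_markdown_path = (
                toml_file.parent.parent / "docs" / toml_file.with_suffix(".md").name
            )
            with self.subTest(toml_file=str(toml_file)):
                self.assertTrue(
                    expected_markdown_path.exists(),
                    f"Markdown file not found for {toml_file} at expected location {expected_markdown_path}",
                )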
if __name__ == "__main__":
    # Discover and run the TestHunt cases in this module when invoked directly.
    unittest.main()