├── .github ├── CODEOWNERS ├── ISSUE_TEMPLATE │ ├── bug_report.yaml │ ├── feature_request.yaml │ ├── hunt_tuning.yaml │ ├── new_hunt.yaml │ ├── new_meta.yaml │ ├── new_rule.yaml │ ├── rule_deprecation.yaml │ ├── rule_tuning.yaml │ └── schema_feature_request.yaml ├── PULL_REQUEST_GUIDELINES │ ├── bug_guidelines.md │ ├── enhancement_guidelines.md │ ├── hunt_new_guidelines.md │ ├── hunt_tuning_guidelines.md │ ├── rule_deprecation_guidelines.md │ ├── rule_new_guidelines.md │ ├── rule_tuning_guidelines.md │ └── schema_enhancement_guidelines.md ├── PULL_REQUEST_TEMPLATE.md ├── paths-labeller.yml ├── release-drafter.yml ├── stale.yml └── workflows │ ├── add-guidelines.yml │ ├── attack-coverage-update.yml │ ├── backport.yml │ ├── branch-status-checks.yml │ ├── community.yml │ ├── docs-build.yml │ ├── docs-cleanup.yml │ ├── get-target-branches.yml │ ├── kibana-mitre-update.yml │ ├── lock-versions.yml │ ├── manual-backport.yml │ ├── pythonpackage.yml │ ├── react-tests-dispatcher.yml │ ├── release-docs.yml │ ├── release-fleet.yml │ └── version-code-and-release.yml ├── .gitignore ├── .gitmodules ├── .pre-commit-config.yaml ├── CLI.md ├── CONTRIBUTING.md ├── LICENSE.txt ├── Makefile ├── NOTICE.txt ├── PHILOSOPHY.md ├── README.md ├── Troubleshooting.md ├── detection_rules ├── __init__.py ├── __main__.py ├── action.py ├── action_connector.py ├── attack.py ├── beats.py ├── cli_utils.py ├── config.py ├── custom_rules.py ├── custom_schemas.py ├── devtools.py ├── docs.py ├── ecs.py ├── endgame.py ├── eswrap.py ├── etc │ ├── __init__.py │ ├── _config.yaml │ ├── api_schemas │ │ ├── 7.10 │ │ │ ├── 7.10.base.json │ │ │ ├── 7.10.eql.json │ │ │ ├── 7.10.machine_learning.json │ │ │ ├── 7.10.query.json │ │ │ ├── 7.10.saved_query.json │ │ │ └── 7.10.threshold.json │ │ ├── 7.11 │ │ │ ├── 7.11.base.json │ │ │ ├── 7.11.eql.json │ │ │ ├── 7.11.machine_learning.json │ │ │ ├── 7.11.query.json │ │ │ ├── 7.11.saved_query.json │ │ │ └── 7.11.threshold.json │ │ ├── 7.12 │ │ │ ├── 7.12.base.json │ │ │ 
├── 7.12.eql.json │ │ │ ├── 7.12.machine_learning.json │ │ │ ├── 7.12.query.json │ │ │ ├── 7.12.saved_query.json │ │ │ └── 7.12.threshold.json │ │ ├── 7.13 │ │ │ ├── 7.13.base.json │ │ │ ├── 7.13.eql.json │ │ │ ├── 7.13.machine_learning.json │ │ │ ├── 7.13.query.json │ │ │ ├── 7.13.threat_match.json │ │ │ └── 7.13.threshold.json │ │ ├── 7.14 │ │ │ ├── 7.14.base.json │ │ │ ├── 7.14.eql.json │ │ │ ├── 7.14.machine_learning.json │ │ │ ├── 7.14.query.json │ │ │ ├── 7.14.threat_match.json │ │ │ └── 7.14.threshold.json │ │ ├── 7.15 │ │ │ ├── 7.15.base.json │ │ │ ├── 7.15.eql.json │ │ │ ├── 7.15.machine_learning.json │ │ │ ├── 7.15.query.json │ │ │ ├── 7.15.threat_match.json │ │ │ └── 7.15.threshold.json │ │ ├── 7.16 │ │ │ ├── 7.16.base.json │ │ │ ├── 7.16.eql.json │ │ │ ├── 7.16.machine_learning.json │ │ │ ├── 7.16.query.json │ │ │ ├── 7.16.threat_match.json │ │ │ └── 7.16.threshold.json │ │ ├── 7.8 │ │ │ ├── 7.8.base.json │ │ │ ├── 7.8.machine_learning.json │ │ │ ├── 7.8.query.json │ │ │ └── 7.8.saved_query.json │ │ ├── 7.9 │ │ │ ├── 7.9.base.json │ │ │ ├── 7.9.machine_learning.json │ │ │ ├── 7.9.query.json │ │ │ ├── 7.9.saved_query.json │ │ │ └── 7.9.threshold.json │ │ ├── 8.0 │ │ │ ├── 8.0.base.json │ │ │ ├── 8.0.eql.json │ │ │ ├── 8.0.machine_learning.json │ │ │ ├── 8.0.query.json │ │ │ ├── 8.0.threat_match.json │ │ │ └── 8.0.threshold.json │ │ ├── 8.1 │ │ │ ├── 8.1.base.json │ │ │ ├── 8.1.eql.json │ │ │ ├── 8.1.machine_learning.json │ │ │ ├── 8.1.query.json │ │ │ ├── 8.1.threat_match.json │ │ │ └── 8.1.threshold.json │ │ ├── 8.10 │ │ │ ├── 8.10.base.json │ │ │ ├── 8.10.eql.json │ │ │ ├── 8.10.machine_learning.json │ │ │ ├── 8.10.new_terms.json │ │ │ ├── 8.10.query.json │ │ │ ├── 8.10.threat_match.json │ │ │ └── 8.10.threshold.json │ │ ├── 8.11 │ │ │ ├── 8.11.base.json │ │ │ ├── 8.11.eql.json │ │ │ ├── 8.11.machine_learning.json │ │ │ ├── 8.11.new_terms.json │ │ │ ├── 8.11.query.json │ │ │ ├── 8.11.threat_match.json │ │ │ └── 8.11.threshold.json │ │ ├── 8.12 │ │ │ 
├── 8.12.base.json │ │ │ ├── 8.12.eql.json │ │ │ ├── 8.12.machine_learning.json │ │ │ ├── 8.12.new_terms.json │ │ │ ├── 8.12.query.json │ │ │ ├── 8.12.threat_match.json │ │ │ └── 8.12.threshold.json │ │ ├── 8.13 │ │ │ ├── 8.13.base.json │ │ │ ├── 8.13.eql.json │ │ │ ├── 8.13.esql.json │ │ │ ├── 8.13.machine_learning.json │ │ │ ├── 8.13.new_terms.json │ │ │ ├── 8.13.query.json │ │ │ ├── 8.13.threat_match.json │ │ │ └── 8.13.threshold.json │ │ ├── 8.14 │ │ │ └── master │ │ │ │ ├── 8.14.base.json │ │ │ │ ├── 8.14.eql.json │ │ │ │ ├── 8.14.esql.json │ │ │ │ ├── 8.14.machine_learning.json │ │ │ │ ├── 8.14.new_terms.json │ │ │ │ ├── 8.14.query.json │ │ │ │ ├── 8.14.threat_match.json │ │ │ │ └── 8.14.threshold.json │ │ ├── 8.15 │ │ │ ├── 8.15.base.json │ │ │ ├── 8.15.eql.json │ │ │ ├── 8.15.esql.json │ │ │ ├── 8.15.machine_learning.json │ │ │ ├── 8.15.new_terms.json │ │ │ ├── 8.15.query.json │ │ │ ├── 8.15.threat_match.json │ │ │ └── 8.15.threshold.json │ │ ├── 8.16 │ │ │ ├── 8.16.base.json │ │ │ ├── 8.16.eql.json │ │ │ ├── 8.16.esql.json │ │ │ ├── 8.16.machine_learning.json │ │ │ ├── 8.16.new_terms.json │ │ │ ├── 8.16.query.json │ │ │ ├── 8.16.threat_match.json │ │ │ └── 8.16.threshold.json │ │ ├── 8.17 │ │ │ ├── 8.17.base.json │ │ │ ├── 8.17.eql.json │ │ │ ├── 8.17.esql.json │ │ │ ├── 8.17.machine_learning.json │ │ │ ├── 8.17.new_terms.json │ │ │ ├── 8.17.query.json │ │ │ ├── 8.17.threat_match.json │ │ │ └── 8.17.threshold.json │ │ ├── 8.18 │ │ │ ├── 8.18.base.json │ │ │ ├── 8.18.eql.json │ │ │ ├── 8.18.esql.json │ │ │ ├── 8.18.machine_learning.json │ │ │ ├── 8.18.new_terms.json │ │ │ ├── 8.18.query.json │ │ │ ├── 8.18.threat_match.json │ │ │ └── 8.18.threshold.json │ │ ├── 8.2 │ │ │ ├── 8.2.base.json │ │ │ ├── 8.2.eql.json │ │ │ ├── 8.2.machine_learning.json │ │ │ ├── 8.2.query.json │ │ │ ├── 8.2.threat_match.json │ │ │ └── 8.2.threshold.json │ │ ├── 8.3 │ │ │ ├── 8.3.base.json │ │ │ ├── 8.3.eql.json │ │ │ ├── 8.3.machine_learning.json │ │ │ ├── 8.3.query.json │ │ │ 
├── 8.3.threat_match.json │ │ │ └── 8.3.threshold.json │ │ ├── 8.4 │ │ │ ├── 8.4.base.json │ │ │ ├── 8.4.eql.json │ │ │ ├── 8.4.machine_learning.json │ │ │ ├── 8.4.query.json │ │ │ ├── 8.4.threat_match.json │ │ │ └── 8.4.threshold.json │ │ ├── 8.5 │ │ │ ├── 8.5.base.json │ │ │ ├── 8.5.eql.json │ │ │ ├── 8.5.machine_learning.json │ │ │ ├── 8.5.query.json │ │ │ ├── 8.5.threat_match.json │ │ │ └── 8.5.threshold.json │ │ ├── 8.6 │ │ │ ├── 8.6.base.json │ │ │ ├── 8.6.eql.json │ │ │ ├── 8.6.machine_learning.json │ │ │ ├── 8.6.query.json │ │ │ ├── 8.6.threat_match.json │ │ │ └── 8.6.threshold.json │ │ ├── 8.7 │ │ │ ├── 8.7.base.json │ │ │ ├── 8.7.eql.json │ │ │ ├── 8.7.machine_learning.json │ │ │ ├── 8.7.new_terms.json │ │ │ ├── 8.7.query.json │ │ │ ├── 8.7.threat_match.json │ │ │ └── 8.7.threshold.json │ │ ├── 8.8 │ │ │ ├── 8.8.base.json │ │ │ ├── 8.8.eql.json │ │ │ ├── 8.8.machine_learning.json │ │ │ ├── 8.8.new_terms.json │ │ │ ├── 8.8.query.json │ │ │ ├── 8.8.threat_match.json │ │ │ └── 8.8.threshold.json │ │ ├── 8.9 │ │ │ ├── 8.9.base.json │ │ │ ├── 8.9.eql.json │ │ │ ├── 8.9.machine_learning.json │ │ │ ├── 8.9.new_terms.json │ │ │ ├── 8.9.query.json │ │ │ ├── 8.9.threat_match.json │ │ │ └── 8.9.threshold.json │ │ ├── 9.0 │ │ │ ├── 9.0.base.json │ │ │ ├── 9.0.eql.json │ │ │ ├── 9.0.esql.json │ │ │ ├── 9.0.machine_learning.json │ │ │ ├── 9.0.new_terms.json │ │ │ ├── 9.0.query.json │ │ │ ├── 9.0.threat_match.json │ │ │ └── 9.0.threshold.json │ │ └── master │ │ │ ├── master.base.json │ │ │ ├── master.eql.json │ │ │ ├── master.esql.json │ │ │ ├── master.machine_learning.json │ │ │ ├── master.new_terms.json │ │ │ ├── master.query.json │ │ │ ├── master.threat_match.json │ │ │ └── master.threshold.json │ ├── attack-crosswalk.json │ ├── attack-technique-redirects.json │ ├── attack-v17.1.0.json.gz │ ├── beats_schemas │ │ ├── main.json.gz │ │ ├── v7.10.0.json.gz │ │ ├── v7.11.2.json.gz │ │ ├── v7.12.0.json.gz │ │ ├── v7.13.2.json.gz │ │ ├── v7.14.0.json.gz │ │ ├── 
v7.15.1.json.gz │ │ ├── v7.16.2.json.gz │ │ ├── v7.7.0.json.gz │ │ ├── v7.8.1.json.gz │ │ ├── v7.9.2.json.gz │ │ ├── v8.0.1.json.gz │ │ ├── v8.1.2.json.gz │ │ ├── v8.10.3.json.gz │ │ ├── v8.11.2.json.gz │ │ ├── v8.12.2.json.gz │ │ ├── v8.13.4.json.gz │ │ ├── v8.14.3.json.gz │ │ ├── v8.15.0.json.gz │ │ ├── v8.15.2.json.gz │ │ ├── v8.15.3.json.gz │ │ ├── v8.16.1.json.gz │ │ ├── v8.17.0.json.gz │ │ ├── v8.17.1.json.gz │ │ ├── v8.18.0.json.gz │ │ ├── v8.2.1.json.gz │ │ ├── v8.2.3.json.gz │ │ ├── v8.3.3.json.gz │ │ ├── v8.4.1.json.gz │ │ ├── v8.4.2.json.gz │ │ ├── v8.4.3.json.gz │ │ ├── v8.5.1.json.gz │ │ ├── v8.5.2.json.gz │ │ ├── v8.5.3.json.gz │ │ ├── v8.6.1.json.gz │ │ ├── v8.7.0.json.gz │ │ ├── v8.8.2.json.gz │ │ ├── v8.9.0.json.gz │ │ ├── v9.0.0-beta1.json.gz │ │ └── v9.0.0.json.gz │ ├── commit-and-push.sh │ ├── deprecated_rules.json │ ├── downloadable_updates.json │ ├── ecs_schemas │ │ ├── 1.0.1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.1.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.10.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.11.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.12.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.12.1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.12.2 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.2.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.3.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.3.1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.4.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.5.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.6.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.7.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.8.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 1.9.0 │ │ │ ├── ecs_flat.json.gz │ │ │ 
└── ecs_nested.json.gz │ │ ├── 8.0.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.0.1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.1.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.10.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.11.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.16.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.17.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.2.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.2.1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.3.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.3.1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.4.0-rc1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.4.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.5.0-rc1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.5.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.5.1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.5.2 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.6.0-rc1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.6.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.6.1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.7.0-rc1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.7.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.8.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 8.9.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 9.0.0-rc1 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ ├── 9.0.0 │ │ │ ├── ecs_flat.json.gz │ │ │ └── ecs_nested.json.gz │ │ └── master_9.1.0-dev │ │ │ └── ecs_flat.json.gz │ ├── endgame_schemas │ │ ├── 1.9.0 │ │ │ └── endgame_ecs_mapping.json.gz │ │ 
└── 8.4.0 │ │ │ └── endgame_ecs_mapping.json.gz │ ├── endpoint_schemas │ │ └── endpoint_process.json.gz │ ├── example_test_config.yaml │ ├── integration-manifests.json.gz │ ├── integration-schemas.json.gz │ ├── lock-multiple.sh │ ├── non-ecs-schema.json │ ├── packages.yaml │ ├── rule_template_typosquatting_domain.json │ ├── security-logo-color-64px.svg │ ├── stack-schema-map.yaml │ ├── test_cli.bash │ ├── test_hunting_cli.bash │ ├── test_remote_cli.bash │ ├── test_toml.json │ └── version.lock.json ├── exception.py ├── generic_loader.py ├── ghwrap.py ├── integrations.py ├── kbwrap.py ├── main.py ├── misc.py ├── mixins.py ├── ml.py ├── navigator.py ├── packaging.py ├── remote_validation.py ├── rule.py ├── rule_formatter.py ├── rule_loader.py ├── rule_validators.py ├── schemas │ ├── __init__.py │ ├── definitions.py │ ├── registry_package.py │ └── stack_compat.py ├── utils.py └── version_lock.py ├── docs-dev ├── ATT&CK-coverage.md ├── custom-rules-management.md ├── deprecating.md ├── detections-as-code.md ├── developing.md ├── experimental-machine-learning │ ├── DGA.md │ ├── beaconing.md │ ├── experimental-detections.md │ ├── host-risk-score.md │ ├── images │ │ ├── 0a_host_risk_score_card.png │ │ ├── 0b_alert_summary.png │ │ ├── 0c_host_page_risk_column.png │ │ ├── 0d_host_page_hosts_by_risk_tab.png │ │ ├── 0e_host_details_page_risk_overview.png │ │ ├── 0f_host_details_page_hosts_by_risk_tab.png │ │ ├── 1_create_deployment.png │ │ ├── 2_edit_configuration.png │ │ ├── 3_edit_user_settings.png │ │ ├── 4_add_flag.png │ │ ├── 5_save_settings.png │ │ └── 6_confirm_activity_finished.png │ ├── problem-child.md │ ├── readme.md │ ├── url-spoof.md │ └── user-risk-score.md ├── rule-insights.md ├── typosquatting_rule.md └── versioning.md ├── docs ├── docset.yml └── index.md ├── hunting ├── README.md ├── __init__.py ├── __main__.py ├── aws │ ├── docs │ │ ├── ec2_discovery_multi_region_describe_instance_calls.md │ │ ├── ec2_high_instance_deployment_count_attempts.md │ │ ├── 
ec2_modify_instance_attribute_user_data.md │ │ ├── ec2_suspicious_get_user_password_request.md │ │ ├── iam_assume_role_creation_with_attached_policy.md │ │ ├── iam_customer_managed_policies_attached_to_existing_roles.md │ │ ├── iam_unusual_access_key_usage_for_user.md │ │ ├── iam_unusual_default_aviatrix_role_activity.md │ │ ├── iam_user_activity_with_no_mfa_session.md │ │ ├── iam_user_creation_with_administrator_policy_assigned.md │ │ ├── lambda_add_permissions_for_write_actions_to_function.md │ │ ├── multiple_service_logging_deleted_or_stopped.md │ │ ├── s3_public_bucket_rapid_object_access_attempts.md │ │ ├── secretsmanager_high_frequency_get_secret_value.md │ │ ├── servicequotas_discovery_multi_region_get_service_quota_calls.md │ │ ├── signin_single_factor_console_login_via_federated_session.md │ │ ├── sns_direct_to_phone_messaging_spike.md │ │ ├── sns_email_subscription_by_rare_user.md │ │ ├── sns_topic_created_by_rare_user.md │ │ ├── sns_topic_message_published_by_rare_user.md │ │ ├── ssm_rare_sendcommand_code_execution.md │ │ ├── ssm_sendcommand_api_used_by_ec2_instance.md │ │ ├── ssm_start_remote_session_to_ec2_instance.md │ │ └── sts_suspicious_federated_temporary_credential_request.md │ └── queries │ │ ├── ec2_discovery_multi_region_describe_instance_calls.toml │ │ ├── ec2_high_instance_deployment_count_attempts.toml │ │ ├── ec2_modify_instance_attribute_user_data.toml │ │ ├── ec2_suspicious_get_user_password_request.toml │ │ ├── iam_assume_role_creation_with_attached_policy.toml │ │ ├── iam_customer_managed_policies_attached_to_existing_roles.toml │ │ ├── iam_unusual_access_key_usage_for_user.toml │ │ ├── iam_unusual_default_aviatrix_role_activity.toml │ │ ├── iam_user_activity_with_no_mfa_session.toml │ │ ├── iam_user_creation_with_administrator_policy_assigned.toml │ │ ├── lambda_add_permissions_for_write_actions_to_function.toml │ │ ├── multiple_service_logging_deleted_or_stopped.toml │ │ ├── s3_public_bucket_rapid_object_access_attempts.toml │ │ ├── 
secretsmanager_high_frequency_get_secret_value.toml │ │ ├── servicequotas_discovery_multi_region_get_service_quota_calls.toml │ │ ├── signin_single_factor_console_login_via_federated_session.toml │ │ ├── sns_direct_to_phone_messaging_spike.toml │ │ ├── sns_email_subscription_by_rare_user.toml │ │ ├── sns_topic_created_by_rare_user.toml │ │ ├── sns_topic_message_published_by_rare_user.toml │ │ ├── ssm_rare_sendcommand_code_execution.toml │ │ ├── ssm_sendcommand_api_used_by_ec2_instance.toml │ │ ├── ssm_start_remote_session_to_ec2_instance.toml │ │ └── sts_suspicious_federated_temporary_credential_request.toml ├── azure │ ├── docs │ │ ├── entra_authentication_attempts_behind_rare_user_agents.md │ │ ├── entra_authentication_attempts_from_abused_hosting_service_providers.md │ │ ├── entra_device_code_authentication_from_unusual_principal.md │ │ ├── entra_excessive_non_interactive_sfa_sign_ins_across_users.md │ │ ├── entra_rare_actions_by_service_principal.md │ │ ├── entra_service_principal_credentials_added_to_rare_app.md │ │ ├── entra_suspicious_odata_client_requests.md │ │ └── entra_unusual_client_app_auth_request_on_behalf_of_user.md │ └── queries │ │ ├── entra_authentication_attempts_behind_rare_user_agents.toml │ │ ├── entra_authentication_attempts_from_abused_hosting_service_providers.toml │ │ ├── entra_device_code_authentication_from_unusual_principal.toml │ │ ├── entra_excessive_non_interactive_sfa_sign_ins_across_users.toml │ │ ├── entra_rare_actions_by_service_principal.toml │ │ ├── entra_service_principal_credentials_added_to_rare_app.toml │ │ ├── entra_suspicious_odata_client_requests.toml │ │ └── entra_unusual_client_app_auth_request_on_behalf_of_user.toml ├── definitions.py ├── index.md ├── index.yml ├── linux │ ├── docs │ │ ├── command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.md │ │ ├── command_and_control_via_unusual_file_downloads_from_source_addresses.md │ │ ├── 
defense_evasion_via_capitalized_process_execution.md │ │ ├── defense_evasion_via_hidden_process_execution.md │ │ ├── defense_evasion_via_multi_dot_process_execution.md │ │ ├── excessive_ssh_network_activity_unique_destinations.md │ │ ├── execution_uncommon_process_execution_from_suspicious_directory.md │ │ ├── login_activity_by_source_address.md │ │ ├── low_volume_external_network_connections_from_process.md │ │ ├── low_volume_gtfobins_external_network_connections.md │ │ ├── low_volume_modifications_to_critical_system_binaries.md │ │ ├── low_volume_process_injection_syscalls_by_executable.md │ │ ├── persistence_general_kernel_manipulation.md │ │ ├── persistence_reverse_bind_shells.md │ │ ├── persistence_via_cron.md │ │ ├── persistence_via_desktop_bus.md │ │ ├── persistence_via_driver_load_with_low_occurrence_frequency.md │ │ ├── persistence_via_dynamic_linker_hijacking.md │ │ ├── persistence_via_git_hook_pager.md │ │ ├── persistence_via_grub_bootloader.md │ │ ├── persistence_via_initramfs.md │ │ ├── persistence_via_loadable_kernel_modules.md │ │ ├── persistence_via_malicious_docker_container.md │ │ ├── persistence_via_message_of_the_day.md │ │ ├── persistence_via_network_manager_dispatcher_script.md │ │ ├── persistence_via_package_manager.md │ │ ├── persistence_via_pluggable_authentication_module.md │ │ ├── persistence_via_policykit.md │ │ ├── persistence_via_rc_local.md │ │ ├── persistence_via_rpm_dpkg_installer_packages.md │ │ ├── persistence_via_shell_modification_persistence.md │ │ ├── persistence_via_ssh_configurations_and_keys.md │ │ ├── persistence_via_systemd_timers.md │ │ ├── persistence_via_sysv_init.md │ │ ├── persistence_via_udev.md │ │ ├── persistence_via_unusual_system_binary_parent.md │ │ ├── persistence_via_user_group_creation_modification.md │ │ ├── persistence_via_web_shell.md │ │ ├── persistence_via_xdg_autostart_modifications.md │ │ ├── privilege_escalation_via_existing_sudoers.md │ │ ├── privilege_escalation_via_process_capabilities.md │ │ ├── 
privilege_escalation_via_segmentation_fault_and_buffer_overflow.md │ │ └── privilege_escalation_via_suid_binaries.md │ └── queries │ │ ├── command_and_control_via_network_connections_with_low_occurrence_frequency_for_unique_agents.toml │ │ ├── command_and_control_via_unusual_file_downloads_from_source_addresses.toml │ │ ├── defense_evasion_via_capitalized_process_execution.toml │ │ ├── defense_evasion_via_hidden_process_execution.toml │ │ ├── defense_evasion_via_multi_dot_process_execution.toml │ │ ├── excessive_ssh_network_activity_unique_destinations.toml │ │ ├── execution_uncommon_process_execution_from_suspicious_directory.toml │ │ ├── login_activity_by_source_address.toml │ │ ├── low_volume_external_network_connections_from_process.toml │ │ ├── low_volume_gtfobins_external_network_connections.toml │ │ ├── low_volume_modifications_to_critical_system_binaries.toml │ │ ├── low_volume_process_injection_syscalls_by_executable.toml │ │ ├── persistence_general_kernel_manipulation.toml │ │ ├── persistence_reverse_bind_shells.toml │ │ ├── persistence_via_cron.toml │ │ ├── persistence_via_desktop_bus.toml │ │ ├── persistence_via_driver_load_with_low_occurrence_frequency.toml │ │ ├── persistence_via_dynamic_linker_hijacking.toml │ │ ├── persistence_via_git_hook_pager.toml │ │ ├── persistence_via_grub_bootloader.toml │ │ ├── persistence_via_initramfs.toml │ │ ├── persistence_via_loadable_kernel_modules.toml │ │ ├── persistence_via_malicious_docker_container.toml │ │ ├── persistence_via_message_of_the_day.toml │ │ ├── persistence_via_network_manager_dispatcher_script.toml │ │ ├── persistence_via_package_manager.toml │ │ ├── persistence_via_pluggable_authentication_module.toml │ │ ├── persistence_via_policykit.toml │ │ ├── persistence_via_rc_local.toml │ │ ├── persistence_via_rpm_dpkg_installer_packages.toml │ │ ├── persistence_via_shell_modification_persistence.toml │ │ ├── persistence_via_ssh_configurations_and_keys.toml │ │ ├── persistence_via_systemd_timers.toml │ │ ├── 
persistence_via_sysv_init.toml │ │ ├── persistence_via_udev.toml │ │ ├── persistence_via_unusual_system_binary_parent.toml │ │ ├── persistence_via_user_group_creation_modification.toml │ │ ├── persistence_via_web_shell.toml │ │ ├── persistence_via_xdg_autostart_modifications.toml │ │ ├── privilege_escalation_via_existing_sudoers.toml │ │ ├── privilege_escalation_via_process_capabilities.toml │ │ ├── privilege_escalation_via_segmentation_fault_and_buffer_overflow.toml │ │ └── privilege_escalation_via_suid_binaries.toml ├── llm │ ├── README.md │ ├── docs │ │ ├── aws_bedrock_dos_resource_exhaustion_detection.md │ │ ├── aws_bedrock_ignore_previous_prompt_detection.md │ │ ├── aws_bedrock_latency_anomalies_detection.md │ │ └── aws_bedrock_sensitive_content_refusal_detection.md │ └── queries │ │ ├── aws_bedrock_dos_resource_exhaustion_detection.toml │ │ ├── aws_bedrock_ignore_previous_prompt_detection.toml │ │ ├── aws_bedrock_latency_anomalies_detection.toml │ │ └── aws_bedrock_sensitive_content_refusal_detection.toml ├── macos │ ├── docs │ │ ├── command_and_control_suspicious_executable_file_creation_via_python.md │ │ ├── credential_access_potential_python_stealer.md │ │ ├── defense_evasion_python_library_load_and_delete.md │ │ ├── defense_evasion_self_deleted_python_script_accessing_sensitive_files.md │ │ ├── defense_evasion_self_deleted_python_script_outbound_network_connection.md │ │ ├── defense_evasion_self_deleting_python_script.md │ │ ├── execution_python_script_drop_and_execute.md │ │ ├── execution_suspicious_executable_file_modification_via_docker.md │ │ ├── execution_suspicious_file_access_via_docker.md │ │ ├── execution_suspicious_python_app_execution_via_streamlit.md │ │ ├── execution_unsigned_or_untrusted_binary_execution_via_python.md │ │ ├── execution_unsigned_or_untrusted_binary_fork_via_python.md │ │ ├── execution_unusual_library_load_via_python.md │ │ ├── persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.md │ │ └── 
suspicious_network_connections_by_unsigned_macho.md │ └── queries │ │ ├── command_and_control_suspicious_executable_file_creation_via_python.toml │ │ ├── credential_access_potential_python_stealer.toml │ │ ├── defense_evasion_python_library_load_and_delete.toml │ │ ├── defense_evasion_self_deleted_python_script_accessing_sensitive_files.toml │ │ ├── defense_evasion_self_deleted_python_script_outbound_network_connection.toml │ │ ├── defense_evasion_self_deleting_python_script.toml │ │ ├── execution_python_script_drop_and_execute.toml │ │ ├── execution_suspicious_executable_file_modification_via_docker.toml │ │ ├── execution_suspicious_file_access_via_docker.toml │ │ ├── execution_suspicious_python_app_execution_via_streamlit.toml │ │ ├── execution_unsigned_or_untrusted_binary_execution_via_python.toml │ │ ├── execution_unsigned_or_untrusted_binary_fork_via_python.toml │ │ ├── execution_unusual_library_load_via_python.toml │ │ ├── persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml │ │ └── suspicious_network_connections_by_unsigned_macho.toml ├── markdown.py ├── okta │ ├── docs │ │ ├── credential_access_mfa_bombing_push_notications.md │ │ ├── credential_access_rapid_reset_password_requests_for_different_users.md │ │ ├── defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.md │ │ ├── defense_evasion_multiple_application_sso_authentication_repeat_source.md │ │ ├── defense_evasion_multiple_client_sources_reported_for_oauth_access_tokens_granted.md │ │ ├── defense_evasion_rare_oauth_access_token_granted_by_application.md │ │ ├── initial_access_higher_than_average_failed_authentication.md │ │ ├── initial_access_impossible_travel_sign_on.md │ │ ├── initial_access_password_spraying_from_repeat_source.md │ │ ├── persistence_multi_factor_push_notification_bombing.md │ │ └── persistence_rare_domain_with_user_authentication.md │ └── queries │ │ ├── credential_access_mfa_bombing_push_notications.toml │ │ ├── 
credential_access_rapid_reset_password_requests_for_different_users.toml │ │ ├── defense_evasion_failed_oauth_access_token_retrieval_via_public_client_app.toml │ │ ├── defense_evasion_multiple_application_sso_authentication_repeat_source.toml │ │ ├── defense_evasion_multiple_client_sources_reported_for_oauth_access_tokens_granted.toml │ │ ├── defense_evasion_rare_oauth_access_token_granted_by_application.toml │ │ ├── initial_access_higher_than_average_failed_authentication.toml │ │ ├── initial_access_impossible_travel_sign_on.toml │ │ ├── initial_access_password_spraying_from_repeat_source.toml │ │ ├── persistence_multi_factor_push_notification_bombing.toml │ │ └── persistence_rare_domain_with_user_authentication.toml ├── run.py ├── search.py ├── utils.py └── windows │ ├── docs │ ├── createremotethread_by_source_process_with_low_occurrence.md │ ├── detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.md │ ├── detect_masquerading_attempts_as_native_windows_binaries.md │ ├── detect_rare_dll_sideload_by_occurrence.md │ ├── detect_rare_lsass_process_access_attempts.md │ ├── domain_names_queried_via_lolbins_and_with_low_occurence_frequency.md │ ├── drivers_load_with_low_occurrence_frequency.md │ ├── excessive_rdp_network_activity_by_source_host_and_user.md │ ├── excessive_smb_network_activity_by_process_id.md │ ├── executable_file_creation_by_an_unusual_microsoft_binary.md │ ├── execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.md │ ├── execution_via_remote_services_by_client_address.md │ ├── execution_via_startup_with_low_occurrence_frequency.md │ ├── execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.md │ ├── execution_via_windows_scheduled_task_with_low_occurrence_frequency.md │ ├── execution_via_windows_services_with_low_occurrence_frequency.md │ ├── high_count_of_network_connection_over_extended_period_by_process.md │ ├── libraries_loaded_by_svchost_with_low_occurrence_frequency.md │ ├── 
microsoft_office_child_processes_with_low_occurrence_frequency.md │ ├── network_discovery_via_sensitive_ports_by_unusual_process.md │ ├── pe_file_transfer_via_smb_admin_shares_by_agent.md │ ├── persistence_via_run_key_with_low_occurrence_frequency.md │ ├── persistence_via_startup_with_low_occurrence_frequency.md │ ├── potential_exfiltration_by_process_total_egress_bytes.md │ ├── rundll32_execution_aggregated_by_cmdline.md │ ├── scheduled_task_creation_by_action_via_registry.md │ ├── scheduled_tasks_creation_for_unique_hosts_by_task_command.md │ ├── suspicious_base64_encoded_powershell_commands.md │ ├── suspicious_dns_txt_record_lookups_by_process.md │ ├── unique_windows_services_creation_by_servicefilename.md │ ├── windows_command_and_scripting_interpreter_from_unusual_parent.md │ └── windows_logon_activity_by_source_ip.md │ └── queries │ ├── createremotethread_by_source_process_with_low_occurrence.toml │ ├── detect_dll_hijack_via_masquerading_as_microsoft_native_libraries.toml │ ├── detect_masquerading_attempts_as_native_windows_binaries.toml │ ├── detect_rare_dll_sideload_by_occurrence.toml │ ├── detect_rare_lsass_process_access_attempts.toml │ ├── domain_names_queried_via_lolbins_and_with_low_occurence_frequency.toml │ ├── drivers_load_with_low_occurrence_frequency.toml │ ├── excessive_rdp_network_activity_by_source_host_and_user.toml │ ├── excessive_smb_network_activity_by_process_id.toml │ ├── executable_file_creation_by_an_unusual_microsoft_binary.toml │ ├── execution_via_network_logon_by_occurrence_frequency_by_top_source_ip.toml │ ├── execution_via_remote_services_by_client_address.toml │ ├── execution_via_startup_with_low_occurrence_frequency.toml │ ├── execution_via_windows_management_instrumentation_by_occurrence_frequency_by_unique_agent.toml │ ├── execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml │ ├── execution_via_windows_services_with_low_occurrence_frequency.toml │ ├── 
high_count_of_network_connection_over_extended_period_by_process.toml │ ├── libraries_loaded_by_svchost_with_low_occurrence_frequency.toml │ ├── microsoft_office_child_processes_with_low_occurrence_frequency.toml │ ├── network_discovery_via_sensitive_ports_by_unusual_process.toml │ ├── pe_file_transfer_via_smb_admin_shares_by_agent.toml │ ├── persistence_via_run_key_with_low_occurrence_frequency.toml │ ├── persistence_via_startup_with_low_occurrence_frequency.toml │ ├── potential_exfiltration_by_process_total_egress_bytes.toml │ ├── rundll32_execution_aggregated_by_cmdline.toml │ ├── scheduled_task_creation_by_action_via_registry.toml │ ├── scheduled_tasks_creation_for_unique_hosts_by_task_command.toml │ ├── suspicious_base64_encoded_powershell_commands.toml │ ├── suspicious_dns_txt_record_lookups_by_process.toml │ ├── unique_windows_services_creation_by_servicefilename.toml │ ├── windows_command_and_scripting_interpreter_from_unusual_parent.toml │ └── windows_logon_activity_by_source_ip.toml ├── lib ├── kibana │ ├── kibana │ │ ├── __init__.py │ │ ├── connector.py │ │ ├── definitions.py │ │ └── resources.py │ └── pyproject.toml └── kql │ ├── kql │ ├── __init__.py │ ├── ast.py │ ├── dsl.py │ ├── eql2kql.py │ ├── errors.py │ ├── evaluator.py │ ├── kql.g │ ├── kql2eql.py │ ├── optimizer.py │ └── parser.py │ └── pyproject.toml ├── pyproject.toml ├── rules ├── README.md ├── _deprecated │ ├── apm_null_user_agent.toml │ ├── command_and_control_connection_attempt_by_non_ssh_root_session.toml │ ├── command_and_control_dns_directly_to_the_internet.toml │ ├── command_and_control_ftp_file_transfer_protocol_activity_to_the_internet.toml │ ├── command_and_control_irc_internet_relay_chat_protocol_activity_to_the_internet.toml │ ├── command_and_control_linux_iodine_activity.toml │ ├── command_and_control_linux_port_knocking_reverse_connection.toml │ ├── command_and_control_port_8000_activity_to_the_internet.toml │ ├── 
command_and_control_pptp_point_to_point_tunneling_protocol_activity.toml │ ├── command_and_control_proxy_port_activity_to_the_internet.toml │ ├── command_and_control_smtp_to_the_internet.toml │ ├── command_and_control_sql_server_port_activity_to_the_internet.toml │ ├── command_and_control_ssh_secure_shell_from_the_internet.toml │ ├── command_and_control_ssh_secure_shell_to_the_internet.toml │ ├── command_and_control_tor_activity_to_the_internet.toml │ ├── container_workload_protection.toml │ ├── credential_access_aws_creds_search_inside_a_container.toml │ ├── credential_access_collection_sensitive_files_compression_inside_a_container.toml │ ├── credential_access_microsoft_365_potential_password_spraying_attack.toml │ ├── credential_access_potential_linux_ssh_bruteforce_root.toml │ ├── credential_access_sensitive_keys_or_passwords_search_inside_a_container.toml │ ├── credential_access_tcpdump_activity.toml │ ├── defense_evasion_attempt_to_disable_iptables_or_firewall.toml │ ├── defense_evasion_base64_encoding_or_decoding_activity.toml │ ├── defense_evasion_code_injection_conhost.toml │ ├── defense_evasion_execution_via_trusted_developer_utilities.toml │ ├── defense_evasion_hex_encoding_or_decoding_activity.toml │ ├── defense_evasion_ld_preload_env_variable_process_injection.toml │ ├── defense_evasion_ld_preload_shared_object_modified_inside_a_container.toml │ ├── defense_evasion_mshta_making_network_connections.toml │ ├── defense_evasion_potential_processherpaderping.toml │ ├── defense_evasion_whitespace_padding_in_command_line.toml │ ├── discovery_file_dir_discovery.toml │ ├── discovery_process_discovery_via_tasklist_command.toml │ ├── discovery_query_registry_via_reg.toml │ ├── discovery_suspicious_network_tool_launched_inside_a_container.toml │ ├── discovery_whoami_commmand.toml │ ├── execution_apt_binary.toml │ ├── execution_awk_binary_shell.toml │ ├── execution_busybox_binary.toml │ ├── execution_c89_c99_binary.toml │ ├── 
execution_command_shell_started_by_powershell.toml │ ├── execution_container_management_binary_launched_inside_a_container.toml │ ├── execution_cpulimit_binary.toml │ ├── execution_crash_binary.toml │ ├── execution_env_binary.toml │ ├── execution_expect_binary.toml │ ├── execution_file_made_executable_via_chmod_inside_a_container.toml │ ├── execution_find_binary.toml │ ├── execution_flock_binary.toml │ ├── execution_gcc_binary.toml │ ├── execution_interactive_exec_to_container.toml │ ├── execution_interactive_shell_spawned_from_inside_a_container.toml │ ├── execution_linux_process_started_in_temp_directory.toml │ ├── execution_mysql_binary.toml │ ├── execution_netcat_listener_established_inside_a_container.toml │ ├── execution_reverse_shell_via_named_pipe.toml │ ├── execution_shell_suspicious_parent_child_revshell_linux.toml │ ├── execution_ssh_binary.toml │ ├── execution_suspicious_jar_child_process.toml │ ├── execution_vi_binary.toml │ ├── execution_via_net_com_assemblies.toml │ ├── exfiltration_rds_snapshot_export.toml │ ├── impact_potential_linux_ransomware_file_encryption.toml │ ├── initial_access_cross_site_scripting.toml │ ├── initial_access_login_failures.toml │ ├── initial_access_login_location.toml │ ├── initial_access_login_sessions.toml │ ├── initial_access_login_time.toml │ ├── initial_access_rdp_remote_desktop_protocol_to_the_internet.toml │ ├── initial_access_ssh_connection_established_inside_a_container.toml │ ├── lateral_movement_malicious_remote_file_creation.toml │ ├── lateral_movement_remote_file_creation_in_sensitive_directory.toml │ ├── lateral_movement_ssh_process_launched_inside_a_container.toml │ ├── linux_mknod_activity.toml │ ├── linux_nmap_activity.toml │ ├── linux_socat_activity.toml │ ├── persistence_cron_jobs_creation_and_runtime.toml │ ├── persistence_google_workspace_user_group_access_modified_to_allow_external_access.toml │ ├── persistence_kernel_module_activity.toml │ ├── persistence_shell_activity_by_web_server.toml │ ├── 
persistence_ssh_authorized_keys_modification_inside_a_container.toml │ ├── privilege_escalation_debugfs_launched_inside_a_privileged_container.toml │ ├── privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml │ ├── privilege_escalation_krbrelayup_suspicious_logon.toml │ ├── privilege_escalation_linux_strace_activity.toml │ ├── privilege_escalation_mount_launched_inside_a_privileged_container.toml │ ├── privilege_escalation_potential_container_escape_via_modified_notify_on_release_file.toml │ ├── privilege_escalation_potential_container_escape_via_modified_release_agent_file.toml │ ├── privilege_escalation_printspooler_malicious_driver_file_changes.toml │ ├── privilege_escalation_printspooler_malicious_registry_modification.toml │ ├── privilege_escalation_setgid_bit_set_via_chmod.toml │ ├── threat_intel_filebeat7x.toml │ ├── threat_intel_filebeat8x.toml │ └── threat_intel_fleet_integrations.toml ├── apm │ ├── apm_403_response_to_a_post.toml │ ├── apm_405_response_method_not_allowed.toml │ └── apm_sqlmap_user_agent.toml ├── cross-platform │ ├── command_and_control_google_drive_malicious_file_download.toml │ ├── command_and_control_non_standard_ssh_port.toml │ ├── credential_access_cookies_chromium_browsers_debugging.toml │ ├── credential_access_forced_authentication_pipes.toml │ ├── defense_evasion_agent_spoofing_mismatched_id.toml │ ├── defense_evasion_agent_spoofing_multiple_hosts.toml │ ├── defense_evasion_deleting_websvr_access_logs.toml │ ├── defense_evasion_deletion_of_bash_command_line_history.toml │ ├── defense_evasion_elastic_agent_service_terminated.toml │ ├── defense_evasion_encoding_rot13_python_script.toml │ ├── defense_evasion_masquerading_space_after_filename.toml │ ├── defense_evasion_timestomp_touch.toml │ ├── discovery_security_software_grep.toml │ ├── discovery_virtual_machine_fingerprinting_grep.toml │ ├── execution_aws_ssm_sendcommand_with_command_parameters.toml │ ├── execution_pentest_eggshell_remote_admin_tool.toml │ ├── 
execution_potential_widespread_malware_infection.toml │ ├── execution_revershell_via_shell_cmd.toml │ ├── execution_suspicious_java_netcon_childproc.toml │ ├── guided_onboarding_sample_rule.toml │ ├── impact_hosts_file_modified.toml │ ├── initial_access_azure_o365_with_network_alert.toml │ ├── initial_access_zoom_meeting_with_no_passcode.toml │ ├── multiple_alerts_different_tactics_host.toml │ ├── multiple_alerts_involving_user.toml │ ├── persistence_credential_access_modify_auth_module_or_config.toml │ ├── persistence_shell_profile_modification.toml │ ├── persistence_ssh_authorized_keys_modification.toml │ ├── privilege_escalation_echo_nopasswd_sudoers.toml │ ├── privilege_escalation_setuid_setgid_bit_set_via_chmod.toml │ ├── privilege_escalation_sudo_buffer_overflow.toml │ └── privilege_escalation_sudoers_file_mod.toml ├── integrations │ ├── aws │ │ ├── NOTICE.txt │ │ ├── collection_cloudtrail_logging_created.toml │ │ ├── collection_s3_unauthenticated_bucket_access_by_rare_source.toml │ │ ├── credential_access_aws_getpassword_for_ec2_instance.toml │ │ ├── credential_access_aws_iam_assume_role_brute_force.toml │ │ ├── credential_access_iam_compromisedkeyquarantine_policy_attached_to_user.toml │ │ ├── credential_access_iam_user_addition_to_group.toml │ │ ├── credential_access_new_terms_secretsmanager_getsecretvalue.toml │ │ ├── credential_access_rapid_secret_retrieval_attempts_from_secretsmanager.toml │ │ ├── credential_access_retrieve_secure_string_parameters_via_ssm.toml │ │ ├── credential_access_root_console_failure_brute_force.toml │ │ ├── defense_evasion_cloudtrail_logging_deleted.toml │ │ ├── defense_evasion_cloudtrail_logging_suspended.toml │ │ ├── defense_evasion_cloudwatch_alarm_deletion.toml │ │ ├── defense_evasion_config_service_rule_deletion.toml │ │ ├── defense_evasion_configuration_recorder_stopped.toml │ │ ├── defense_evasion_ec2_flow_log_deletion.toml │ │ ├── defense_evasion_ec2_network_acl_deletion.toml │ │ ├── 
defense_evasion_elasticache_security_group_creation.toml │ │ ├── defense_evasion_elasticache_security_group_modified_or_deleted.toml │ │ ├── defense_evasion_guardduty_detector_deletion.toml │ │ ├── defense_evasion_rds_instance_restored.toml │ │ ├── defense_evasion_route53_dns_query_resolver_config_deletion.toml │ │ ├── defense_evasion_s3_bucket_configuration_deletion.toml │ │ ├── defense_evasion_s3_bucket_lifecycle_expiration_added.toml │ │ ├── defense_evasion_s3_bucket_server_access_logging_disabled.toml │ │ ├── defense_evasion_sqs_purge_queue.toml │ │ ├── defense_evasion_sts_get_federation_token.toml │ │ ├── defense_evasion_vpc_security_group_ingress_rule_added_for_remote_connections.toml │ │ ├── defense_evasion_waf_acl_deletion.toml │ │ ├── defense_evasion_waf_rule_or_rule_group_deletion.toml │ │ ├── discovery_ec2_deprecated_ami_discovery.toml │ │ ├── discovery_ec2_multi_region_describe_instances.toml │ │ ├── discovery_ec2_multiple_discovery_api_calls_via_cli.toml │ │ ├── discovery_ec2_userdata_request_for_ec2_instance.toml │ │ ├── discovery_new_terms_sts_getcalleridentity.toml │ │ ├── discovery_servicequotas_multi_region_service_quota_requests.toml │ │ ├── execution_lambda_external_layer_added_to_function.toml │ │ ├── execution_new_terms_cloudformation_createstack.toml │ │ ├── execution_ssm_command_document_created_by_rare_user.toml │ │ ├── execution_ssm_sendcommand_by_rare_user.toml │ │ ├── exfiltration_dynamodb_scan_by_unusual_user.toml │ │ ├── exfiltration_dynamodb_table_exported_to_s3.toml │ │ ├── exfiltration_ec2_ami_shared_with_separate_account.toml │ │ ├── exfiltration_ec2_ebs_snapshot_shared_with_another_account.toml │ │ ├── exfiltration_ec2_full_network_packet_capture_detected.toml │ │ ├── exfiltration_ec2_snapshot_change_activity.toml │ │ ├── exfiltration_ec2_vm_export_failure.toml │ │ ├── exfiltration_rds_snapshot_export.toml │ │ ├── exfiltration_rds_snapshot_shared_with_another_account.toml │ │ ├── 
exfiltration_s3_bucket_policy_added_for_external_account_access.toml │ │ ├── exfiltration_s3_bucket_replicated_to_external_account.toml │ │ ├── exfiltration_sns_email_subscription_by_rare_user.toml │ │ ├── impact_aws_eventbridge_rule_disabled_or_deleted.toml │ │ ├── impact_aws_s3_bucket_enumeration_or_brute_force.toml │ │ ├── impact_cloudtrail_logging_updated.toml │ │ ├── impact_cloudwatch_log_group_deletion.toml │ │ ├── impact_cloudwatch_log_stream_deletion.toml │ │ ├── impact_ec2_disable_ebs_encryption.toml │ │ ├── impact_ec2_ebs_snapshot_access_removed.toml │ │ ├── impact_efs_filesystem_or_mount_deleted.toml │ │ ├── impact_iam_deactivate_mfa_device.toml │ │ ├── impact_iam_group_deletion.toml │ │ ├── impact_kms_cmk_disabled_or_scheduled_for_deletion.toml │ │ ├── impact_rds_group_deletion.toml │ │ ├── impact_rds_instance_cluster_deletion.toml │ │ ├── impact_rds_instance_cluster_deletion_protection_disabled.toml │ │ ├── impact_rds_instance_cluster_stoppage.toml │ │ ├── impact_rds_snapshot_deleted.toml │ │ ├── impact_s3_bucket_object_uploaded_with_ransom_extension.toml │ │ ├── impact_s3_excessive_object_encryption_with_sse_c.toml │ │ ├── impact_s3_object_encryption_with_external_key.toml │ │ ├── impact_s3_object_versioning_disabled.toml │ │ ├── impact_s3_static_site_js_file_uploaded.toml │ │ ├── impact_s3_unusual_object_encryption_with_sse_c.toml │ │ ├── initial_access_console_login_root.toml │ │ ├── initial_access_iam_session_token_used_from_multiple_addresses.toml │ │ ├── initial_access_kali_user_agent_detected_with_aws_cli.toml │ │ ├── initial_access_password_recovery.toml │ │ ├── initial_access_signin_console_login_no_mfa.toml │ │ ├── lateral_movement_aws_ssm_start_session_to_ec2_instance.toml │ │ ├── lateral_movement_ec2_instance_connect_ssh_public_key_uploaded.toml │ │ ├── lateral_movement_ec2_instance_console_login.toml │ │ ├── lateral_movement_sns_topic_message_publish_by_rare_user.toml │ │ ├── ml_cloudtrail_error_message_spike.toml │ │ ├── 
ml_cloudtrail_rare_error_code.toml │ │ ├── ml_cloudtrail_rare_method_by_city.toml │ │ ├── ml_cloudtrail_rare_method_by_country.toml │ │ ├── ml_cloudtrail_rare_method_by_user.toml │ │ ├── persistence_aws_attempt_to_register_virtual_mfa_device.toml │ │ ├── persistence_ec2_network_acl_creation.toml │ │ ├── persistence_ec2_route_table_modified_or_deleted.toml │ │ ├── persistence_ec2_security_group_configuration_change_detection.toml │ │ ├── persistence_iam_api_calls_via_user_session_token.toml │ │ ├── persistence_iam_create_login_profile_for_root.toml │ │ ├── persistence_iam_create_user_via_assumed_role_on_ec2_instance.toml │ │ ├── persistence_iam_group_creation.toml │ │ ├── persistence_iam_roles_anywhere_profile_created.toml │ │ ├── persistence_iam_roles_anywhere_trusted_anchor_created_with_external_ca.toml │ │ ├── persistence_iam_user_created_access_keys_for_another_user.toml │ │ ├── persistence_lambda_backdoor_invoke_function_for_any_principal.toml │ │ ├── persistence_rds_cluster_creation.toml │ │ ├── persistence_rds_db_instance_password_modified.toml │ │ ├── persistence_rds_group_creation.toml │ │ ├── persistence_rds_instance_creation.toml │ │ ├── persistence_rds_instance_made_public.toml │ │ ├── persistence_redshift_instance_creation.toml │ │ ├── persistence_route_53_domain_transfer_lock_disabled.toml │ │ ├── persistence_route_53_domain_transferred_to_another_account.toml │ │ ├── persistence_route_53_hosted_zone_associated_with_a_vpc.toml │ │ ├── persistence_route_table_created.toml │ │ ├── persistence_sts_assume_role_with_new_mfa.toml │ │ ├── privilege_escalation_iam_administratoraccess_policy_attached_to_group.toml │ │ ├── privilege_escalation_iam_administratoraccess_policy_attached_to_role.toml │ │ ├── privilege_escalation_iam_administratoraccess_policy_attached_to_user.toml │ │ ├── privilege_escalation_iam_customer_managed_policy_attached_to_role.toml │ │ ├── privilege_escalation_iam_saml_provider_updated.toml │ │ ├── 
privilege_escalation_iam_update_assume_role_policy.toml │ │ ├── privilege_escalation_role_assumption_by_service.toml │ │ ├── privilege_escalation_role_assumption_by_user.toml │ │ ├── privilege_escalation_root_login_without_mfa.toml │ │ ├── privilege_escalation_sts_assume_root_from_rare_user_and_member_account.toml │ │ ├── privilege_escalation_sts_getsessiontoken_abuse.toml │ │ ├── privilege_escalation_sts_role_chaining.toml │ │ └── resource_development_sns_topic_created_by_rare_user.toml │ ├── aws_bedrock │ │ ├── aws_bedrock_execution_without_guardrails.toml │ │ ├── aws_bedrock_guardrails_multiple_violations_by_single_user.toml │ │ ├── aws_bedrock_guardrails_multiple_violations_in_single_request.toml │ │ ├── aws_bedrock_high_confidence_misconduct_blocks_detected.toml │ │ ├── aws_bedrock_high_resource_consumption_detection.toml │ │ ├── aws_bedrock_multiple_attempts_to_use_denied_models_by_user.toml │ │ ├── aws_bedrock_multiple_sensitive_information_policy_blocks_detected.toml │ │ ├── aws_bedrock_multiple_topic_policy_blocks_detected.toml │ │ ├── aws_bedrock_multiple_validation_exception_errors_by_single_user.toml │ │ └── aws_bedrock_multiple_word_policy_blocks_detected.toml │ ├── azure │ │ ├── collection_entra_auth_broker_sharepoint_access_for_user_principal.toml │ │ ├── collection_graph_email_access_by_unusual_public_client_via_graph.toml │ │ ├── collection_update_event_hub_auth_rule.toml │ │ ├── credential_access_azure_entra_suspicious_signin.toml │ │ ├── credential_access_azure_entra_totp_brute_force_attempts.toml │ │ ├── credential_access_azure_full_network_packet_capture_detected.toml │ │ ├── credential_access_entra_id_device_code_auth_with_broker_client.toml │ │ ├── credential_access_entra_password_spraying_non_interactive_sfa.toml │ │ ├── credential_access_entra_signin_brute_force_microsoft_365.toml │ │ ├── credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml │ │ ├── credential_access_first_time_seen_device_code_auth.toml │ │ ├── 
credential_access_key_vault_modified.toml │ │ ├── credential_access_storage_account_key_regenerated.toml │ │ ├── defense_evasion_azure_application_credential_modification.toml │ │ ├── defense_evasion_azure_automation_runbook_deleted.toml │ │ ├── defense_evasion_azure_blob_permissions_modified.toml │ │ ├── defense_evasion_azure_diagnostic_settings_deletion.toml │ │ ├── defense_evasion_entra_suspicious_auth_broker_activity_on_behalf_of_principal_user.toml │ │ ├── defense_evasion_event_hub_deletion.toml │ │ ├── defense_evasion_firewall_policy_deletion.toml │ │ ├── defense_evasion_frontdoor_firewall_policy_deletion.toml │ │ ├── defense_evasion_kubernetes_events_deleted.toml │ │ ├── defense_evasion_network_watcher_deletion.toml │ │ ├── defense_evasion_suppression_rule_created.toml │ │ ├── discovery_blob_container_access_mod.toml │ │ ├── discovery_bloodhound_user_agents_detected.toml │ │ ├── execution_command_virtual_machine.toml │ │ ├── impact_kubernetes_pod_deleted.toml │ │ ├── impact_resource_group_deletion.toml │ │ ├── impact_virtual_network_device_modified.toml │ │ ├── initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml │ │ ├── initial_access_azure_active_directory_powershell_signin.toml │ │ ├── initial_access_entra_graph_single_session_from_multiple_addresses.toml │ │ ├── initial_access_entra_id_high_risk_signin.toml │ │ ├── initial_access_entra_id_protection_sign_in_risk_detected.toml │ │ ├── initial_access_entra_id_protection_user_risk_detected.toml │ │ ├── initial_access_entra_id_user_reported_risk.toml │ │ ├── initial_access_entra_illicit_consent_grant_via_registered_application.toml │ │ ├── initial_access_entra_oauth_phishing_via_vscode_client.toml │ │ ├── initial_access_entra_protection_multi_azure_identity_protection_alerts.toml │ │ ├── initial_access_entra_rare_app_id_for_principal_auth.toml │ │ ├── initial_access_entra_rare_authentication_requirement_for_principal_user.toml │ │ ├── initial_access_external_guest_user_invite.toml 
│ │ ├── initial_access_graph_first_occurrence_of_client_request.toml │ │ ├── persistence_azure_automation_account_created.toml │ │ ├── persistence_azure_automation_runbook_created_or_modified.toml │ │ ├── persistence_azure_automation_webhook_created.toml │ │ ├── persistence_azure_global_administrator_role_assigned.toml │ │ ├── persistence_azure_pim_user_added_global_admin.toml │ │ ├── persistence_azure_privileged_identity_management_role_modified.toml │ │ ├── persistence_azure_service_principal_credentials_added.toml │ │ ├── persistence_entra_conditional_access_policy_modified.toml │ │ ├── persistence_entra_service_principal_created.toml │ │ ├── persistence_mfa_disabled_for_azure_user.toml │ │ ├── persistence_user_added_as_owner_for_azure_application.toml │ │ ├── persistence_user_added_as_owner_for_azure_service_principal.toml │ │ ├── privilege_escalation_azure_kubernetes_rolebinding_created.toml │ │ └── privilege_escalation_entra_id_elevate_to_user_administrator_access.toml │ ├── azure_openai │ │ ├── azure_openai_denial_of_ml_service_detection.toml │ │ ├── azure_openai_insecure_output_handling_detection.toml │ │ └── azure_openai_model_theft_detection.toml │ ├── beaconing │ │ ├── command_and_control_beaconing.toml │ │ └── command_and_control_beaconing_high_confidence.toml │ ├── cyberarkpas │ │ ├── privilege_escalation_cyberarkpas_error_audit_event_promotion.toml │ │ └── privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml │ ├── ded │ │ ├── exfiltration_ml_high_bytes_destination_geo_country_iso_code.toml │ │ ├── exfiltration_ml_high_bytes_destination_ip.toml │ │ ├── exfiltration_ml_high_bytes_destination_port.toml │ │ ├── exfiltration_ml_high_bytes_destination_region_name.toml │ │ ├── exfiltration_ml_high_bytes_written_to_external_device.toml │ │ ├── exfiltration_ml_high_bytes_written_to_external_device_airdrop.toml │ │ └── exfiltration_ml_rare_process_writing_to_external_device.toml │ ├── dga │ │ ├── 
command_and_control_ml_dga_activity_using_sunburst_domain.toml │ │ ├── command_and_control_ml_dga_high_sum_probability.toml │ │ ├── command_and_control_ml_dns_request_high_dga_probability.toml │ │ └── command_and_control_ml_dns_request_predicted_to_be_a_dga_domain.toml │ ├── endpoint │ │ ├── defense_evasion_elastic_memory_threat_detected.toml │ │ ├── defense_evasion_elastic_memory_threat_prevented.toml │ │ ├── elastic_endpoint_security.toml │ │ ├── elastic_endpoint_security_behavior_detected.toml │ │ ├── elastic_endpoint_security_behavior_prevented.toml │ │ ├── execution_elastic_malicious_file_detected.toml │ │ ├── execution_elastic_malicious_file_prevented.toml │ │ ├── impact_elastic_ransomware_detected.toml │ │ └── impact_elastic_ransomware_prevented.toml │ ├── fim │ │ └── persistence_suspicious_file_modifications.toml │ ├── gcp │ │ ├── collection_gcp_pub_sub_subscription_creation.toml │ │ ├── collection_gcp_pub_sub_topic_creation.toml │ │ ├── defense_evasion_gcp_firewall_rule_created.toml │ │ ├── defense_evasion_gcp_firewall_rule_deleted.toml │ │ ├── defense_evasion_gcp_firewall_rule_modified.toml │ │ ├── defense_evasion_gcp_logging_bucket_deletion.toml │ │ ├── defense_evasion_gcp_logging_sink_deletion.toml │ │ ├── defense_evasion_gcp_pub_sub_subscription_deletion.toml │ │ ├── defense_evasion_gcp_pub_sub_topic_deletion.toml │ │ ├── defense_evasion_gcp_storage_bucket_configuration_modified.toml │ │ ├── defense_evasion_gcp_storage_bucket_permissions_modified.toml │ │ ├── defense_evasion_gcp_virtual_private_cloud_network_deleted.toml │ │ ├── defense_evasion_gcp_virtual_private_cloud_route_created.toml │ │ ├── defense_evasion_gcp_virtual_private_cloud_route_deleted.toml │ │ ├── exfiltration_gcp_logging_sink_modification.toml │ │ ├── impact_gcp_iam_role_deletion.toml │ │ ├── impact_gcp_service_account_deleted.toml │ │ ├── impact_gcp_service_account_disabled.toml │ │ ├── impact_gcp_storage_bucket_deleted.toml │ │ ├── initial_access_gcp_iam_custom_role_creation.toml │ 
│ ├── persistence_gcp_iam_service_account_key_deletion.toml │ │ ├── persistence_gcp_key_created_for_service_account.toml │ │ └── persistence_gcp_service_account_created.toml │ ├── github │ │ ├── defense_evasion_github_protected_branch_settings_changed.toml │ │ ├── execution_github_app_deleted.toml │ │ ├── execution_github_high_number_of_cloned_repos_from_pat.toml │ │ ├── execution_github_ueba_multiple_behavior_alerts_from_account.toml │ │ ├── execution_new_github_app_installed.toml │ │ ├── impact_github_repository_deleted.toml │ │ ├── persistence_github_org_owner_added.toml │ │ └── persistence_organization_owner_role_granted.toml │ ├── google_workspace │ │ ├── collection_google_drive_ownership_transferred_via_google_workspace.toml │ │ ├── collection_google_workspace_custom_gmail_route_created_or_modified.toml │ │ ├── credential_access_google_workspace_drive_encryption_key_accessed_by_anonymous_user.toml │ │ ├── defense_evasion_application_removed_from_blocklist_in_google_workspace.toml │ │ ├── defense_evasion_domain_added_to_google_workspace_trusted_domains.toml │ │ ├── defense_evasion_google_workspace_bitlocker_setting_disabled.toml │ │ ├── defense_evasion_google_workspace_new_oauth_login_from_third_party_application.toml │ │ ├── defense_evasion_restrictions_for_marketplace_modified_to_allow_any_app.toml │ │ ├── google_workspace_alert_center_promotion.toml │ │ ├── impact_google_workspace_admin_role_deletion.toml │ │ ├── impact_google_workspace_mfa_enforcement_disabled.toml │ │ ├── initial_access_external_user_added_to_google_workspace_group.toml │ │ ├── initial_access_google_workspace_suspended_user_renewed.toml │ │ ├── initial_access_object_copied_to_external_drive_with_app_consent.toml │ │ ├── persistence_application_added_to_google_workspace_domain.toml │ │ ├── persistence_google_workspace_2sv_policy_disabled.toml │ │ ├── persistence_google_workspace_admin_role_assigned_to_user.toml │ │ ├── persistence_google_workspace_api_access_granted_via_dwd.toml │ │ ├── 
persistence_google_workspace_custom_admin_role_created.toml │ │ ├── persistence_google_workspace_password_policy_modified.toml │ │ ├── persistence_google_workspace_role_modified.toml │ │ ├── persistence_google_workspace_user_organizational_unit_changed.toml │ │ └── persistence_mfa_disabled_for_google_workspace_organization.toml │ ├── kubernetes │ │ ├── discovery_denied_service_account_request.toml │ │ ├── discovery_suspicious_self_subject_review.toml │ │ ├── execution_user_exec_to_pod.toml │ │ ├── initial_access_anonymous_request_authorized.toml │ │ ├── persistence_exposed_service_created_with_type_nodeport.toml │ │ ├── privilege_escalation_container_created_with_excessive_linux_capabilities.toml │ │ ├── privilege_escalation_pod_created_with_hostipc.toml │ │ ├── privilege_escalation_pod_created_with_hostnetwork.toml │ │ ├── privilege_escalation_pod_created_with_hostpid.toml │ │ ├── privilege_escalation_pod_created_with_sensitive_hostpath_volume.toml │ │ ├── privilege_escalation_privileged_pod_created.toml │ │ └── privilege_escalation_suspicious_assignment_of_controller_service_account.toml │ ├── lmd │ │ ├── lateral_movement_ml_high_mean_rdp_process_args.toml │ │ ├── lateral_movement_ml_high_mean_rdp_session_duration.toml │ │ ├── lateral_movement_ml_high_remote_file_size.toml │ │ ├── lateral_movement_ml_high_variance_rdp_session_duration.toml │ │ ├── lateral_movement_ml_rare_remote_file_directory.toml │ │ ├── lateral_movement_ml_rare_remote_file_extension.toml │ │ ├── lateral_movement_ml_spike_in_connections_from_a_source_ip.toml │ │ ├── lateral_movement_ml_spike_in_connections_to_a_destination_ip.toml │ │ ├── lateral_movement_ml_spike_in_rdp_processes.toml │ │ ├── lateral_movement_ml_spike_in_remote_file_transfers.toml │ │ └── lateral_movement_ml_unusual_time_for_an_rdp_session.toml │ ├── o365 │ │ ├── collection_microsoft_365_new_inbox_rule.toml │ │ ├── collection_onedrive_excessive_file_downloads.toml │ │ ├── 
credential_access_antra_id_device_reg_via_oauth_redirection.toml │ │ ├── credential_access_microsoft_365_excessive_account_lockouts.toml │ │ ├── credential_access_microsoft_365_potential_user_account_brute_force.toml │ │ ├── credential_access_user_excessive_sso_logon_errors.toml │ │ ├── defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml │ │ ├── defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml │ │ ├── defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml │ │ ├── defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml │ │ ├── defense_evasion_microsoft_365_mailboxauditbypassassociation.toml │ │ ├── defense_evasion_microsoft_365_new_inbox_rule_delete_or_move.toml │ │ ├── defense_evasion_microsoft_365_susp_oauth2_authorization.toml │ │ ├── exfiltration_microsoft_365_exchange_transport_rule_creation.toml │ │ ├── exfiltration_microsoft_365_exchange_transport_rule_mod.toml │ │ ├── exfiltration_microsoft_365_mass_download_by_a_single_user.toml │ │ ├── impact_microsoft_365_potential_ransomware_activity.toml │ │ ├── impact_microsoft_365_unusual_volume_of_file_deletion.toml │ │ ├── initial_access_microsoft_365_abnormal_clientappid.toml │ │ ├── initial_access_microsoft_365_entra_oauth_phishing_via_vscode_client.toml │ │ ├── initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml │ │ ├── initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml │ │ ├── initial_access_microsoft_365_exchange_safelinks_disabled.toml │ │ ├── initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml │ │ ├── initial_access_microsoft_365_impossible_travel_activity.toml │ │ ├── initial_access_microsoft_365_impossible_travel_portal_logins.toml │ │ ├── initial_access_microsoft_365_portal_login_from_rare_location.toml │ │ ├── initial_access_microsoft_365_user_restricted_from_sending_email.toml │ │ ├── initial_access_o365_user_reported_phish_malware.toml │ │ ├── 
lateral_movement_malware_uploaded_onedrive.toml │ │ ├── lateral_movement_malware_uploaded_sharepoint.toml │ │ ├── persistence_exchange_suspicious_mailbox_permission_delegation.toml │ │ ├── persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml │ │ ├── persistence_microsoft_365_exchange_management_role_assignment.toml │ │ ├── persistence_microsoft_365_global_administrator_role_assign.toml │ │ ├── persistence_microsoft_365_teams_custom_app_interaction_allowed.toml │ │ ├── persistence_microsoft_365_teams_external_access_enabled.toml │ │ ├── persistence_microsoft_365_teams_guest_access_enabled.toml │ │ └── privilege_escalation_new_or_modified_federation_domain.toml │ ├── okta │ │ ├── credential_access_attempted_bypass_of_okta_mfa.toml │ │ ├── credential_access_attempts_to_brute_force_okta_user_account.toml │ │ ├── credential_access_multiple_auth_events_from_single_device_behind_proxy.toml │ │ ├── credential_access_multiple_device_token_hashes_for_single_okta_session.toml │ │ ├── credential_access_okta_authentication_for_multiple_users_from_single_source.toml │ │ ├── credential_access_okta_authentication_for_multiple_users_with_the_same_device_token_hash.toml │ │ ├── credential_access_okta_brute_force_or_password_spraying.toml │ │ ├── credential_access_okta_mfa_bombing_via_push_notifications.toml │ │ ├── credential_access_okta_multiple_device_token_hashes_for_single_user.toml │ │ ├── credential_access_okta_potentially_successful_okta_bombing_via_push_notifications.toml │ │ ├── credential_access_user_impersonation_access.toml │ │ ├── defense_evasion_attempt_to_deactivate_okta_network_zone.toml │ │ ├── defense_evasion_attempt_to_delete_okta_network_zone.toml │ │ ├── defense_evasion_first_occurence_public_app_client_credential_token_exchange.toml │ │ ├── defense_evasion_okta_attempt_to_deactivate_okta_policy.toml │ │ ├── defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml │ │ ├── defense_evasion_okta_attempt_to_delete_okta_policy.toml │ │ ├── 
defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml │ │ ├── defense_evasion_okta_attempt_to_modify_okta_network_zone.toml │ │ ├── defense_evasion_okta_attempt_to_modify_okta_policy.toml │ │ ├── defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml │ │ ├── defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml │ │ ├── impact_attempt_to_revoke_okta_api_token.toml │ │ ├── impact_okta_attempt_to_deactivate_okta_application.toml │ │ ├── impact_okta_attempt_to_delete_okta_application.toml │ │ ├── impact_okta_attempt_to_modify_okta_application.toml │ │ ├── impact_possible_okta_dos_attack.toml │ │ ├── initial_access_first_occurrence_user_session_started_via_proxy.toml │ │ ├── initial_access_new_authentication_behavior_detection.toml │ │ ├── initial_access_okta_fastpass_phishing.toml │ │ ├── initial_access_okta_user_attempted_unauthorized_access.toml │ │ ├── initial_access_okta_user_sessions_started_from_different_geolocations.toml │ │ ├── initial_access_sign_in_events_via_third_party_idp.toml │ │ ├── initial_access_successful_application_sso_from_unknown_client_device.toml │ │ ├── initial_access_suspicious_activity_reported_by_okta_user.toml │ │ ├── lateral_movement_multiple_sessions_for_single_user.toml │ │ ├── okta_threatinsight_threat_suspected_promotion.toml │ │ ├── persistence_administrator_privileges_assigned_to_okta_group.toml │ │ ├── persistence_administrator_role_assigned_to_okta_user.toml │ │ ├── persistence_attempt_to_create_okta_api_token.toml │ │ ├── persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml │ │ ├── persistence_mfa_deactivation_with_no_reactivation.toml │ │ ├── persistence_new_idp_successfully_added_by_admin.toml │ │ ├── persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml │ │ └── persistence_stolen_credentials_used_to_login_to_okta_account_after_mfa_reset.toml │ ├── pad │ │ ├── privileged_access_ml_linux_high_count_privileged_process_events_by_user.toml │ │ ├── 
privileged_access_ml_linux_high_median_process_command_line_entropy_by_user.toml │ │ ├── privileged_access_ml_linux_rare_process_executed_by_user.toml │ │ ├── privileged_access_ml_okta_high_sum_concurrent_sessions_by_user.toml │ │ ├── privileged_access_ml_okta_rare_host_name_by_user.toml │ │ ├── privileged_access_ml_okta_rare_region_name_by_user.toml │ │ ├── privileged_access_ml_okta_rare_source_ip_by_user.toml │ │ ├── privileged_access_ml_okta_spike_in_group_application_assignment_changes.toml │ │ ├── privileged_access_ml_okta_spike_in_group_lifecycle_changes.toml │ │ ├── privileged_access_ml_okta_spike_in_group_membership_changes.toml │ │ ├── privileged_access_ml_okta_spike_in_group_privilege_changes.toml │ │ ├── privileged_access_ml_okta_spike_in_user_lifecycle_management_changes.toml │ │ ├── privileged_access_ml_windows_high_count_group_management_events.toml │ │ ├── privileged_access_ml_windows_high_count_special_logon_events.toml │ │ ├── privileged_access_ml_windows_high_count_special_privilege_use_events.toml │ │ ├── privileged_access_ml_windows_high_count_user_account_management_events.toml │ │ ├── privileged_access_ml_windows_rare_device_by_user.toml │ │ ├── privileged_access_ml_windows_rare_group_name_by_user.toml │ │ ├── privileged_access_ml_windows_rare_privilege_assigned_to_user.toml │ │ ├── privileged_access_ml_windows_rare_region_name_by_user.toml │ │ └── privileged_access_ml_windows_rare_source_ip_by_user.toml │ └── problemchild │ │ ├── defense_evasion_ml_rare_process_for_a_host.toml │ │ ├── defense_evasion_ml_rare_process_for_a_parent_process.toml │ │ ├── defense_evasion_ml_rare_process_for_a_user.toml │ │ ├── defense_evasion_ml_suspicious_windows_event_high_probability.toml │ │ ├── defense_evasion_ml_suspicious_windows_event_low_probability.toml │ │ ├── defense_evasion_ml_suspicious_windows_process_cluster_from_host.toml │ │ ├── defense_evasion_ml_suspicious_windows_process_cluster_from_parent_process.toml │ │ └── 
defense_evasion_ml_suspicious_windows_process_cluster_from_user.toml ├── linux │ ├── collection_linux_clipboard_activity.toml │ ├── command_and_control_aws_cli_endpoint_url_used.toml │ ├── command_and_control_cat_network_activity.toml │ ├── command_and_control_cupsd_foomatic_rip_netcon.toml │ ├── command_and_control_curl_socks_proxy_detected.toml │ ├── command_and_control_frequent_egress_netcon_from_sus_executable.toml │ ├── command_and_control_git_repo_or_file_download_to_sus_dir.toml │ ├── command_and_control_ip_forwarding_activity.toml │ ├── command_and_control_linux_chisel_client_activity.toml │ ├── command_and_control_linux_chisel_server_activity.toml │ ├── command_and_control_linux_kworker_netcon.toml │ ├── command_and_control_linux_proxychains_activity.toml │ ├── command_and_control_linux_ssh_x11_forwarding.toml │ ├── command_and_control_linux_suspicious_proxychains_activity.toml │ ├── command_and_control_linux_tunneling_and_port_forwarding.toml │ ├── command_and_control_linux_tunneling_via_ssh_option.toml │ ├── command_and_control_suspicious_network_activity_from_unknown_executable.toml │ ├── command_and_control_telegram_api_request.toml │ ├── command_and_control_tunneling_via_earthworm.toml │ ├── credential_access_aws_creds_search_inside_container.toml │ ├── credential_access_collection_sensitive_files.toml │ ├── credential_access_collection_sensitive_files_compression_inside_container.toml │ ├── credential_access_credential_dumping.toml │ ├── credential_access_gdb_init_process_hooking.toml │ ├── credential_access_gdb_process_hooking.toml │ ├── credential_access_manual_memory_dumping.toml │ ├── credential_access_potential_linux_local_account_bruteforce.toml │ ├── credential_access_potential_linux_ssh_bruteforce_external.toml │ ├── credential_access_potential_linux_ssh_bruteforce_internal.toml │ ├── credential_access_potential_successful_linux_ftp_bruteforce.toml │ ├── credential_access_potential_successful_linux_rdp_bruteforce.toml │ ├── 
credential_access_potential_successful_linux_ssh_bruteforce.toml │ ├── credential_access_proc_credential_dumping.toml │ ├── credential_access_sensitive_keys_or_passwords_search_inside_container.toml │ ├── credential_access_ssh_backdoor_log.toml │ ├── credential_access_unusual_instance_metadata_service_api_request.toml │ ├── defense_evasion_acl_modification_via_setfacl.toml │ ├── defense_evasion_attempt_to_disable_auditd_service.toml │ ├── defense_evasion_attempt_to_disable_iptables_or_firewall.toml │ ├── defense_evasion_attempt_to_disable_syslog_service.toml │ ├── defense_evasion_authorized_keys_file_deletion.toml │ ├── defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml │ ├── defense_evasion_base64_decoding_activity.toml │ ├── defense_evasion_binary_copied_to_suspicious_directory.toml │ ├── defense_evasion_chattr_immutable_file.toml │ ├── defense_evasion_clear_kernel_ring_buffer.toml │ ├── defense_evasion_creation_of_hidden_files_directories.toml │ ├── defense_evasion_directory_creation_in_bin.toml │ ├── defense_evasion_disable_apparmor_attempt.toml │ ├── defense_evasion_disable_selinux_attempt.toml │ ├── defense_evasion_doas_configuration_creation_or_rename.toml │ ├── defense_evasion_dynamic_linker_file_creation.toml │ ├── defense_evasion_esxi_suspicious_timestomp_touch.toml │ ├── defense_evasion_file_deletion_via_shred.toml │ ├── defense_evasion_file_mod_writable_dir.toml │ ├── defense_evasion_hex_payload_execution_via_commandline.toml │ ├── defense_evasion_hex_payload_execution_via_utility.toml │ ├── defense_evasion_hidden_directory_creation.toml │ ├── defense_evasion_hidden_file_dir_tmp.toml │ ├── defense_evasion_hidden_shared_object.toml │ ├── defense_evasion_interactive_shell_from_system_user.toml │ ├── defense_evasion_interpreter_launched_from_decoded_payload.toml │ ├── defense_evasion_kernel_module_removal.toml │ ├── defense_evasion_kill_command_executed.toml │ ├── defense_evasion_kthreadd_masquerading.toml │ ├── 
defense_evasion_ld_preload_cmdline.toml │ ├── defense_evasion_ld_so_creation.toml │ ├── defense_evasion_log_files_deleted.toml │ ├── defense_evasion_mount_execution.toml │ ├── defense_evasion_potential_proot_exploits.toml │ ├── defense_evasion_prctl_process_name_tampering.toml │ ├── defense_evasion_rename_esxi_files.toml │ ├── defense_evasion_rename_esxi_index_file.toml │ ├── defense_evasion_root_certificate_installation.toml │ ├── defense_evasion_selinux_configuration_creation_or_renaming.toml │ ├── defense_evasion_ssl_certificate_deletion.toml │ ├── defense_evasion_sus_utility_executed_via_tmux_or_screen.toml │ ├── defense_evasion_suspicious_path_mounted.toml │ ├── defense_evasion_symlink_binary_to_writable_dir.toml │ ├── defense_evasion_sysctl_kernel_feature_activity.toml │ ├── defense_evasion_unusual_preload_env_vars.toml │ ├── defense_evasion_var_log_file_creation_by_unsual_process.toml │ ├── discovery_docker_socket_discovery.toml │ ├── discovery_dynamic_linker_via_od.toml │ ├── discovery_esxi_software_via_find.toml │ ├── discovery_esxi_software_via_grep.toml │ ├── discovery_kernel_module_enumeration.toml │ ├── discovery_kernel_seeking.toml │ ├── discovery_kernel_unpacking.toml │ ├── discovery_linux_hping_activity.toml │ ├── discovery_linux_nping_activity.toml │ ├── discovery_manual_mount_discovery_via_exports_or_fstab.toml │ ├── discovery_pam_version_discovery.toml │ ├── discovery_ping_sweep_detected.toml │ ├── discovery_polkit_version_discovery.toml │ ├── discovery_port_scanning_activity_from_compromised_host.toml │ ├── discovery_private_key_password_searching_activity.toml │ ├── discovery_proc_maps_read.toml │ ├── discovery_process_capabilities.toml │ ├── discovery_pspy_process_monitoring_detected.toml │ ├── discovery_security_file_access_via_common_utility.toml │ ├── discovery_subnet_scanning_activity_from_compromised_host.toml │ ├── discovery_sudo_allowed_command_enumeration.toml │ ├── discovery_suid_sguid_enumeration.toml │ ├── 
discovery_suspicious_memory_grep_activity.toml │ ├── discovery_suspicious_network_tool_launched_inside_container.toml │ ├── discovery_suspicious_which_command_execution.toml │ ├── discovery_unusual_user_enumeration_via_id.toml │ ├── discovery_virtual_machine_fingerprinting.toml │ ├── discovery_yum_dnf_plugin_detection.toml │ ├── execution_abnormal_process_id_file_created.toml │ ├── execution_container_management_binary_launched_inside_container.toml │ ├── execution_cupsd_foomatic_rip_file_creation.toml │ ├── execution_cupsd_foomatic_rip_lp_user_execution.toml │ ├── execution_cupsd_foomatic_rip_shell_execution.toml │ ├── execution_cupsd_foomatic_rip_suspicious_child_execution.toml │ ├── execution_curl_cve_2023_38545_heap_overflow.toml │ ├── execution_egress_connection_from_entrypoint_in_container.toml │ ├── execution_executable_stack_execution.toml │ ├── execution_file_execution_followed_by_deletion.toml │ ├── execution_file_made_executable_via_chmod_inside_container.toml │ ├── execution_file_transfer_or_listener_established_via_netcat.toml │ ├── execution_interpreter_tty_upgrade.toml │ ├── execution_nc_listener_via_rlwrap.toml │ ├── execution_netcon_from_rwx_mem_region_binary.toml │ ├── execution_network_event_post_compilation.toml │ ├── execution_perl_tty_shell.toml │ ├── execution_potential_hack_tool_executed.toml │ ├── execution_potentially_overly_permissive_container_creation.toml │ ├── execution_process_backgrounded_by_unusual_parent.toml │ ├── execution_process_started_from_process_id_file.toml │ ├── execution_process_started_in_shared_memory_directory.toml │ ├── execution_python_tty_shell.toml │ ├── execution_python_webserver_spawned.toml │ ├── execution_remote_code_execution_via_postgresql.toml │ ├── execution_shell_evasion_linux_binary.toml │ ├── execution_shell_openssl_client_or_server.toml │ ├── execution_shell_via_background_process.toml │ ├── execution_shell_via_child_tcp_utility_linux.toml │ ├── execution_shell_via_java_revshell_linux.toml │ ├── 
execution_shell_via_lolbin_interpreter_linux.toml │ ├── execution_shell_via_meterpreter_linux.toml │ ├── execution_shell_via_suspicious_binary.toml │ ├── execution_shell_via_tcp_cli_utility_linux.toml │ ├── execution_shell_via_udp_cli_utility_linux.toml │ ├── execution_sus_extraction_or_decrompression_via_funzip.toml │ ├── execution_suspicious_executable_running_system_commands.toml │ ├── execution_suspicious_mining_process_creation_events.toml │ ├── execution_suspicious_mkfifo_execution.toml │ ├── execution_system_binary_file_permission_change.toml │ ├── execution_tc_bpf_filter.toml │ ├── execution_unix_socket_communication.toml │ ├── execution_unknown_rwx_mem_region_binary_executed.toml │ ├── execution_unusual_interactive_process_inside_container.toml │ ├── execution_unusual_kthreadd_execution.toml │ ├── execution_unusual_path_invocation_from_command_line.toml │ ├── execution_unusual_pkexec_execution.toml │ ├── exfiltration_potential_curl_data_exfiltration.toml │ ├── exfiltration_potential_data_splitting_for_exfiltration.toml │ ├── exfiltration_unusual_file_transfer_utility_launched.toml │ ├── impact_data_encrypted_via_openssl.toml │ ├── impact_esxi_process_kill.toml │ ├── impact_memory_swap_modification.toml │ ├── impact_potential_bruteforce_malware_infection.toml │ ├── impact_potential_linux_ransomware_note_detected.toml │ ├── impact_process_kill_threshold.toml │ ├── initial_access_first_time_public_key_authentication.toml │ ├── initial_access_successful_ssh_authentication_by_unusual_ip.toml │ ├── initial_access_successful_ssh_authentication_by_unusual_user.toml │ ├── lateral_movement_remote_file_creation_world_writeable_dir.toml │ ├── lateral_movement_ssh_it_worm_download.toml │ ├── lateral_movement_ssh_process_launched_inside_container.toml │ ├── lateral_movement_telnet_network_activity_external.toml │ ├── lateral_movement_telnet_network_activity_internal.toml │ ├── lateral_movement_unusual_remote_file_creation.toml │ ├── 
persistence_apt_package_manager_execution.toml │ ├── persistence_apt_package_manager_file_creation.toml │ ├── persistence_apt_package_manager_netcon.toml │ ├── persistence_at_job_creation.toml │ ├── persistence_boot_file_copy.toml │ ├── persistence_bpf_probe_write_user.toml │ ├── persistence_chkconfig_service_add.toml │ ├── persistence_credential_access_modify_ssh_binaries.toml │ ├── persistence_cron_job_creation.toml │ ├── persistence_dbus_service_creation.toml │ ├── persistence_dbus_unsual_daemon_parent_execution.toml │ ├── persistence_dnf_package_manager_plugin_file_creation.toml │ ├── persistence_dpkg_package_installation_from_unusual_parent.toml │ ├── persistence_dpkg_unusual_execution.toml │ ├── persistence_dracut_module_creation.toml │ ├── persistence_dynamic_linker_backup.toml │ ├── persistence_etc_file_creation.toml │ ├── persistence_extract_initramfs_via_cpio.toml │ ├── persistence_git_hook_execution.toml │ ├── persistence_git_hook_file_creation.toml │ ├── persistence_git_hook_netcon.toml │ ├── persistence_git_hook_process_execution.toml │ ├── persistence_grub_configuration_creation.toml │ ├── persistence_grub_makeconfig.toml │ ├── persistence_init_d_file_creation.toml │ ├── persistence_insmod_kernel_module_load.toml │ ├── persistence_kde_autostart_modification.toml │ ├── persistence_kernel_driver_load.toml │ ├── persistence_kernel_driver_load_by_non_root.toml │ ├── persistence_kernel_object_file_creation.toml │ ├── persistence_kworker_file_creation.toml │ ├── persistence_linux_backdoor_user_creation.toml │ ├── persistence_linux_group_creation.toml │ ├── persistence_linux_shell_activity_via_web_server.toml │ ├── persistence_linux_user_account_creation.toml │ ├── persistence_linux_user_added_to_privileged_group.toml │ ├── persistence_lkm_configuration_file_creation.toml │ ├── persistence_manual_dracut_execution.toml │ ├── persistence_message_of_the_day_creation.toml │ ├── persistence_message_of_the_day_execution.toml │ ├── 
persistence_network_manager_dispatcher_persistence.toml │ ├── persistence_openssl_passwd_hash_generation.toml │ ├── persistence_pluggable_authentication_module_creation.toml │ ├── persistence_pluggable_authentication_module_creation_in_unusual_dir.toml │ ├── persistence_pluggable_authentication_module_pam_exec_backdoor_exec.toml │ ├── persistence_pluggable_authentication_module_source_download.toml │ ├── persistence_polkit_policy_creation.toml │ ├── persistence_potential_persistence_script_executable_bit_set.toml │ ├── persistence_process_capability_set_via_setcap.toml │ ├── persistence_pth_file_creation.toml │ ├── persistence_rc_local_error_via_syslog.toml │ ├── persistence_rc_local_service_already_running.toml │ ├── persistence_rc_script_creation.toml │ ├── persistence_rpm_package_installation_from_unusual_parent.toml │ ├── persistence_setuid_setgid_capability_set.toml │ ├── persistence_shadow_file_modification.toml │ ├── persistence_shared_object_creation.toml │ ├── persistence_shell_configuration_modification.toml │ ├── persistence_simple_web_server_connection_accepted.toml │ ├── persistence_simple_web_server_creation.toml │ ├── persistence_site_and_user_customize_file_creation.toml │ ├── persistence_ssh_key_generation.toml │ ├── persistence_ssh_netcon.toml │ ├── persistence_ssh_via_backdoored_system_user.toml │ ├── persistence_suspicious_file_opened_through_editor.toml │ ├── persistence_suspicious_ssh_execution_xzbackdoor.toml │ ├── persistence_systemd_generator_creation.toml │ ├── persistence_systemd_netcon.toml │ ├── persistence_systemd_scheduled_timer_created.toml │ ├── persistence_systemd_service_creation.toml │ ├── persistence_systemd_service_started.toml │ ├── persistence_systemd_shell_execution.toml │ ├── persistence_tainted_kernel_module_load.toml │ ├── persistence_tainted_kernel_module_out_of_tree_load.toml │ ├── persistence_udev_rule_creation.toml │ ├── persistence_unpack_initramfs_via_unmkinitramfs.toml │ ├── 
persistence_unusual_exim4_child_process.toml │ ├── persistence_unusual_pam_grantor.toml │ ├── persistence_unusual_sshd_child_process.toml │ ├── persistence_user_credential_modification_via_echo.toml │ ├── persistence_user_or_group_creation_or_modification.toml │ ├── persistence_web_server_sus_child_spawned.toml │ ├── persistence_web_server_sus_command_execution.toml │ ├── persistence_web_server_sus_destination_port.toml │ ├── persistence_xdg_autostart_netcon.toml │ ├── persistence_yum_package_manager_plugin_file_creation.toml │ ├── privilege_escalation_chown_chmod_unauthorized_file_read.toml │ ├── privilege_escalation_container_util_misconfiguration.toml │ ├── privilege_escalation_dac_permissions.toml │ ├── privilege_escalation_debugfs_launched_inside_container.toml │ ├── privilege_escalation_docker_escape_via_nsenter.toml │ ├── privilege_escalation_docker_mount_chroot_container_escape.toml │ ├── privilege_escalation_docker_release_file_creation.toml │ ├── privilege_escalation_enlightenment_window_manager.toml │ ├── privilege_escalation_gdb_sys_ptrace_elevation.toml │ ├── privilege_escalation_gdb_sys_ptrace_netcon.toml │ ├── privilege_escalation_kworker_uid_elevation.toml │ ├── privilege_escalation_ld_preload_shared_object_modif.toml │ ├── privilege_escalation_linux_suspicious_symbolic_link.toml │ ├── privilege_escalation_linux_uid_int_max_bug.toml │ ├── privilege_escalation_load_and_unload_of_kernel_via_kexec.toml │ ├── privilege_escalation_looney_tunables_cve_2023_4911.toml │ ├── privilege_escalation_mount_launched_inside_container.toml │ ├── privilege_escalation_netcon_via_sudo_binary.toml │ ├── privilege_escalation_overlayfs_local_privesc.toml │ ├── privilege_escalation_pkexec_envar_hijack.toml │ ├── privilege_escalation_potential_bufferoverflow_attack.toml │ ├── privilege_escalation_potential_suid_sgid_exploitation.toml │ ├── privilege_escalation_potential_wildcard_shell_spawn.toml │ ├── privilege_escalation_sda_disk_mount_non_root.toml │ ├── 
privilege_escalation_shadow_file_read.toml │ ├── privilege_escalation_sudo_cve_2019_14287.toml │ ├── privilege_escalation_sudo_hijacking.toml │ ├── privilege_escalation_sudo_token_via_process_injection.toml │ ├── privilege_escalation_suspicious_cap_setuid_python_execution.toml │ ├── privilege_escalation_suspicious_chown_fowner_elevation.toml │ ├── privilege_escalation_suspicious_passwd_file_write.toml │ ├── privilege_escalation_suspicious_uid_guid_elevation.toml │ ├── privilege_escalation_uid_change_post_compilation.toml │ ├── privilege_escalation_uid_elevation_from_unknown_executable.toml │ ├── privilege_escalation_unshare_namespace_manipulation.toml │ └── privilege_escalation_writable_docker_socket.toml ├── macos │ ├── command_and_control_unusual_connection_to_suspicious_top_level_domain.toml │ ├── command_and_control_unusual_network_connection_to_suspicious_web_service.toml │ ├── credential_access_credentials_keychains.toml │ ├── credential_access_dumping_hashes_bi_cmds.toml │ ├── credential_access_dumping_keychain_security.toml │ ├── credential_access_high_volume_of_pbpaste.toml │ ├── credential_access_kerberosdump_kcc.toml │ ├── credential_access_keychain_pwd_retrieval_security_cmd.toml │ ├── credential_access_mitm_localhost_webproxy.toml │ ├── credential_access_potential_macos_ssh_bruteforce.toml │ ├── credential_access_promt_for_pwd_via_osascript.toml │ ├── credential_access_suspicious_web_browser_sensitive_file_access.toml │ ├── credential_access_systemkey_dumping.toml │ ├── defense_evasion_apple_softupdates_modification.toml │ ├── defense_evasion_attempt_del_quarantine_attrib.toml │ ├── defense_evasion_attempt_to_disable_gatekeeper.toml │ ├── defense_evasion_install_root_certificate.toml │ ├── defense_evasion_modify_environment_launchctl.toml │ ├── defense_evasion_privacy_controls_tcc_database_modification.toml │ ├── defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml │ ├── defense_evasion_safari_config_change.toml │ ├── 
defense_evasion_sandboxed_office_app_suspicious_zip_file.toml │ ├── defense_evasion_tcc_bypass_mounted_apfs_access.toml │ ├── defense_evasion_unload_endpointsecurity_kext.toml │ ├── discovery_users_domain_built_in_commands.toml │ ├── execution_defense_evasion_electron_app_childproc_node_js.toml │ ├── execution_initial_access_suspicious_browser_childproc.toml │ ├── execution_installer_package_spawned_network_event.toml │ ├── execution_script_via_automator_workflows.toml │ ├── execution_scripting_osascript_exec_followed_by_netcon.toml │ ├── execution_shell_execution_via_apple_scripting.toml │ ├── initial_access_suspicious_mac_ms_office_child_process.toml │ ├── lateral_movement_credential_access_kerberos_bifrostconsole.toml │ ├── lateral_movement_mounting_smb_share.toml │ ├── lateral_movement_remote_ssh_login_enabled.toml │ ├── lateral_movement_vpn_connection_attempt.toml │ ├── persistence_account_creation_hide_at_logon.toml │ ├── persistence_creation_change_launch_agents_file.toml │ ├── persistence_creation_hidden_login_item_osascript.toml │ ├── persistence_creation_modif_launch_deamon_sequence.toml │ ├── persistence_credential_access_authorization_plugin_creation.toml │ ├── persistence_crontab_creation.toml │ ├── persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml │ ├── persistence_directory_services_plugins_modification.toml │ ├── persistence_docker_shortcuts_plist_modification.toml │ ├── persistence_emond_rules_file_creation.toml │ ├── persistence_emond_rules_process_execution.toml │ ├── persistence_enable_root_account.toml │ ├── persistence_evasion_hidden_launch_agent_deamon_creation.toml │ ├── persistence_finder_sync_plugin_pluginkit.toml │ ├── persistence_folder_action_scripts_runtime.toml │ ├── persistence_login_logout_hooks_defaults.toml │ ├── persistence_loginwindow_plist_modification.toml │ ├── persistence_modification_sublime_app_plugin_or_script.toml │ ├── persistence_periodic_tasks_file_mdofiy.toml │ ├── 
persistence_screensaver_engine_unexpected_child_process.toml │ ├── persistence_screensaver_plist_file_modification.toml │ ├── persistence_suspicious_calendar_modification.toml │ ├── persistence_via_atom_init_file_modification.toml │ ├── privilege_escalation_applescript_with_admin_privs.toml │ ├── privilege_escalation_explicit_creds_via_scripting.toml │ ├── privilege_escalation_exploit_adobe_acrobat_updater.toml │ ├── privilege_escalation_local_user_added_to_admin.toml │ ├── privilege_escalation_root_crontab_filemod.toml │ └── privilege_escalation_user_added_to_admin_group.toml ├── ml │ ├── command_and_control_ml_packetbeat_dns_tunneling.toml │ ├── command_and_control_ml_packetbeat_rare_dns_question.toml │ ├── command_and_control_ml_packetbeat_rare_urls.toml │ ├── command_and_control_ml_packetbeat_rare_user_agent.toml │ ├── credential_access_ml_auth_spike_in_failed_logon_events.toml │ ├── credential_access_ml_auth_spike_in_logon_events.toml │ ├── credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml │ ├── credential_access_ml_linux_anomalous_metadata_process.toml │ ├── credential_access_ml_linux_anomalous_metadata_user.toml │ ├── credential_access_ml_suspicious_login_activity.toml │ ├── credential_access_ml_windows_anomalous_metadata_process.toml │ ├── credential_access_ml_windows_anomalous_metadata_user.toml │ ├── discovery_ml_linux_system_information_discovery.toml │ ├── discovery_ml_linux_system_network_configuration_discovery.toml │ ├── discovery_ml_linux_system_network_connection_discovery.toml │ ├── discovery_ml_linux_system_process_discovery.toml │ ├── discovery_ml_linux_system_user_discovery.toml │ ├── execution_ml_windows_anomalous_script.toml │ ├── initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml │ ├── initial_access_ml_auth_rare_source_ip_for_a_user.toml │ ├── initial_access_ml_auth_rare_user_logon.toml │ ├── initial_access_ml_linux_anomalous_user_name.toml │ ├── initial_access_ml_windows_anomalous_user_name.toml │ ├── 
initial_access_ml_windows_rare_user_type10_remote_login.toml │ ├── ml_high_count_events_for_a_host_name.toml │ ├── ml_high_count_network_denies.toml │ ├── ml_high_count_network_events.toml │ ├── ml_linux_anomalous_network_activity.toml │ ├── ml_linux_anomalous_network_port_activity.toml │ ├── ml_low_count_events_for_a_host_name.toml │ ├── ml_packetbeat_rare_server_domain.toml │ ├── ml_rare_destination_country.toml │ ├── ml_spike_in_traffic_to_a_country.toml │ ├── ml_windows_anomalous_network_activity.toml │ ├── persistence_ml_linux_anomalous_process_all_hosts.toml │ ├── persistence_ml_rare_process_by_host_linux.toml │ ├── persistence_ml_rare_process_by_host_windows.toml │ ├── persistence_ml_windows_anomalous_path_activity.toml │ ├── persistence_ml_windows_anomalous_process_all_hosts.toml │ ├── persistence_ml_windows_anomalous_process_creation.toml │ ├── persistence_ml_windows_anomalous_service.toml │ ├── privilege_escalation_ml_linux_anomalous_sudo_activity.toml │ ├── privilege_escalation_ml_windows_rare_user_runas_event.toml │ └── resource_development_ml_linux_anomalous_compiler_activity.toml ├── network │ ├── command_and_control_accepted_default_telnet_port_connection.toml │ ├── command_and_control_cobalt_strike_beacon.toml │ ├── command_and_control_cobalt_strike_default_teamserver_cert.toml │ ├── command_and_control_download_rar_powershell_from_internet.toml │ ├── command_and_control_fin7_c2_behavior.toml │ ├── command_and_control_halfbaked_beacon.toml │ ├── command_and_control_nat_traversal_port_activity.toml │ ├── command_and_control_port_26_activity.toml │ ├── command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml │ ├── command_and_control_vnc_virtual_network_computing_from_the_internet.toml │ ├── command_and_control_vnc_virtual_network_computing_to_the_internet.toml │ ├── discovery_potential_network_sweep_detected.toml │ ├── discovery_potential_port_scan_detected.toml │ ├── discovery_potential_syn_port_scan_detected.toml │ ├── 
initial_access_rpc_remote_procedure_call_from_the_internet.toml │ ├── initial_access_rpc_remote_procedure_call_to_the_internet.toml │ ├── initial_access_smb_windows_file_sharing_activity_to_the_internet.toml │ ├── initial_access_unsecure_elasticsearch_node.toml │ └── lateral_movement_dns_server_overflow.toml ├── promotions │ ├── credential_access_endgame_cred_dumping_detected.toml │ ├── credential_access_endgame_cred_dumping_prevented.toml │ ├── endgame_adversary_behavior_detected.toml │ ├── endgame_malware_detected.toml │ ├── endgame_malware_prevented.toml │ ├── endgame_ransomware_detected.toml │ ├── endgame_ransomware_prevented.toml │ ├── execution_endgame_exploit_detected.toml │ ├── execution_endgame_exploit_prevented.toml │ ├── external_alerts.toml │ ├── privilege_escalation_endgame_cred_manipulation_detected.toml │ ├── privilege_escalation_endgame_cred_manipulation_prevented.toml │ ├── privilege_escalation_endgame_permission_theft_detected.toml │ ├── privilege_escalation_endgame_permission_theft_prevented.toml │ ├── privilege_escalation_endgame_process_injection_detected.toml │ └── privilege_escalation_endgame_process_injection_prevented.toml ├── threat_intel │ ├── threat_intel_indicator_match_address.toml │ ├── threat_intel_indicator_match_email.toml │ ├── threat_intel_indicator_match_hash.toml │ ├── threat_intel_indicator_match_registry.toml │ ├── threat_intel_indicator_match_url.toml │ └── threat_intel_rapid7_threat_command.toml └── windows │ ├── collection_email_outlook_mailbox_via_com.toml │ ├── collection_email_powershell_exchange_mailbox.toml │ ├── collection_mailbox_export_winlog.toml │ ├── collection_posh_audio_capture.toml │ ├── collection_posh_clipboard_capture.toml │ ├── collection_posh_keylogger.toml │ ├── collection_posh_mailbox.toml │ ├── collection_posh_screen_grabber.toml │ ├── collection_posh_webcam_video_capture.toml │ ├── collection_winrar_encryption.toml │ ├── command_and_control_certreq_postdata.toml │ ├── 
command_and_control_common_webservices.toml │ ├── command_and_control_dns_tunneling_nslookup.toml │ ├── command_and_control_encrypted_channel_freesslcert.toml │ ├── command_and_control_headless_browser.toml │ ├── command_and_control_iexplore_via_com.toml │ ├── command_and_control_ingress_transfer_bits.toml │ ├── command_and_control_new_terms_commonly_abused_rat_execution.toml │ ├── command_and_control_outlook_home_page.toml │ ├── command_and_control_port_forwarding_added_registry.toml │ ├── command_and_control_rdp_tunnel_plink.toml │ ├── command_and_control_remote_file_copy_desktopimgdownldr.toml │ ├── command_and_control_remote_file_copy_mpcmdrun.toml │ ├── command_and_control_remote_file_copy_powershell.toml │ ├── command_and_control_remote_file_copy_scripts.toml │ ├── command_and_control_screenconnect_childproc.toml │ ├── command_and_control_sunburst_c2_activity_detected.toml │ ├── command_and_control_teamviewer_remote_file_copy.toml │ ├── command_and_control_tool_transfer_via_curl.toml │ ├── command_and_control_tunnel_vscode.toml │ ├── credential_access_adidns_wildcard.toml │ ├── credential_access_adidns_wpad_record.toml │ ├── credential_access_bruteforce_admin_account.toml │ ├── credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml │ ├── credential_access_bruteforce_multiple_logon_failure_same_srcip.toml │ ├── credential_access_cmdline_dump_tool.toml │ ├── credential_access_copy_ntds_sam_volshadowcp_cmdline.toml │ ├── credential_access_credential_dumping_msbuild.toml │ ├── credential_access_dcsync_newterm_subjectuser.toml │ ├── credential_access_dcsync_replication_rights.toml │ ├── credential_access_dcsync_user_backdoor.toml │ ├── credential_access_disable_kerberos_preauth.toml │ ├── credential_access_dnsnode_creation.toml │ ├── credential_access_dollar_account_relay.toml │ ├── credential_access_domain_backup_dpapi_private_keys.toml │ ├── credential_access_dump_registry_hives.toml │ ├── credential_access_generic_localdumps.toml │ ├── 
credential_access_iis_connectionstrings_dumping.toml │ ├── credential_access_imageload_azureadconnectauthsvc.toml │ ├── credential_access_kerberoasting_unusual_process.toml │ ├── credential_access_kirbi_file.toml │ ├── credential_access_ldap_attributes.toml │ ├── credential_access_lsass_handle_via_malseclogon.toml │ ├── credential_access_lsass_loaded_susp_dll.toml │ ├── credential_access_lsass_memdump_file_created.toml │ ├── credential_access_lsass_memdump_handle_access.toml │ ├── credential_access_lsass_openprocess_api.toml │ ├── credential_access_mimikatz_memssp_default_logs.toml │ ├── credential_access_mimikatz_powershell_module.toml │ ├── credential_access_mod_wdigest_security_provider.toml │ ├── credential_access_moving_registry_hive_via_smb.toml │ ├── credential_access_persistence_network_logon_provider_modification.toml │ ├── credential_access_posh_invoke_ninjacopy.toml │ ├── credential_access_posh_kerb_ticket_dump.toml │ ├── credential_access_posh_minidump.toml │ ├── credential_access_posh_relay_tools.toml │ ├── credential_access_posh_request_ticket.toml │ ├── credential_access_posh_veeam_sql.toml │ ├── credential_access_potential_lsa_memdump_via_mirrordump.toml │ ├── credential_access_rare_webdav_destination.toml │ ├── credential_access_regback_sam_security_hives.toml │ ├── credential_access_relay_ntlm_auth_via_http_spoolss.toml │ ├── credential_access_remote_sam_secretsdump.toml │ ├── credential_access_saved_creds_vault_winlog.toml │ ├── credential_access_saved_creds_vaultcmd.toml │ ├── credential_access_seenabledelegationprivilege_assigned_to_user.toml │ ├── credential_access_shadow_credentials.toml │ ├── credential_access_spn_attribute_modified.toml │ ├── credential_access_suspicious_comsvcs_imageload.toml │ ├── credential_access_suspicious_lsass_access_generic.toml │ ├── credential_access_suspicious_lsass_access_memdump.toml │ ├── credential_access_suspicious_lsass_access_via_snapshot.toml │ ├── 
credential_access_suspicious_winreg_access_via_sebackup_priv.toml │ ├── credential_access_symbolic_link_to_shadow_copy_created.toml │ ├── credential_access_veeam_backup_dll_imageload.toml │ ├── credential_access_veeam_commands.toml │ ├── credential_access_via_snapshot_lsass_clone_creation.toml │ ├── credential_access_wbadmin_ntds.toml │ ├── credential_access_wireless_creds_dumping.toml │ ├── defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml │ ├── defense_evasion_amsi_bypass_dllhijack.toml │ ├── defense_evasion_amsi_bypass_powershell.toml │ ├── defense_evasion_amsienable_key_mod.toml │ ├── defense_evasion_audit_policy_disabled_winlog.toml │ ├── defense_evasion_clearing_windows_console_history.toml │ ├── defense_evasion_clearing_windows_event_logs.toml │ ├── defense_evasion_clearing_windows_security_logs.toml │ ├── defense_evasion_code_signing_policy_modification_builtin_tools.toml │ ├── defense_evasion_code_signing_policy_modification_registry.toml │ ├── defense_evasion_communication_apps_suspicious_child_process.toml │ ├── defense_evasion_create_mod_root_certificate.toml │ ├── defense_evasion_cve_2020_0601.toml │ ├── defense_evasion_defender_disabled_via_registry.toml │ ├── defense_evasion_defender_exclusion_via_powershell.toml │ ├── defense_evasion_delete_volume_usn_journal_with_fsutil.toml │ ├── defense_evasion_disable_nla.toml │ ├── defense_evasion_disable_posh_scriptblocklogging.toml │ ├── defense_evasion_disable_windows_firewall_rules_with_netsh.toml │ ├── defense_evasion_disabling_windows_defender_powershell.toml │ ├── defense_evasion_disabling_windows_logs.toml │ ├── defense_evasion_dns_over_https_enabled.toml │ ├── defense_evasion_dotnet_compiler_parent_process.toml │ ├── defense_evasion_enable_inbound_rdp_with_netsh.toml │ ├── defense_evasion_enable_network_discovery_with_netsh.toml │ ├── defense_evasion_execution_control_panel_suspicious_args.toml │ ├── defense_evasion_execution_lolbas_wuauclt.toml │ ├── 
defense_evasion_execution_msbuild_started_by_office_app.toml │ ├── defense_evasion_execution_msbuild_started_by_script.toml │ ├── defense_evasion_execution_msbuild_started_by_system_process.toml │ ├── defense_evasion_execution_msbuild_started_renamed.toml │ ├── defense_evasion_execution_msbuild_started_unusal_process.toml │ ├── defense_evasion_execution_suspicious_explorer_winword.toml │ ├── defense_evasion_execution_windefend_unusual_path.toml │ ├── defense_evasion_file_creation_mult_extension.toml │ ├── defense_evasion_from_unusual_directory.toml │ ├── defense_evasion_hide_encoded_executable_registry.toml │ ├── defense_evasion_iis_httplogging_disabled.toml │ ├── defense_evasion_indirect_exec_forfiles.toml │ ├── defense_evasion_injection_msbuild.toml │ ├── defense_evasion_installutil_beacon.toml │ ├── defense_evasion_lolbas_win_cdb_utility.toml │ ├── defense_evasion_lsass_ppl_disabled_registry.toml │ ├── defense_evasion_masquerading_as_elastic_endpoint_process.toml │ ├── defense_evasion_masquerading_business_apps_installer.toml │ ├── defense_evasion_masquerading_communication_apps.toml │ ├── defense_evasion_masquerading_renamed_autoit.toml │ ├── defense_evasion_masquerading_suspicious_werfault_childproc.toml │ ├── defense_evasion_masquerading_trusted_directory.toml │ ├── defense_evasion_masquerading_werfault.toml │ ├── defense_evasion_microsoft_defender_tampering.toml │ ├── defense_evasion_misc_lolbin_connecting_to_the_internet.toml │ ├── defense_evasion_ms_office_suspicious_regmod.toml │ ├── defense_evasion_msbuild_making_network_connections.toml │ ├── defense_evasion_mshta_beacon.toml │ ├── defense_evasion_msiexec_child_proc_netcon.toml │ ├── defense_evasion_msxsl_network.toml │ ├── defense_evasion_network_connection_from_windows_binary.toml │ ├── defense_evasion_ntlm_downgrade.toml │ ├── defense_evasion_parent_process_pid_spoofing.toml │ ├── defense_evasion_persistence_account_tokenfilterpolicy.toml │ ├── defense_evasion_posh_assembly_load.toml │ ├── 
defense_evasion_posh_compressed.toml │ ├── defense_evasion_posh_encryption.toml │ ├── defense_evasion_posh_obfuscation.toml │ ├── defense_evasion_posh_obfuscation_backtick.toml │ ├── defense_evasion_posh_obfuscation_backtick_var.toml │ ├── defense_evasion_posh_obfuscation_char_arrays.toml │ ├── defense_evasion_posh_obfuscation_concat_dynamic.toml │ ├── defense_evasion_posh_obfuscation_high_number_proportion.toml │ ├── defense_evasion_posh_obfuscation_iex_env_vars_reconstruction.toml │ ├── defense_evasion_posh_obfuscation_iex_string_reconstruction.toml │ ├── defense_evasion_posh_obfuscation_index_reversal.toml │ ├── defense_evasion_posh_obfuscation_reverse_keyword.toml │ ├── defense_evasion_posh_obfuscation_string_concat.toml │ ├── defense_evasion_posh_obfuscation_string_format.toml │ ├── defense_evasion_posh_obfuscation_whitespace_special_proportion.toml │ ├── defense_evasion_posh_process_injection.toml │ ├── defense_evasion_powershell_windows_firewall_disabled.toml │ ├── defense_evasion_process_termination_followed_by_deletion.toml │ ├── defense_evasion_proxy_execution_via_msdt.toml │ ├── defense_evasion_reg_disable_enableglobalqueryblocklist.toml │ ├── defense_evasion_regmod_remotemonologue.toml │ ├── defense_evasion_right_to_left_override.toml │ ├── defense_evasion_root_dir_ads_creation.toml │ ├── defense_evasion_run_virt_windowssandbox.toml │ ├── defense_evasion_rundll32_no_arguments.toml │ ├── defense_evasion_sc_sdset.toml │ ├── defense_evasion_sccm_scnotification_dll.toml │ ├── defense_evasion_scheduledjobs_at_protocol_enabled.toml │ ├── defense_evasion_script_via_html_app.toml │ ├── defense_evasion_sdelete_like_filename_rename.toml │ ├── defense_evasion_sip_provider_mod.toml │ ├── defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml │ ├── defense_evasion_suspicious_certutil_commands.toml │ ├── defense_evasion_suspicious_execution_from_mounted_device.toml │ ├── defense_evasion_suspicious_managedcode_host_process.toml │ ├── 
defense_evasion_suspicious_process_access_direct_syscall.toml │ ├── defense_evasion_suspicious_process_creation_calltrace.toml │ ├── defense_evasion_suspicious_scrobj_load.toml │ ├── defense_evasion_suspicious_short_program_name.toml │ ├── defense_evasion_suspicious_wmi_script.toml │ ├── defense_evasion_suspicious_zoom_child_process.toml │ ├── defense_evasion_system_critical_proc_abnormal_file_activity.toml │ ├── defense_evasion_timestomp_sysmon.toml │ ├── defense_evasion_unsigned_dll_loaded_from_suspdir.toml │ ├── defense_evasion_untrusted_driver_loaded.toml │ ├── defense_evasion_unusual_ads_file_creation.toml │ ├── defense_evasion_unusual_dir_ads.toml │ ├── defense_evasion_unusual_network_connection_via_dllhost.toml │ ├── defense_evasion_unusual_network_connection_via_rundll32.toml │ ├── defense_evasion_unusual_process_network_connection.toml │ ├── defense_evasion_unusual_system_vp_child_program.toml │ ├── defense_evasion_via_filter_manager.toml │ ├── defense_evasion_wdac_policy_by_unusual_process.toml │ ├── defense_evasion_windows_filtering_platform.toml │ ├── defense_evasion_workfolders_control_execution.toml │ ├── defense_evasion_wsl_bash_exec.toml │ ├── defense_evasion_wsl_child_process.toml │ ├── defense_evasion_wsl_enabled_via_dism.toml │ ├── defense_evasion_wsl_filesystem.toml │ ├── defense_evasion_wsl_kalilinux.toml │ ├── defense_evasion_wsl_registry_modification.toml │ ├── discovery_active_directory_webservice.toml │ ├── discovery_adfind_command_activity.toml │ ├── discovery_admin_recon.toml │ ├── discovery_command_system_account.toml │ ├── discovery_enumerating_domain_trusts_via_dsquery.toml │ ├── discovery_enumerating_domain_trusts_via_nltest.toml │ ├── discovery_group_policy_object_discovery.toml │ ├── discovery_high_number_ad_properties.toml │ ├── discovery_peripheral_device.toml │ ├── discovery_posh_invoke_sharefinder.toml │ ├── discovery_posh_suspicious_api_functions.toml │ ├── discovery_privileged_localgroup_membership.toml │ ├── 
discovery_signal_unusual_discovery_signal_proc_cmdline.toml │ ├── discovery_signal_unusual_discovery_signal_proc_executable.toml │ ├── discovery_whoami_command_activity.toml │ ├── execution_apt_solarwinds_backdoor_child_cmd_powershell.toml │ ├── execution_apt_solarwinds_backdoor_unusual_child_processes.toml │ ├── execution_com_object_xwizard.toml │ ├── execution_command_prompt_connecting_to_the_internet.toml │ ├── execution_command_shell_started_by_svchost.toml │ ├── execution_command_shell_started_by_unusual_process.toml │ ├── execution_command_shell_via_rundll32.toml │ ├── execution_delayed_via_ping_lolbas_unsigned.toml │ ├── execution_downloaded_shortcut_files.toml │ ├── execution_downloaded_url_file.toml │ ├── execution_enumeration_via_wmiprvse.toml │ ├── execution_from_unusual_path_cmdline.toml │ ├── execution_html_help_executable_program_connecting_to_the_internet.toml │ ├── execution_initial_access_foxmail_exploit.toml │ ├── execution_initial_access_via_msc_file.toml │ ├── execution_initial_access_wps_dll_exploit.toml │ ├── execution_mofcomp.toml │ ├── execution_ms_office_written_file.toml │ ├── execution_pdf_written_file.toml │ ├── execution_posh_hacktool_authors.toml │ ├── execution_posh_hacktool_functions.toml │ ├── execution_posh_malicious_script_agg.toml │ ├── execution_posh_portable_executable.toml │ ├── execution_posh_psreflect.toml │ ├── execution_powershell_susp_args_via_winscript.toml │ ├── execution_psexec_lateral_movement_command.toml │ ├── execution_register_server_program_connecting_to_the_internet.toml │ ├── execution_scheduled_task_powershell_source.toml │ ├── execution_shared_modules_local_sxs_dll.toml │ ├── execution_suspicious_cmd_wmi.toml │ ├── execution_suspicious_image_load_wmi_ms_office.toml │ ├── execution_suspicious_pdf_reader.toml │ ├── execution_suspicious_powershell_imgload.toml │ ├── execution_suspicious_psexesvc.toml │ ├── execution_via_compiled_html_file.toml │ ├── execution_via_hidden_shell_conhost.toml │ ├── 
execution_via_mmc_console_file_unusual_path.toml │ ├── execution_windows_cmd_shell_susp_args.toml │ ├── execution_windows_powershell_susp_args.toml │ ├── execution_windows_script_from_internet.toml │ ├── exfiltration_smb_rare_destination.toml │ ├── impact_backup_file_deletion.toml │ ├── impact_deleting_backup_catalogs_with_wbadmin.toml │ ├── impact_high_freq_file_renames_by_kernel.toml │ ├── impact_modification_of_boot_config.toml │ ├── impact_ransomware_file_rename_smb.toml │ ├── impact_ransomware_note_file_over_smb.toml │ ├── impact_stop_process_service_threshold.toml │ ├── impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml │ ├── impact_volume_shadow_copy_deletion_via_powershell.toml │ ├── impact_volume_shadow_copy_deletion_via_wmic.toml │ ├── initial_access_evasion_suspicious_htm_file_creation.toml │ ├── initial_access_execution_from_inetcache.toml │ ├── initial_access_execution_from_removable_media.toml │ ├── initial_access_execution_remote_via_msiexec.toml │ ├── initial_access_execution_via_office_addins.toml │ ├── initial_access_exfiltration_first_time_seen_usb.toml │ ├── initial_access_exploit_jetbrains_teamcity.toml │ ├── initial_access_rdp_file_mail_attachment.toml │ ├── initial_access_script_executing_powershell.toml │ ├── initial_access_scripts_process_started_via_wmi.toml │ ├── initial_access_suspicious_ms_exchange_files.toml │ ├── initial_access_suspicious_ms_exchange_process.toml │ ├── initial_access_suspicious_ms_exchange_worker_child_process.toml │ ├── initial_access_suspicious_ms_office_child_process.toml │ ├── initial_access_suspicious_ms_outlook_child_process.toml │ ├── initial_access_via_explorer_suspicious_child_parent_args.toml │ ├── initial_access_webshell_screenconnect_server.toml │ ├── initial_access_xsl_script_execution_via_com.toml │ ├── lateral_movement_alternate_creds_pth.toml │ ├── lateral_movement_cmd_service.toml │ ├── lateral_movement_dcom_hta.toml │ ├── lateral_movement_dcom_mmc20.toml │ ├── 
lateral_movement_dcom_shellwindow_shellbrowserwindow.toml │ ├── lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml │ ├── lateral_movement_direct_outbound_smb_connection.toml │ ├── lateral_movement_evasion_rdp_shadowing.toml │ ├── lateral_movement_executable_tool_transfer_smb.toml │ ├── lateral_movement_execution_from_tsclient_mup.toml │ ├── lateral_movement_execution_via_file_shares_sequence.toml │ ├── lateral_movement_incoming_winrm_shell_execution.toml │ ├── lateral_movement_incoming_wmi.toml │ ├── lateral_movement_mount_hidden_or_webdav_share_net.toml │ ├── lateral_movement_powershell_remoting_target.toml │ ├── lateral_movement_rdp_enabled_registry.toml │ ├── lateral_movement_rdp_sharprdp_target.toml │ ├── lateral_movement_remote_file_copy_hidden_share.toml │ ├── lateral_movement_remote_service_installed_winlog.toml │ ├── lateral_movement_remote_services.toml │ ├── lateral_movement_remote_task_creation_winlog.toml │ ├── lateral_movement_scheduled_task_target.toml │ ├── lateral_movement_suspicious_rdp_client_imageload.toml │ ├── lateral_movement_unusual_dns_service_children.toml │ ├── lateral_movement_unusual_dns_service_file_writes.toml │ ├── lateral_movement_via_startup_folder_rdp_smb.toml │ ├── lateral_movement_via_wsus_update.toml │ ├── persistence_ad_adminsdholder.toml │ ├── persistence_adobe_hijack_persistence.toml │ ├── persistence_app_compat_shim.toml │ ├── persistence_appcertdlls_registry.toml │ ├── persistence_appinitdlls_registry.toml │ ├── persistence_browser_extension_install.toml │ ├── persistence_dontexpirepasswd_account.toml │ ├── persistence_evasion_hidden_local_account_creation.toml │ ├── persistence_evasion_registry_ifeo_injection.toml │ ├── persistence_evasion_registry_startup_shell_folder_modified.toml │ ├── persistence_group_modification_by_system.toml │ ├── persistence_local_scheduled_job_creation.toml │ ├── persistence_local_scheduled_task_creation.toml │ ├── persistence_local_scheduled_task_scripting.toml │ ├── 
persistence_ms_office_addins_file.toml │ ├── persistence_ms_outlook_vba_template.toml │ ├── persistence_msds_alloweddelegateto_krbtgt.toml │ ├── persistence_msi_installer_task_startup.toml │ ├── persistence_msoffice_startup_registry.toml │ ├── persistence_netsh_helper_dll.toml │ ├── persistence_powershell_exch_mailbox_activesync_add_device.toml │ ├── persistence_powershell_profiles.toml │ ├── persistence_priv_escalation_via_accessibility_features.toml │ ├── persistence_registry_uncommon.toml │ ├── persistence_remote_password_reset.toml │ ├── persistence_run_key_and_startup_broad.toml │ ├── persistence_runtime_run_key_startup_susp_procs.toml │ ├── persistence_scheduled_task_creation_winlog.toml │ ├── persistence_scheduled_task_updated.toml │ ├── persistence_sdprop_exclusion_dsheuristics.toml │ ├── persistence_service_dll_unsigned.toml │ ├── persistence_service_windows_service_winlog.toml │ ├── persistence_services_registry.toml │ ├── persistence_startup_folder_file_written_by_suspicious_process.toml │ ├── persistence_startup_folder_file_written_by_unsigned_process.toml │ ├── persistence_startup_folder_scripts.toml │ ├── persistence_suspicious_com_hijack_registry.toml │ ├── persistence_suspicious_image_load_scheduled_task_ms_office.toml │ ├── persistence_suspicious_scheduled_task_runtime.toml │ ├── persistence_suspicious_service_created_registry.toml │ ├── persistence_sysmon_wmi_event_subscription.toml │ ├── persistence_system_shells_via_services.toml │ ├── persistence_temp_scheduled_task.toml │ ├── persistence_time_provider_mod.toml │ ├── persistence_user_account_added_to_privileged_group_ad.toml │ ├── persistence_user_account_creation.toml │ ├── persistence_user_account_creation_event_logs.toml │ ├── persistence_via_application_shimming.toml │ ├── persistence_via_bits_job_notify_command.toml │ ├── persistence_via_hidden_run_key_valuename.toml │ ├── persistence_via_lsa_security_support_provider_registry.toml │ ├── 
persistence_via_telemetrycontroller_scheduledtask_hijack.toml │ ├── persistence_via_update_orchestrator_service_hijack.toml │ ├── persistence_via_windows_management_instrumentation_event_subscription.toml │ ├── persistence_via_wmi_stdregprov_run_services.toml │ ├── persistence_via_xp_cmdshell_mssql_stored_procedure.toml │ ├── persistence_webshell_detection.toml │ ├── persistence_werfault_reflectdebugger.toml │ ├── privilege_escalation_badsuccessor_dmsa_abuse.toml │ ├── privilege_escalation_create_process_as_different_user.toml │ ├── privilege_escalation_create_process_with_token_unpriv.toml │ ├── privilege_escalation_credroaming_ldap.toml │ ├── privilege_escalation_disable_uac_registry.toml │ ├── privilege_escalation_dmsa_creation_by_unusual_user.toml │ ├── privilege_escalation_dns_serverlevelplugindll.toml │ ├── privilege_escalation_driver_newterm_imphash.toml │ ├── privilege_escalation_expired_driver_loaded.toml │ ├── privilege_escalation_exploit_cve_202238028.toml │ ├── privilege_escalation_gpo_schtask_service_creation.toml │ ├── privilege_escalation_group_policy_iniscript.toml │ ├── privilege_escalation_group_policy_privileged_groups.toml │ ├── privilege_escalation_group_policy_scheduled_task.toml │ ├── privilege_escalation_installertakeover.toml │ ├── privilege_escalation_krbrelayup_service_creation.toml │ ├── privilege_escalation_lsa_auth_package.toml │ ├── privilege_escalation_make_token_local.toml │ ├── privilege_escalation_msi_repair_via_mshelp_link.toml │ ├── privilege_escalation_named_pipe_impersonation.toml │ ├── privilege_escalation_newcreds_logon_rare_process.toml │ ├── privilege_escalation_persistence_phantom_dll.toml │ ├── privilege_escalation_port_monitor_print_pocessor_abuse.toml │ ├── privilege_escalation_posh_token_impersonation.toml │ ├── privilege_escalation_printspooler_registry_copyfiles.toml │ ├── privilege_escalation_printspooler_service_suspicious_file.toml │ ├── privilege_escalation_printspooler_suspicious_file_deletion.toml │ ├── 
privilege_escalation_printspooler_suspicious_spl_file.toml │ ├── privilege_escalation_reg_service_imagepath_mod.toml │ ├── privilege_escalation_rogue_windir_environment_var.toml │ ├── privilege_escalation_samaccountname_spoofing_attack.toml │ ├── privilege_escalation_service_control_spawned_script_int.toml │ ├── privilege_escalation_suspicious_dnshostname_update.toml │ ├── privilege_escalation_tokenmanip_sedebugpriv_enabled.toml │ ├── privilege_escalation_uac_bypass_com_clipup.toml │ ├── privilege_escalation_uac_bypass_com_ieinstal.toml │ ├── privilege_escalation_uac_bypass_com_interface_icmluautil.toml │ ├── privilege_escalation_uac_bypass_diskcleanup_hijack.toml │ ├── privilege_escalation_uac_bypass_dll_sideloading.toml │ ├── privilege_escalation_uac_bypass_event_viewer.toml │ ├── privilege_escalation_uac_bypass_mock_windir.toml │ ├── privilege_escalation_uac_bypass_winfw_mmc_hijack.toml │ ├── privilege_escalation_unquoted_service_path.toml │ ├── privilege_escalation_unusual_parentchild_relationship.toml │ ├── privilege_escalation_unusual_printspooler_childprocess.toml │ ├── privilege_escalation_unusual_svchost_childproc_childless.toml │ ├── privilege_escalation_via_ppid_spoofing.toml │ ├── privilege_escalation_via_rogue_named_pipe.toml │ ├── privilege_escalation_via_token_theft.toml │ ├── privilege_escalation_windows_service_via_unusual_client.toml │ └── privilege_escalation_wpad_exploitation.toml ├── rules_building_block ├── .gitkeep ├── collection_archive_data_zip_imageload.toml ├── collection_common_compressed_archived_file.toml ├── collection_files_staged_in_recycle_bin_root.toml ├── collection_outlook_email_archive.toml ├── collection_posh_compression.toml ├── command_and_control_bitsadmin_activity.toml ├── command_and_control_certutil_network_connection.toml ├── command_and_control_non_standard_http_port.toml ├── credential_access_iis_apppoolsa_pwd_appcmd.toml ├── credential_access_mdmp_file_creation.toml ├── 
credential_access_mdmp_file_unusual_extension.toml ├── credential_access_win_private_key_access.toml ├── defense_evasion_aws_rds_snapshot_created.toml ├── defense_evasion_cmd_copy_binary_contents.toml ├── defense_evasion_cmstp_execution.toml ├── defense_evasion_collection_masquerading_unusual_archive_file_extension.toml ├── defense_evasion_dll_hijack.toml ├── defense_evasion_dotnet_clickonce_dfsvc_netcon.toml ├── defense_evasion_download_susp_extension.toml ├── defense_evasion_execution_via_visualstudio_prebuildevent.toml ├── defense_evasion_file_permission_modification.toml ├── defense_evasion_generic_deletion.toml ├── defense_evasion_indirect_command_exec_pcalua_forfiles.toml ├── defense_evasion_injection_from_msoffice.toml ├── defense_evasion_installutil_command_activity.toml ├── defense_evasion_invalid_codesign_imageload.toml ├── defense_evasion_masquerading_browsers.toml ├── defense_evasion_masquerading_unusual_exe_file_extension.toml ├── defense_evasion_masquerading_vlc_dll.toml ├── defense_evasion_masquerading_windows_dll.toml ├── defense_evasion_masquerading_windows_system32_exe.toml ├── defense_evasion_msdt_suspicious_diagcab.toml ├── defense_evasion_msiexec_installsource_archive_file.toml ├── defense_evasion_outlook_suspicious_child.toml ├── defense_evasion_posh_defender_tampering.toml ├── defense_evasion_posh_obfuscation_proportion_special_chars.toml ├── defense_evasion_powershell_clear_logs_script.toml ├── defense_evasion_processes_with_trailing_spaces.toml ├── defense_evasion_service_disabled_registry.toml ├── defense_evasion_service_path_registry.toml ├── defense_evasion_services_exe_path.toml ├── defense_evasion_suspicious_msiexec_execution.toml ├── defense_evasion_unsigned_bits_client.toml ├── defense_evasion_unusual_process_extension.toml ├── defense_evasion_unusual_process_path_wbem.toml ├── defense_evasion_write_dac_access.toml ├── discovery_capnetraw_capability.toml ├── discovery_files_dir_systeminfo_via_cmd.toml ├── 
discovery_generic_account_groups.toml ├── discovery_generic_process_discovery.toml ├── discovery_generic_registry_query.toml ├── discovery_getconf_execution.toml ├── discovery_hosts_file_access.toml ├── discovery_internet_capabilities.toml ├── discovery_kernel_module_enumeration_via_proc.toml ├── discovery_linux_modprobe_enumeration.toml ├── discovery_linux_sysctl_enumeration.toml ├── discovery_linux_system_information_discovery.toml ├── discovery_linux_system_owner_user_discovery.toml ├── discovery_net_share_discovery_winlog.toml ├── discovery_net_view.toml ├── discovery_of_accounts_or_groups_via_builtin_tools.toml ├── discovery_of_domain_groups.toml ├── discovery_posh_generic.toml ├── discovery_posh_password_policy.toml ├── discovery_post_exploitation_external_ip_lookup.toml ├── discovery_potential_memory_seeking_activity.toml ├── discovery_process_discovery_via_builtin_tools.toml ├── discovery_remote_system_discovery_commands_windows.toml ├── discovery_security_software_wmic.toml ├── discovery_signal_unusual_user_host.toml ├── discovery_suspicious_proc_enumeration.toml ├── discovery_system_network_connections.toml ├── discovery_system_service_discovery.toml ├── discovery_system_time_discovery.toml ├── discovery_win_network_connections.toml ├── discovery_windows_system_information_discovery.toml ├── entra_id_identity_protection_risk_detections.toml ├── execution_aws_lambda_function_updated.toml ├── execution_github_new_event_action_for_pat.toml ├── execution_github_new_repo_interaction_for_pat.toml ├── execution_github_new_repo_interaction_for_user.toml ├── execution_github_repo_created.toml ├── execution_github_repo_interaction_from_new_ip.toml ├── execution_linux_segfault.toml ├── execution_settingcontent_ms_file_creation.toml ├── execution_unsigned_service_executable.toml ├── execution_wmi_wbemtest.toml ├── impact_github_member_removed_from_organization.toml ├── impact_github_pat_access_revoked.toml ├── impact_github_user_blocked_from_organization.toml ├── 
initial_access_github_new_ip_address_for_pat.toml ├── initial_access_github_new_ip_address_for_user.toml ├── initial_access_github_new_user_agent_for_pat.toml ├── initial_access_github_new_user_agent_for_user.toml ├── lateral_movement_at.toml ├── lateral_movement_posh_winrm_activity.toml ├── lateral_movement_rdp_conn_unusual_process.toml ├── lateral_movement_unusual_process_sql_accounts.toml ├── lateral_movement_wmic_remote.toml ├── persistence_aws_iam_login_profile_added_to_user.toml ├── persistence_cap_sys_admin_added_to_new_binary.toml ├── persistence_creation_of_kernel_module.toml ├── persistence_github_new_pat_for_user.toml ├── persistence_github_new_user_added_to_organization.toml ├── persistence_iam_instance_request_to_iam_service.toml ├── persistence_startup_folder_lnk.toml ├── persistence_transport_agent_exchange.toml ├── persistence_web_server_sus_file_creation.toml └── privilege_escalation_trap_execution.toml └── tests ├── __init__.py ├── base.py ├── data ├── __init__.py └── command_control_dummy_production_rule.toml ├── kuery ├── __init__.py ├── test_dsl.py ├── test_eql2kql.py ├── test_evaluator.py ├── test_kql2eql.py ├── test_lint.py └── test_parser.py ├── test_all_rules.py ├── test_gh_workflows.py ├── test_hunt_data.py ├── test_packages.py ├── test_python_library.py ├── test_rules_remote.py ├── test_schemas.py ├── test_specific_rules.py ├── test_toml_formatter.py ├── test_transform_fields.py ├── test_utils.py └── test_version_locking.py /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # detection-rules code owners 2 | # POC: Elastic Security Intelligence and Analytics Team 3 | 4 | tests/**/*.py @mikaayenson @eric-forte-elastic @terrancedejesus 5 | detection_rules/ @mikaayenson @eric-forte-elastic @terrancedejesus 6 | tests/ @mikaayenson @eric-forte-elastic @terrancedejesus 7 | lib/ @mikaayenson @eric-forte-elastic @terrancedejesus 8 | hunting/ @mikaayenson @eric-forte-elastic @terrancedejesus 9 
| 10 | # skip rta-mapping to avoid the spam 11 | detection_rules/etc/packages.yaml @mikaayenson @eric-forte-elastic @terrancedejesus 12 | detection_rules/etc/*.json @mikaayenson @eric-forte-elastic @terrancedejesus 13 | detection_rules/etc/*.json @mikaayenson @eric-forte-elastic @terrancedejesus 14 | detection_rules/etc/*/* @mikaayenson @eric-forte-elastic @terrancedejesus 15 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/new_meta.yaml: -------------------------------------------------------------------------------- 1 | name: New Meta Issue 2 | description: Meta Template for Sprint work 3 | title: "[Meta] Name of Meta Issue" 4 | labels: ["Meta", "Team: TRADE"] 5 | assignees: [] 6 | projects: ["elastic/1268"] 7 | 8 | body: 9 | - type: input 10 | id: parent_epic 11 | attributes: 12 | label: Epic Link 13 | description: "Please link the parent epic issue here if one exists; otherwise, leave it blank." 14 | placeholder: "https://github.com/elastic/detection-rules/issues/1234" 15 | 16 | - type: textarea 17 | id: meta_summary 18 | attributes: 19 | label: Meta Summary 20 | description: "Please provide a detailed explanation of what you are planning to do, what you hope to accomplish, and why this is important." 21 | placeholder: "Detailed explanation..." 22 | 23 | - type: input 24 | id: estimated_time 25 | attributes: 26 | label: Estimated Time to Complete 27 | description: "Provide an estimate of the time required to complete the tasks." 28 | placeholder: "e.g., 2 weeks" 29 | 30 | - type: textarea 31 | id: potential_blockers 32 | attributes: 33 | label: Potential Blockers 34 | description: "List any potential blockers that might impede progress." 35 | placeholder: "- Potential blockers..." 
36 | 37 | - type: textarea 38 | attributes: 39 | label: Tasking 40 | value: "\n### Meta Tasks\n- [ ] Provide Week 1 Update Comment\n- [ ] Provide Week 2 Update or Closeout Comment\n" 41 | render: 42 | 43 | - type: textarea 44 | id: potential_references 45 | attributes: 46 | label: Potential References 47 | description: "List any references or resources used." 48 | placeholder: "- Reference url..." 49 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/rule_deprecation.yaml: -------------------------------------------------------------------------------- 1 | name: Rule Deprecation 2 | description: Recommendation to deprecate a rule 3 | title: "[Deprecation] Name of the rule" 4 | labels: ["Rule: Deprecation", "Team: TRADE"] 5 | assignees: [] 6 | projects: ["elastic/1268"] 7 | 8 | body: 9 | - type: input 10 | id: rule_link 11 | attributes: 12 | label: Link to Rule 13 | description: "Provide a link to the rule being recommended for deprecation." 14 | placeholder: "https://github.com/elastic/detection-rules/tree/main/rules/..." 15 | 16 | - type: textarea 17 | id: description 18 | attributes: 19 | label: Description 20 | description: "Provide a detailed description of why the rule should be deprecated." 21 | placeholder: "Detailed description..." 22 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/schema_feature_request.yaml: -------------------------------------------------------------------------------- 1 | name: Kibana schema update feature request 2 | description: 'Suggest a rule schema change related to Kibana schemas' 3 | title: "[FR] Update schemas to support " 4 | labels: ["schema", "python", "Team: TRADE"] 5 | assignees: [] 6 | projects: ["elastic/1268"] 7 | 8 | body: 9 | - type: input 10 | id: kibana_pr_link 11 | attributes: 12 | label: Link to Kibana PR 13 | description: "Provide a link to the Kibana PR with the relevant schema changes." 
14 | placeholder: "https://github.com/elastic/kibana/pull/..." 15 | 16 | - type: textarea 17 | id: feature_description 18 | attributes: 19 | label: Feature Description 20 | description: "Which Kibana feature needs to be supported within our schemas?" 21 | placeholder: "Describe the feature or provide a link..." 22 | 23 | - type: textarea 24 | id: desired_solution 25 | attributes: 26 | label: Desired Solution 27 | description: "A clear and concise description of what you want to happen." 28 | placeholder: "Describe the solution you want..." 29 | 30 | - type: textarea 31 | id: considered_alternatives 32 | attributes: 33 | label: Considered Alternatives 34 | description: "A clear and concise description of any alternative solutions or features you've considered." 35 | placeholder: "Describe any alternatives you've considered..." 36 | 37 | - type: textarea 38 | id: additional_context 39 | attributes: 40 | label: Additional Context 41 | description: "Add any other context, explanations, or screenshots about the feature request here." 42 | placeholder: "Additional context, explanations, or screenshots..." 43 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_GUIDELINES/rule_deprecation_guidelines.md: -------------------------------------------------------------------------------- 1 | ## Rule: Deprecation - Guidelines 2 | 3 | These guidelines serve as a reminder of the considerations to weigh when recommending the deprecation of a rule. 4 | 5 | ### Documentation and Context 6 | 7 | - [ ] Description of the reason for deprecation. 8 | - [ ] Include any context or historical data supporting the deprecation decision. 9 | 10 | ### Rule Metadata Checks 11 | 12 | - [ ] `deprecated = true` added to the rule metadata. 13 | - [ ] `updated_date` should be the date of the PR. 
14 | 15 | ### Testing and Validation 16 | 17 | - [ ] A prior rule tuning occurred for the rule where `Deprecated - ` is prepended to the rule name, and the rule has already been released. 18 | - [ ] Rule has been moved to the `_deprecated` directory. 19 | - [ ] Double-check for any detection gaps potentially or inadvertently introduced by the deprecation. 20 | - [ ] Provide evidence that the rule is no longer needed or has been replaced (e.g., alternative rules, updated detection methods). 21 | -------------------------------------------------------------------------------- /.github/release-drafter.yml: -------------------------------------------------------------------------------- 1 | name-template: 'dev-v$RESOLVED_VERSION' 2 | tag-template: 'dev-v$RESOLVED_VERSION' 3 | tag-prefix: 'dev-v' 4 | 5 | categories: 6 | - title: 🚀 Features 7 | label: 'enhancement' 8 | - title: 🐛 Bug Fixes 9 | label: 'bug' 10 | - title: 🛠 Internal Changes 11 | labels: 12 | - 'maintenance' 13 | - 'schema' 14 | - 'documentation' 15 | - 'python' 16 | - title: 🔍 Hunting Updates 17 | label: 'Hunting' 18 | 19 | change-template: '- $TITLE (#$NUMBER) @$AUTHOR' 20 | exclude-labels: 21 | - 'skip-changelog' 22 | 23 | version-resolver: 24 | major: 25 | labels: 26 | - 'major' 27 | minor: 28 | labels: 29 | - 'minor' 30 | patch: 31 | labels: 32 | - 'patch' 33 | default: patch 34 | 35 | template: | 36 | ## Changes 37 | $CHANGES 38 | -------------------------------------------------------------------------------- /.github/workflows/branch-status-checks.yml: -------------------------------------------------------------------------------- 1 | name: Branch Version Status Checks 2 | 3 | on: 4 | pull_request: 5 | branches: [ "*" ] 6 | 7 | jobs: 8 | get-branches: 9 | uses: ./.github/workflows/get-target-branches.yml 10 | 11 | branch-status-checks: 12 | needs: get-branches 13 | runs-on: ubuntu-latest 14 | strategy: 15 | matrix: 16 | target_branch: ${{ fromJSON(needs.get-branches.outputs.branches) }} 17 | 18 | steps: 19 | - name: Get Backport Status 
20 | id: get_backport_status 21 | uses: fjogeleit/http-request-action@v1 22 | with: 23 | url: "https://api.github.com/repos/elastic/detection-rules/actions/workflows/pythonpackage.yml/runs?per_page=1&branch=${{matrix.target_branch}}" 24 | method: 'GET' 25 | bearerToken: ${{ secrets.READ_ELASTIC_DETECTION_RULES_ORG_TOKEN }} 26 | 27 | - name: Check Backport Status 28 | uses: actions/github-script@v6 29 | with: 30 | script: | 31 | const workflow_status = ${{ toJSON(fromJSON(steps.get_backport_status.outputs.response).workflow_runs[0].status) }} 32 | const workflow_conclusion = ${{ toJSON(fromJSON(steps.get_backport_status.outputs.response).workflow_runs[0].conclusion) }} 33 | if (workflow_status != 'completed' || 34 | workflow_conclusion != 'success') { 35 | core.setFailed('Recent Backport status: ' + workflow_status + ', conclusion: ' + workflow_conclusion) 36 | } 37 | -------------------------------------------------------------------------------- /.github/workflows/docs-build.yml: -------------------------------------------------------------------------------- 1 | name: docs-build 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | pull_request_target: ~ 8 | 9 | jobs: 10 | preview: 11 | uses: elastic/docs-builder/.github/workflows/preview-build.yml@main 12 | with: 13 | continue-on-error: false 14 | strict: true 15 | path-pattern: | 16 | docs/** 17 | rules/** 18 | rules_building_block/** 19 | permissions: 20 | deployments: write 21 | id-token: write 22 | contents: read 23 | pull-requests: read 24 | -------------------------------------------------------------------------------- /.github/workflows/docs-cleanup.yml: -------------------------------------------------------------------------------- 1 | name: docs-cleanup 2 | 3 | on: 4 | pull_request_target: 5 | types: 6 | - closed 7 | 8 | jobs: 9 | preview: 10 | uses: elastic/docs-builder/.github/workflows/preview-cleanup.yml@main 11 | permissions: 12 | contents: none 13 | id-token: write 14 | deployments: write 15 | 
-------------------------------------------------------------------------------- /.github/workflows/get-target-branches.yml: -------------------------------------------------------------------------------- 1 | name: List Target Branches 2 | 3 | on: 4 | workflow_call: 5 | # Map the workflow outputs to job outputs 6 | outputs: 7 | branches: 8 | description: "List of target branches" 9 | value: ${{ jobs.list-target-branches.outputs.matrix }} 10 | 11 | jobs: 12 | list-target-branches: 13 | runs-on: ubuntu-latest 14 | outputs: 15 | matrix: ${{ steps.get-branch-list.outputs.matrix }} 16 | steps: 17 | - uses: actions/checkout@v4 18 | 19 | - name: Set up Python 3.12 20 | uses: actions/setup-python@v5 21 | with: 22 | python-version: '3.12' 23 | 24 | - name: Install dependencies 25 | run: | 26 | python -m pip install --upgrade pip 27 | pip cache purge 28 | pip install .[dev] 29 | 30 | - id: get-branch-list 31 | run: | 32 | python -m detection_rules dev utils get-branches 33 | echo "::set-output name=matrix::$(cat ./detection_rules/etc/target-branches.yaml)" 34 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/.gitmodules -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | # See https://pre-commit.com for more information 2 | # See https://pre-commit.com/hooks.html for more hooks 3 | repos: 4 | - repo: https://github.com/PyCQA/flake8 5 | rev: 5.0.4 6 | hooks: 7 | - id: flake8 8 | args: ['--ignore=D203,C901,E501,W503', '--max-line-length=120','--max-complexity=10', '--statistics'] 9 | exclude: '^kql' 10 | - repo: https://github.com/PyCQA/bandit 11 | rev: 1.7.4 12 | hooks: 13 | - id: bandit 14 | args: ['-s', 
'B101,B603,B404,B607'] 15 | exclude: '^kql' 16 | # Potential future rigor 17 | # - repo: https://github.com/PyCQA/pylint 18 | # rev: v2.15.6 19 | # hooks: 20 | # - id: pylint 21 | # language: system 22 | # exclude: '^kql' 23 | # - repo: https://github.com/PyCQA/isort 24 | # rev: 5.10.1 25 | # hooks: 26 | # - id: isort 27 | -------------------------------------------------------------------------------- /detection_rules/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one 2 | # or more contributor license agreements. Licensed under the Elastic License 3 | # 2.0; you may not use this file except in compliance with the Elastic License 4 | # 2.0. 5 | 6 | """Detection rules.""" 7 | 8 | import sys 9 | 10 | 11 | assert (3, 12) <= sys.version_info < (4, 0), "Only Python 3.12+ supported" 12 | 13 | from . import ( # noqa: E402 14 | custom_schemas, 15 | custom_rules, 16 | devtools, 17 | docs, 18 | eswrap, 19 | ghwrap, 20 | kbwrap, 21 | main, 22 | ml, 23 | misc, 24 | navigator, 25 | rule_formatter, 26 | rule_loader, 27 | schemas, 28 | utils 29 | ) 30 | 31 | __all__ = ( 32 | 'custom_rules', 33 | 'custom_schemas', 34 | 'devtools', 35 | 'docs', 36 | 'eswrap', 37 | 'ghwrap', 38 | 'kbwrap', 39 | "main", 40 | 'misc', 41 | 'ml', 42 | 'navigator', 43 | 'rule_formatter', 44 | 'rule_loader', 45 | 'schemas', 46 | 'utils' 47 | ) 48 | -------------------------------------------------------------------------------- /detection_rules/__main__.py: -------------------------------------------------------------------------------- 1 | # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one 2 | # or more contributor license agreements. Licensed under the Elastic License 3 | # 2.0; you may not use this file except in compliance with the Elastic License 4 | # 2.0. 

# coding=utf-8
"""Shell for detection-rules."""
import sys
from pathlib import Path

import click

# Same interpreter guard as the package __init__.
# NOTE: `assert` is stripped under `python -O`, so the guard only holds in
# non-optimized runs.
assert (3, 12) <= sys.version_info < (4, 0), "Only Python 3.12+ supported"


from .main import root  # noqa: E402

# Directory layout derived from this file's own location: CURR_DIR is the
# detection_rules package directory; CLI_DIR and ROOT_DIR walk one and two
# levels up from it.
CURR_DIR = Path(__file__).resolve().parent
CLI_DIR = CURR_DIR.parent
ROOT_DIR = CLI_DIR.parent

# Raw string: the block-character banner echoed before the CLI starts.
BANNER = r"""
█▀▀▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄▄▄ ▄ ▄ █▀▀▄ ▄ ▄ ▄ ▄▄▄ ▄▄▄
█ █ █▄▄ █ █▄▄ █ █ █ █ █ █▀▄ █ █▄▄▀ █ █ █ █▄▄ █▄▄
█▄▄▀ █▄▄ █ █▄▄ █▄▄ █ ▄█▄ █▄█ █ ▀▄█ █ ▀▄ █▄▄█ █▄▄ █▄▄ ▄▄█
"""


def main():
    """CLI entry point: echo the banner, then hand control to the click root group."""
    click.echo(BANNER)
    root(prog_name="detection_rules")


# Invoked unconditionally at import time (no `if __name__ == "__main__":`
# guard), so importing detection_rules.__main__ also runs the CLI.
main()
--------------------------------------------------------------------------------
/detection_rules/etc/__init__.py:
--------------------------------------------------------------------------------
# Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
# or more contributor license agreements. Licensed under the Elastic License
# 2.0; you may not use this file except in compliance with the Elastic License
# 2.0.
5 | -------------------------------------------------------------------------------- /detection_rules/etc/attack-v17.1.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/attack-v17.1.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/main.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/main.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.10.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v7.10.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.11.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v7.11.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.12.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v7.12.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.13.2.json.gz: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v7.13.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.14.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v7.14.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.15.1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v7.15.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.16.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v7.16.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.7.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v7.7.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.8.1.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v7.8.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v7.9.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v7.9.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.0.1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.0.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.1.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.1.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.10.3.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.10.3.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.11.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.11.2.json.gz 
-------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.12.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.12.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.13.4.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.13.4.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.14.3.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.14.3.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.15.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.15.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.15.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.15.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.15.3.json.gz: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.15.3.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.16.1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.16.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.17.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.17.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.17.1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.17.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.18.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.18.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.2.1.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.2.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.2.3.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.2.3.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.3.3.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.3.3.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.4.1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.4.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.4.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.4.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.4.3.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.4.3.json.gz 
-------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.5.1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.5.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.5.2.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.5.2.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.5.3.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.5.3.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.6.1.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.6.1.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.7.0.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.7.0.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/beats_schemas/v8.8.2.json.gz: 
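--------------------------------------------------------------------------------
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.8.2.json.gz
--------------------------------------------------------------------------------
/detection_rules/etc/beats_schemas/v8.9.0.json.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v8.9.0.json.gz
--------------------------------------------------------------------------------
/detection_rules/etc/beats_schemas/v9.0.0-beta1.json.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v9.0.0-beta1.json.gz
--------------------------------------------------------------------------------
/detection_rules/etc/beats_schemas/v9.0.0.json.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/beats_schemas/v9.0.0.json.gz
--------------------------------------------------------------------------------
/detection_rules/etc/commit-and-push.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Backport helper: commits the changes already staged in the working tree onto
# a target branch, reusing the original commit's author and message, appends a
# cherry-pick trailer and pushes.
#
# Positional arguments:
#   $1  target branch to check out and commit on
#   $2  SHA of the commit being backported (source of --reuse-message and the trailer)
# Environment:
#   COMMIT_MSG_FILE     path where the amended commit message is assembled
#   UNSTAGED_LIST_FILE  optional file listing (one per line) the paths whose
#                       changes were dropped from the backport
set -x
set -e

echo "Switch to the target branch and keep the staged changes"
TARGET_BRANCH=$1
COMMIT_SHA=$2
# Fail early with a clear message instead of letting an empty value reach git:
# a bare `git checkout` silently succeeds on the current branch, and an unset
# COMMIT_MSG_FILE only surfaces later as an "ambiguous redirect".
: "${TARGET_BRANCH:?target branch argument (\$1) is required}"
: "${COMMIT_SHA:?commit sha argument (\$2) is required}"
: "${COMMIT_MSG_FILE:?COMMIT_MSG_FILE must be set}"
echo "Backporting from commit ${COMMIT_SHA} on branch ${TARGET_BRANCH}"

echo "Checking out target branch"
git checkout "${TARGET_BRANCH}"

# `git diff --quiet` exits non-zero when the staged tree differs from HEAD.
NEEDS_BACKPORT=$(git diff HEAD --quiet --exit-code && echo n || echo y)

if [ "n" = "$NEEDS_BACKPORT" ]
then
    echo "No changes to backport"
    exit 0
fi

echo "Create the new commit with the same author"
git commit --reuse-message "${COMMIT_SHA}"

echo "Save the commit message"
git log "${COMMIT_SHA}" --format=%B -n1 > "$COMMIT_MSG_FILE"

echo "Append to the commit message"
# An unset or empty UNSTAGED_LIST_FILE falls through to the plain trailer.
if [ -s "$UNSTAGED_LIST_FILE" ]
then
    echo "Track note for the removed files"

    echo "" >> "$COMMIT_MSG_FILE"
    echo "Removed changes from:" >> "$COMMIT_MSG_FILE"
    awk '{print "- " $0}' "$UNSTAGED_LIST_FILE" >> "$COMMIT_MSG_FILE"
    echo "" >> "$COMMIT_MSG_FILE"
    # Double quotes so ${COMMIT_SHA} is expanded: the previous single-quoted
    # form wrote the literal text "${COMMIT_SHA}" into the trailer.
    echo "(selectively cherry picked from commit ${COMMIT_SHA})" >> "$COMMIT_MSG_FILE"
else
    echo "No removed files"

    echo "" >> "$COMMIT_MSG_FILE"
    echo "(cherry picked from commit ${COMMIT_SHA})" >> "$COMMIT_MSG_FILE"
fi

echo "Amend the commit message and push"
git commit --amend -F "$COMMIT_MSG_FILE"
git push
--------------------------------------------------------------------------------
/detection_rules/etc/ecs_schemas/1.0.1/ecs_flat.json.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.0.1/ecs_flat.json.gz
--------------------------------------------------------------------------------
/detection_rules/etc/ecs_schemas/1.0.1/ecs_nested.json.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.0.1/ecs_nested.json.gz
--------------------------------------------------------------------------------
/detection_rules/etc/ecs_schemas/1.1.0/ecs_flat.json.gz:
--------------------------------------------------------------------------------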
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.1.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.1.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.1.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.10.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.10.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.11.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.11.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.12.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.12.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.12.1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.12.1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.12.2/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.12.2/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.2.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.2.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.2.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.2.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.3.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.3.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.3.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.3.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.3.1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.3.1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.3.1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.3.1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.4.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.4.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.4.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.4.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.5.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.5.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.5.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.5.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.6.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.6.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.6.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.6.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.7.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.7.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.8.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.8.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.9.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/1.9.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.0.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.0.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.0.1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.0.1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.1.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.1.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.10.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.10.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.11.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.11.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.16.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.16.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.17.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.17.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.2.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.2.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.2.1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.2.1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.3.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.3.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.3.1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.3.1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.4.0-rc1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.4.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.4.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.5.0-rc1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.5.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.5.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.5.1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.5.1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.5.2/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.5.2/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.6.0-rc1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.6.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.6.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.6.1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.6.1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.7.0-rc1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.7.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.7.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.8.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.8.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.9.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/8.9.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/9.0.0-rc1/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/9.0.0/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/9.0.0/ecs_nested.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/ecs_schemas/master_9.1.0-dev/ecs_flat.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/endgame_schemas/1.9.0/endgame_ecs_mapping.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/endgame_schemas/1.9.0/endgame_ecs_mapping.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/endgame_schemas/8.4.0/endgame_ecs_mapping.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/endgame_schemas/8.4.0/endgame_ecs_mapping.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/endpoint_schemas/endpoint_process.json.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/endpoint_schemas/endpoint_process.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/example_test_config.yaml: -------------------------------------------------------------------------------- 1 | 2 | # set the environment variable DETECTION_RULES_TEST_CONFIG 3 | 4 | # `bypass` and `test_only` are mutually exclusive and will cause an error if both are specified. 5 | # 6 | # tests can be defined by their full name or using glob-style patterns with the following notation 7 | # pattern:*rule* 8 | # the patterns are case sensitive 9 | 10 | unit_tests: 11 | # define tests to explicitly bypass, with all others being run 12 | # 13 | # to run all tests, set bypass to empty or leave this file commented out 14 | bypass: 15 | # - tests.test_all_rules.TestValidRules.test_schema_and_dupes 16 | # - tests.test_packages.TestRegistryPackage.test_registry_package_config 17 | # - tests.test_all_rules.TestRuleMetadata.test_event_dataset 18 | # - tests.test_all_rules.TestRuleMetadata.test_integration_tag 19 | # - tests.test_gh_workflows.TestWorkflows.test_matrix_to_lock_version_defaults 20 | # - pattern:*rule* 21 | # - pattern:*kuery* 22 | 23 | # define tests to explicitly run, with all others being bypassed 24 | # 25 | # to bypass all tests, set test_only to empty 26 | test_only: 27 | # - tests.test_all_rules.TestRuleMetadata.test_event_dataset 28 | # - pattern:*rule* 29 | 30 | 31 | # `bypass` and `test_only` are mutually exclusive and will cause an error if both are specified. 
32 | # 33 | # both variables require a list of rule_ids 34 | rule_validation: 35 | 36 | bypass: 37 | # - "34fde489-94b0-4500-a76f-b8a157cf9269" 38 | 39 | 40 | test_only: 41 | # - "34fde489-94b0-4500-a76f-b8a157cf9269" 42 | -------------------------------------------------------------------------------- /detection_rules/etc/integration-manifests.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/integration-manifests.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/integration-schemas.json.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/detection_rules/etc/integration-schemas.json.gz -------------------------------------------------------------------------------- /detection_rules/etc/lock-multiple.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -x 3 | set -e 4 | 5 | CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD) 6 | 7 | # switch to 8 | for BRANCH in $(echo $@ | sed "s/,/ /g") 9 | do 10 | echo $BRANCH 11 | git checkout $BRANCH 12 | git pull 13 | python -m detection_rules dev build-release --update-version-lock 14 | done 15 | 16 | git checkout ${CURRENT_BRANCH} 17 | -------------------------------------------------------------------------------- /detection_rules/etc/packages.yaml: -------------------------------------------------------------------------------- 1 | package: 2 | filter: 3 | maturity: 4 | - production 5 | log_deprecated: true 6 | name: '9.1' 7 | registry_data: 8 | categories: 9 | - security 10 | conditions: 11 | elastic: 12 | capabilities: 13 | - security 14 | subscription: basic 15 | kibana.version: ^9.1.0 16 | description: Prebuilt detection 
rules for Elastic Security 17 | format_version: 3.0.0 18 | icons: 19 | - size: 16x16 20 | src: /img/security-logo-color-64px.svg 21 | type: image/svg+xml 22 | name: security_detection_engine 23 | owner: 24 | github: elastic/protections 25 | type: elastic 26 | source: 27 | license: Elastic-2.0 28 | title: Prebuilt Security Detection Rules 29 | type: integration 30 | version: 9.1.0-beta.1 31 | release: true 32 | -------------------------------------------------------------------------------- /detection_rules/etc/security-logo-color-64px.svg: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | security-logo-color-64px 5 | Created with Sketch. 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /detection_rules/etc/test_hunting_cli.bash: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Path to the virtual environment 4 | VENV_PATH="./env/detection-rules-build" 5 | 6 | # Activate the virtual environment 7 | source "$VENV_PATH/bin/activate" 8 | 9 | echo "Running hunting CLI tests..." 10 | 11 | echo "Searching: Search for T1078.004 subtechnique in AWS data source" 12 | python -m hunting search --sub-technique T1078.004 --data-source aws 13 | 14 | echo "Refreshing index" 15 | python -m hunting refresh-index 16 | 17 | echo "Generating Markdown: initial_access_higher_than_average_failed_authentication.toml" 18 | python -m hunting generate-markdown /Users/tdejesus/code/src/detection-rules/hunting/okta/queries/initial_access_higher_than_average_failed_authentication.toml 19 | 20 | echo "Running Query: low_volume_external_network_connections_from_process.toml" 21 | echo "Requires .detection-rules-cfg.json credentials file set." 
22 | python -m hunting run-query --file-path /Users/tdejesus/code/src/detection-rules/hunting/linux/queries/low_volume_external_network_connections_from_process.toml --all 23 | 24 | echo "Viewing Hunt: 12526f14-5e35-4f5f-884c-96c6a353a544" 25 | python -m hunting view-hunt --uuid 12526f14-5e35-4f5f-884c-96c6a353a544 --format json 26 | 27 | echo "Generating summary of hunts by integration" 28 | python -m hunting hunt-summary --breakdown integration 29 | 30 | echo "Generating summary of hunts by platform" 31 | python -m hunting hunt-summary --breakdown platform 32 | 33 | echo "Generating summary of hunts by language" 34 | python -m hunting hunt-summary --breakdown language 35 | -------------------------------------------------------------------------------- /detection_rules/etc/test_remote_cli.bash: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # Path to the virtual environment 4 | VENV_PATH="./env/detection-rules-build" 5 | 6 | # Activate the virtual environment 7 | source "$VENV_PATH/bin/activate" 8 | 9 | echo "Running detection-rules remote CLI tests..." 10 | 11 | echo "Performing a quick rule alerts search..." 12 | echo "Requires .detection-rules-cfg.json credentials file set." 13 | python -m detection_rules kibana search-alerts 14 | 15 | echo "Performing a rule export..." 16 | mkdir tmp-export 2>/dev/null 17 | python -m detection_rules kibana export-rules -d tmp-export -sv --skip-errors 18 | ls tmp-export 19 | echo "Removing generated files..." 20 | rm -rf tmp-export 21 | 22 | echo "Detection-rules CLI tests completed!" 
23 | -------------------------------------------------------------------------------- /docs-dev/deprecating.md: -------------------------------------------------------------------------------- 1 | # Deprecating rules 2 | 3 | Rules that have been version locked (added to [version.lock.json](../detection_rules/etc/version.lock.json)), which also means they 4 | have been added to the detection engine in Kibana, must be properly [deprecated](#steps-to-properly-deprecate-a-rule). 5 | 6 | If a rule was never version locked (not yet pushed to Kibana or still in non-`production` `maturity`), the rule can 7 | simply be removed with no additional changes, or updated the `maturity = "development"`, which will leave it out of the 8 | release package to Kibana. 9 | 10 | 11 | ## Steps to properly deprecate a rule 12 | 13 | 1. Update the `maturity` to `deprecated` 14 | 2. Move the rule file to [rules/_deprecated](../rules/_deprecated) 15 | 3. Add `deprecation_date` and update `updated_date` to match 16 | 17 | Next time the versions are locked, the rule will be added to the [deprecated_rules.json](../detection_rules/etc/deprecated_rules.json) 18 | file. 19 | 20 | 21 | ### Using the deprecate-rule command 22 | 23 | Alternatively, you can run `python -m detection_rules dev deprecate-rule `, which will perform all the steps 24 | -------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/experimental-detections.md: -------------------------------------------------------------------------------- 1 | 2 | # Experimental ML Jobs and Rules 3 | 4 | The ingest pipeline enriches process events by adding additional fields, which are used to power several rules. 5 | The experimental rules and jobs are staged separately from the model bundles under [releases](https://github.com/elastic/detection-rules/releases), with the tag `ML-experimental-detections-YYYMMDD-N`. 
New releases with this tag may contain either updates to existing rules or new experimental detections. 6 | 7 | Note that if a rule is of `type = "machine_learning"`, then it may be dependent on uploading and running a machine 8 | learning job first. If this is the case, it will likely be annotated within the `note` field of the rule. 9 | 10 | ### Uploading rules 11 | 12 | Unzip the release bundle and upload these rules individually. 13 | 14 | Rules are now stored in ndjson format and can be imported into Kibana via the security app detections page. 15 | 16 | Earlier releases stored the rules in toml format. These can be uploaded using the 17 | [7.12 branch](https://github.com/elastic/detection-rules/tree/7.12) CLI using the 18 | [kibana import-rules](../../CLI.md#uploading-rules-to-kibana) command 19 | 20 | -------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/images/0a_host_risk_score_card.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/docs-dev/experimental-machine-learning/images/0a_host_risk_score_card.png -------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/images/0b_alert_summary.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/docs-dev/experimental-machine-learning/images/0b_alert_summary.png -------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/images/0c_host_page_risk_column.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/docs-dev/experimental-machine-learning/images/0c_host_page_risk_column.png -------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/images/0d_host_page_hosts_by_risk_tab.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/docs-dev/experimental-machine-learning/images/0d_host_page_hosts_by_risk_tab.png -------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/images/0e_host_details_page_risk_overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/docs-dev/experimental-machine-learning/images/0e_host_details_page_risk_overview.png -------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/images/0f_host_details_page_hosts_by_risk_tab.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/docs-dev/experimental-machine-learning/images/0f_host_details_page_hosts_by_risk_tab.png -------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/images/1_create_deployment.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/docs-dev/experimental-machine-learning/images/1_create_deployment.png -------------------------------------------------------------------------------- 
/docs-dev/experimental-machine-learning/images/2_edit_configuration.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/docs-dev/experimental-machine-learning/images/2_edit_configuration.png -------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/images/3_edit_user_settings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/docs-dev/experimental-machine-learning/images/3_edit_user_settings.png -------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/images/4_add_flag.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/docs-dev/experimental-machine-learning/images/4_add_flag.png -------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/images/5_save_settings.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/docs-dev/experimental-machine-learning/images/5_save_settings.png -------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/images/6_confirm_activity_finished.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/docs-dev/experimental-machine-learning/images/6_confirm_activity_finished.png 
-------------------------------------------------------------------------------- /docs-dev/experimental-machine-learning/readme.md: -------------------------------------------------------------------------------- 1 | 2 | # Experimental machine learning 3 | 4 | This repo contains some additional information and files to use experimental[*](#what-does-experimental-mean-in-this-context) machine learning features and detections 5 | 6 | ## Features 7 | * [DGA](DGA.md) 8 | * [ProblemChild](problem-child.md) 9 | * [HostRiskScore](host-risk-score.md) 10 | * [URLSpoof](url-spoof.md) 11 | * [UserRiskScore](user-risk-score.md) 12 | * [experimental detections](experimental-detections.md) 13 | 14 | ## Releases 15 | 16 | There are separate [releases](https://github.com/elastic/detection-rules/releases) for: 17 | * DGA: `ML-DGA-*` 18 | * ProblemChild: `ML-ProblemChild-*` 19 | * Host Risk Score: `ML-HostRiskScore-*` 20 | * URL Spoof: `ML-URLSpoof-*` 21 | * experimental detections: `ML-experimental-detections-*` 22 | 23 | Releases will use the tag `ML-TYPE-YYYMMDD-N`, which will be needed for uploading the model using the CLI. 24 | 25 | 26 | ##### What does experimental mean in this context? 27 | 28 | Experimental model bundles (models, scripts, and pipelines), rules, and jobs are components which are currently in 29 | development and so may not have completed the testing or scrutiny which full production detections are subjected to. 30 | 31 | It may also make use of features which are not yet GA and so may be subject to change and are not covered by the support 32 | SLA of general release (GA) features. Some of these features may also never make it to GA. 
-------------------------------------------------------------------------------- /docs/docset.yml: -------------------------------------------------------------------------------- 1 | project: 'detection rules' 2 | cross_links: 3 | - docs-content 4 | exclude: 5 | - '_*.md' 6 | - 'README.md' 7 | 8 | extensions: 9 | - detection-rules 10 | 11 | toc: 12 | - file: index.md 13 | detection_rules: ['../rules', '../rules_building_block'] 14 | 15 | -------------------------------------------------------------------------------- /docs/index.md: -------------------------------------------------------------------------------- 1 | # Detection rules 2 | 3 | Landing / overview page 4 | -------------------------------------------------------------------------------- /hunting/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one 2 | # or more contributor license agreements. Licensed under the Elastic License 3 | # 2.0; you may not use this file except in compliance with the Elastic License 4 | # 2.0. 5 | -------------------------------------------------------------------------------- /hunting/aws/docs/ssm_sendcommand_api_used_by_ec2_instance.md: -------------------------------------------------------------------------------- 1 | # SSM SendCommand API Used by EC2 Instance 2 | 3 | --- 4 | 5 | ## Metadata 6 | 7 | - **Author:** Elastic 8 | - **Description:** An attacker with compromised EC2 instance credentials may use those credentials to attempt remote code execution, via the SSM SendCommand API, against the EC2 instance from which the credentials were compromised. 
9 | 10 | - **UUID:** `38454a64-5b55-11ef-b345-f661ea17fbce` 11 | - **Integration:** [aws.cloudtrail](https://docs.elastic.co/integrations/aws/cloudtrail) 12 | - **Language:** `[ES|QL]` 13 | - **Source File:** [SSM SendCommand API Used by EC2 Instance](../queries/ssm_sendcommand_api_used_by_ec2_instance.toml) 14 | 15 | ## Query 16 | 17 | ```sql 18 | from logs-aws.cloudtrail-* 19 | | where @timestamp > now() - 7 day 20 | | where event.dataset == "aws.cloudtrail" 21 | and event.provider == "ssm.amazonaws.com" 22 | and aws.cloudtrail.user_identity.type == "AssumedRole" 23 | and event.action == "SendCommand" 24 | and user.id like "*:i-*" 25 | | keep @timestamp, event.provider, event.action, aws.cloudtrail.user_identity.type, user.id, aws.cloudtrail.request_parameters 26 | ``` 27 | 28 | ## Notes 29 | 30 | - The indicator that this is an EC2 instance assuming a role and performing the action is the use of an instance id (beginning with `i-`) as the session name. 31 | - The session name is attached to the end of the `user.id` field and of the `aws.cloudtrail.user_identity.arn` field. 32 | 33 | ## MITRE ATT&CK Techniques 34 | 35 | - [T1651](https://attack.mitre.org/techniques/T1651) 36 | 37 | ## License 38 | 39 | - `Elastic License v2` 40 | -------------------------------------------------------------------------------- /hunting/aws/queries/ec2_modify_instance_attribute_user_data.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunting query identifies when a user modifies the user data attribute of an EC2 instance. The user data attribute is a script that runs when the instance is launched. Modifying the user data attribute could indicate an adversary attempting to gain persistence or execute malicious code on the instance. 
5 | """ 6 | integration = ["aws.cloudtrail"] 7 | uuid = "f11ac62c-5f42-11ef-9d72-f661ea17fbce" 8 | name = "EC2 Modify Instance Attribute User Data" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Use the `instance_id` field to identify the EC2 instance for which the user data attribute was modified", 13 | "Pivot into the EC2 instance if possible and examine the user data script ('/var/lib/cloud/instance/scripts/userdata.txt') for malicious content", 14 | "To modify an EC2 instance's user data attribute, the instance must be stopped, therefore check for `StopInstances` API calls in `event.action` field to determine if the instance was stopped and started", 15 | "AWS redacts the value of the `user_data` attribute in the CloudTrail logs, so the actual script content will not be visible in the logs", 16 | ] 17 | mitre = ['T1059.009','T1037'] 18 | query = [''' 19 | from logs-aws.cloudtrail-* 20 | | where @timestamp > now() - 7 day 21 | | where 22 | event.provider == "ec2.amazonaws.com" 23 | and event.action == "ModifyInstanceAttribute" 24 | and aws.cloudtrail.request_parameters RLIKE ".*attribute=userData.*" 25 | | dissect aws.cloudtrail.request_parameters "{%{instance_id_key}=%{instance_id}, %{attribute_key}=%{attribute}, %{value_key}=%{value}}" 26 | | stats user_attribute_modify_count = count(*) by aws.cloudtrail.user_identity.arn, event.outcome 27 | '''] -------------------------------------------------------------------------------- /hunting/aws/queries/iam_user_activity_with_no_mfa_session.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunting query gathers data for evidence of an IAM user activity with no MFA session. This query identifies IAM user activity where the user is not MFA authenticated. 
Adversaries often target IAM users with weak or no MFA protection to gain unauthorized access to AWS resources after compromising the user's credentials via phishing, third-party breaches, or brute-forcing. 5 | """ 6 | integration = ["aws.cloudtrail"] 7 | uuid = "913a47be-649c-11ef-a693-f661ea17fbcc" 8 | name = "IAM User Activity with No MFA Session" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Review the `user_identity.arn` field to identify if activity is sourcing from a browser or programmatically via the AWS CLI or SDK.", 13 | "Review aggregated counts of API calls made for suspicious discovery or reconnaissance such as `List*`, `Describe*`, or `Get*` API calls.", 14 | ] 15 | mitre = ['T1078.004'] 16 | query = [''' 17 | from logs-aws.cloudtrail-* 18 | | where @timestamp > now() - 7 day 19 | | where event.dataset == "aws.cloudtrail" 20 | and aws.cloudtrail.user_identity.type == "IAMUser" 21 | and aws.cloudtrail.user_identity.session_context.mfa_authenticated == "false" 22 | and not user_agent.original in ("cloudformation.amazonaws.com", "application-autoscaling.amazonaws.com", "AWS Internal") 23 | and (aws.cloudtrail.user_identity.access_key_id is null or aws.cloudtrail.user_identity.access_key_id == "") 24 | | stats activity_counts = count(*) by event.provider, event.action, aws.cloudtrail.user_identity.arn 25 | '''] -------------------------------------------------------------------------------- /hunting/aws/queries/s3_public_bucket_rapid_object_access_attempts.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunting query identifies when an anonymous user, outside of the known AWS IP ranges, makes multiple `GetObject` requests to a public S3 bucket. Rapid access to objects in a public S3 bucket may indicate an adversary attempting to exfiltrate data or perform reconnaissance on the bucket contents. 
5 | """ 6 | integration = ["aws.cloudtrail"] 7 | uuid = "ef579900-75ef-11ef-b47f-f661ea17fbcc" 8 | name = "S3 Public Bucket Rapid Object Access Attempts" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Use the `bucket_name` field to identify the public S3 bucket that the objects were accessed from", 13 | "Use the `bucket_object` field to identify the objects that were accessed", 14 | "Review bucket policies and access control lists (ACLs) to ensure that the bucket is not publicly accessible", 15 | "" 16 | ] 17 | mitre = ["T1530"] 18 | query = [''' 19 | from logs-aws.cloudtrail* 20 | | where @timestamp > now() - 7 day 21 | | where event.provider == "s3.amazonaws.com" and event.action == "GetObject" and cloud.account.id == "anonymous" 22 | and NOT CIDR_MATCH(source.ip, 23 | "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", 24 | "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8", 25 | "52.95.0.0/16","54.239.0.0/16", "18.0.0.0/8", 26 | "3.0.0.0/8", "35.0.0.0/8") 27 | | DISSECT aws.cloudtrail.request_parameters "{%{?bucket_name_key}=%{bucket_name}, %{?host_key}=%{bucket_location}, %{?object_key}=%{bucket_object}}" 28 | | STATS s3_bucket_access_count = COUNT(bucket_object) by bucket_name 29 | | WHERE s3_bucket_access_count >= 15 30 | '''] -------------------------------------------------------------------------------- /hunting/aws/queries/ssm_sendcommand_api_used_by_ec2_instance.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | An attacker with compromised EC2 instance credentials may use those credentials to attempt remote code execution, via the SSM SendCommand API, against the EC2 instance from which the credentials were compromised. 
5 | """ 6 | integration = ["aws.cloudtrail"] 7 | uuid = "38454a64-5b55-11ef-b345-f661ea17fbce" 8 | name = "SSM SendCommand API Used by EC2 Instance" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "The indicator that this is an EC2 instance assuming a role and performing the action is the use of an instance id (beginning with `i-`) as the session name.", 13 | "The session name is attached to the end of the `user.id` field and of the `aws.cloudtrail.user_identity.arn` field." 14 | ] 15 | mitre = ["T1651"] 16 | query = [ 17 | ''' 18 | from logs-aws.cloudtrail-* 19 | | where @timestamp > now() - 7 day 20 | | where event.dataset == "aws.cloudtrail" 21 | and event.provider == "ssm.amazonaws.com" 22 | and aws.cloudtrail.user_identity.type == "AssumedRole" 23 | and event.action == "SendCommand" 24 | and user.id like "*:i-*" 25 | | keep @timestamp, event.provider, event.action, aws.cloudtrail.user_identity.type, user.id, aws.cloudtrail.request_parameters 26 | ''' 27 | ] -------------------------------------------------------------------------------- /hunting/linux/docs/defense_evasion_via_hidden_process_execution.md: -------------------------------------------------------------------------------- 1 | # Hidden Process Execution 2 | 3 | --- 4 | 5 | ## Metadata 6 | 7 | - **Author:** Elastic 8 | - **Description:** This hunt identifies hidden process executions on Linux systems. It detects processes executed from hidden files, which are often used by malicious actors to conceal their activities. By focusing on hidden files rather than directories, this hunt aims to catch stealthy processes while minimizing noise. 
9 | 10 | - **UUID:** `00461198-9a2d-4823-b4cc-f3d1b5c17935` 11 | - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) 12 | - **Language:** `[ES|QL]` 13 | - **Source File:** [Hidden Process Execution](../queries/defense_evasion_via_hidden_process_execution.toml) 14 | 15 | ## Query 16 | 17 | ```sql 18 | from logs-endpoint.events.process-* 19 | | where @timestamp > now() - 30 day 20 | | where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 21 | process.executable rlike "/[^/]+/\\.[^/]+" 22 | | stats cc = count(), host_count = count_distinct(host.name) by process.executable, process.parent.executable, user.id 23 | // Alter this threshold to make sense for your environment 24 | | where cc <= 3 and host_count <= 3 25 | | sort cc asc 26 | | limit 100 27 | ``` 28 | 29 | ## Notes 30 | 31 | - Included only hidden files, excluding hidden directories, as hidden directories are common in Unix. 32 | - Included a process or parent process count of <= 3, and a host count of <= 3 to eliminate common processes across different hosts. 33 | 34 | ## MITRE ATT&CK Techniques 35 | 36 | - [T1036.004](https://attack.mitre.org/techniques/T1036/004) 37 | - [T1059](https://attack.mitre.org/techniques/T1059) 38 | 39 | ## License 40 | 41 | - `Elastic License v2` 42 | -------------------------------------------------------------------------------- /hunting/linux/docs/defense_evasion_via_multi_dot_process_execution.md: -------------------------------------------------------------------------------- 1 | # Potential Defense Evasion via Multi-Dot Process Execution 2 | 3 | --- 4 | 5 | ## Metadata 6 | 7 | - **Author:** Elastic 8 | - **Description:** This hunt identifies potential defense evasion techniques via multi-dot process execution on Linux systems. It looks for processes with executables that contain three or more consecutive dots in their names. 
Such naming conventions can be used by malicious actors to evade detection and blend in with legitimate processes. 9 | 10 | - **UUID:** `11810497-8ce3-4960-9777-9d0e97052682` 11 | - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) 12 | - **Language:** `[ES|QL]` 13 | - **Source File:** [Potential Defense Evasion via Multi-Dot Process Execution](../queries/defense_evasion_via_multi_dot_process_execution.toml) 14 | 15 | ## Query 16 | 17 | ```sql 18 | from logs-endpoint.events.process-* 19 | | where @timestamp > now() - 30 day 20 | | where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.executable rlike """.*\.{3,}.*""" 21 | | stats cc = count() by process.executable 22 | // Alter this threshold to make sense for your environment 23 | | where cc <= 10 24 | | sort cc asc 25 | | limit 100 26 | ``` 27 | 28 | ## Notes 29 | 30 | - This query identifies processes with executables containing three or more consecutive dots in their names. 31 | - The process count threshold of <= 10 can be adjusted based on the environment's baseline activity. 32 | 33 | ## MITRE ATT&CK Techniques 34 | 35 | - [T1036.004](https://attack.mitre.org/techniques/T1036/004) 36 | - [T1070](https://attack.mitre.org/techniques/T1070) 37 | 38 | ## License 39 | 40 | - `Elastic License v2` 41 | -------------------------------------------------------------------------------- /hunting/linux/docs/low_volume_process_injection_syscalls_by_executable.md: -------------------------------------------------------------------------------- 1 | # Low Volume Process Injection-Related Syscalls by Process Executable 2 | 3 | --- 4 | 5 | ## Metadata 6 | 7 | - **Author:** Elastic 8 | - **Description:** This hunt identifies low volume process injection-related syscalls on Linux systems. It monitors audit logs for syscalls related to process injection, such as ptrace and memfd_create. 
The hunt focuses on processes that make these syscalls infrequently, which can indicate potential malicious activity. 9 | 10 | - **UUID:** `c9931736-d5ec-4c89-b4d2-d71dcf5ca12a` 11 | - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) 12 | - **Language:** `[ES|QL]` 13 | - **Source File:** [Low Volume Process Injection-Related Syscalls by Process Executable](../queries/low_volume_process_injection_syscalls_by_executable.toml) 14 | 15 | ## Query 16 | 17 | ```sql 18 | from logs-auditd_manager.auditd-*, logs-auditd.log-*, auditbeat-* 19 | | where @timestamp > now() - 30 day 20 | | where host.os.type == "linux" and auditd.data.syscall in ("ptrace", "memfd_create") 21 | | stats cc = count(*) by process.executable, auditd.data.syscall 22 | | where cc <= 10 23 | | limit 100 24 | | sort cc asc 25 | ``` 26 | 27 | ## Notes 28 | 29 | - Monitors for process injection-related syscalls such as ptrace and memfd_create. 30 | - Counts the occurrences of these syscalls by process executable to identify processes that make these syscalls infrequently. 31 | - Focuses on low volume occurrences to detect potential malicious activity related to process injection. 32 | 33 | ## MITRE ATT&CK Techniques 34 | 35 | - [T1055.001](https://attack.mitre.org/techniques/T1055/001) 36 | - [T1055.009](https://attack.mitre.org/techniques/T1055/009) 37 | 38 | ## License 39 | 40 | - `Elastic License v2` 41 | -------------------------------------------------------------------------------- /hunting/linux/docs/privilege_escalation_via_existing_sudoers.md: -------------------------------------------------------------------------------- 1 | # Privilege Escalation Identification via Existing Sudoers File 2 | 3 | --- 4 | 5 | ## Metadata 6 | 7 | - **Author:** Elastic 8 | - **Description:** This hunt identifies entries in the sudoers file on Linux systems using OSQuery. 
The sudoers file controls which users have administrative privileges and can be a target for attackers seeking to escalate their privileges. This hunt lists all sudoers rules for further analysis. 9 | 10 | - **UUID:** `6e57e6a6-f150-405d-b8be-e4e666a3a86d` 11 | - **Integration:** [endpoint](https://docs.elastic.co/integrations/endpoint) 12 | - **Language:** `[SQL]` 13 | - **Source File:** [Privilege Escalation Identification via Existing Sudoers File](../queries/privilege_escalation_via_existing_sudoers.toml) 14 | 15 | ## Query 16 | 17 | ```sql 18 | SELECT * FROM sudoers 19 | ``` 20 | 21 | ## Notes 22 | 23 | - Lists all entries in the sudoers file using OSQuery to detect potentially unauthorized or suspicious rules. 24 | - Requires additional data analysis and investigation into results to identify malicious or misconfigured sudoers entries. 25 | - Focuses on monitoring and analyzing administrative privileges granted through the sudoers file. 26 | 27 | ## MITRE ATT&CK Techniques 28 | 29 | - [T1548.003](https://attack.mitre.org/techniques/T1548/003) 30 | 31 | ## License 32 | 33 | - `Elastic License v2` 34 | -------------------------------------------------------------------------------- /hunting/linux/queries/command_and_control_via_unusual_file_downloads_from_source_addresses.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt identifies unusual file download activities on Linux systems. It detects instances where commonly used download utilities such as curl and wget are executed with command lines that contain IP addresses, which can indicate potentially suspicious file downloads. 
5 | """ 6 | integration = ["endpoint"] 7 | uuid = "0d061fad-cf35-43a6-b9b7-986c348bf182" 8 | name = "Unusual File Downloads from Source Addresses" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Detects instances where download utilities like curl and wget are used with IP addresses in their command lines.", 13 | "Monitors for potentially suspicious file downloads, which are often seen in malicious activities.", 14 | "Uses process command line counting in conjunction with host counting to minimize false positives caused by legitimate downloads.", 15 | "The process command line count threshold is set to <= 10, and the host count threshold is set to <= 5 to balance detection and noise." 16 | ] 17 | mitre = ["T1071.001", "T1071.004"] 18 | 19 | query = [ 20 | ''' 21 | from logs-endpoint.events.process-* 22 | | where @timestamp > now() - 7 day 23 | | where host.os.type == "linux" and event.type == "start" and process.name in ("curl", "wget") and process.command_line rlike """.*[0-9]{1,3}(\.[0-9]{1,3}){3}.*""" 24 | | stats cc = count(), host_count = count_distinct(host.id) by process.command_line, process.executable 25 | | where cc <= 10 and host_count <= 5 26 | | sort cc asc 27 | | limit 100 28 | ''' 29 | ] 30 | -------------------------------------------------------------------------------- /hunting/linux/queries/defense_evasion_via_capitalized_process_execution.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt identifies potential defense evasion techniques via capitalized process execution on Linux systems. It detects processes that have two or more consecutive capital letters within their names, which can indicate an attempt to evade detection. Such naming conventions are often used in malicious payloads to blend in with legitimate processes. 
5 | """ 6 | integration = ["endpoint"] 7 | uuid = "9d485892-1ca2-464b-9e4e-6b21ab379b9a" 8 | name = "Defense Evasion via Capitalized Process Execution" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Detects processes that have two or more consecutive capital letters within their names, with optional digits.", 13 | "This technique is often used in malicious payloads, such as Metasploit payloads, to evade detection.", 14 | "Included a process count of <= 3 and a host count of <= 3 to eliminate common processes across different hosts." 15 | ] 16 | mitre = ["T1036.004", "T1070"] 17 | 18 | query = [ 19 | ''' 20 | from logs-endpoint.events.process-* 21 | | where @timestamp > now() - 10 day 22 | | where host.os.type == "linux" and event.type == "start" and event.action == "exec" and ( 23 | (process.name rlike """[A-Z]{2,}[a-z]{1,}[0-9]{0,}""") or 24 | (process.name rlike """[A-Z]{1,}[0-9]{0,}""") 25 | ) 26 | | stats cc = count(), host_count = count_distinct(host.name) by process.name 27 | // Alter this threshold to make sense for your environment 28 | | where cc <= 3 and host_count <= 3 29 | | limit 100 30 | ''' 31 | ] 32 | -------------------------------------------------------------------------------- /hunting/linux/queries/defense_evasion_via_hidden_process_execution.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt identifies hidden process executions on Linux systems. It detects processes executed from hidden files, which are often used by malicious actors to conceal their activities. By focusing on hidden files rather than directories, this hunt aims to catch stealthy processes while minimizing noise. 
5 | """ 6 | integration = ["endpoint"] 7 | uuid = "00461198-9a2d-4823-b4cc-f3d1b5c17935" 8 | name = "Hidden Process Execution" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Included only hidden files, excluding hidden directories, as hidden directories are common in Unix.", 13 | "Included a process or parent process count of <= 3, and a host count of <= 3 to eliminate common processes across different hosts.", 14 | ] 15 | mitre = ["T1036.004", "T1059"] 16 | 17 | query = [ 18 | ''' 19 | from logs-endpoint.events.process-* 20 | | where @timestamp > now() - 30 day 21 | | where host.os.type == "linux" and event.type == "start" and event.action == "exec" and 22 | process.executable rlike "/[^/]+/\\.[^/]+" 23 | | stats cc = count(), host_count = count_distinct(host.name) by process.executable, process.parent.executable, user.id 24 | // Alter this threshold to make sense for your environment 25 | | where cc <= 3 and host_count <= 3 26 | | sort cc asc 27 | | limit 100 28 | ''' 29 | ] 30 | -------------------------------------------------------------------------------- /hunting/linux/queries/defense_evasion_via_multi_dot_process_execution.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt identifies potential defense evasion techniques via multi-dot process execution on Linux systems. It looks for processes with executables that contain three or more consecutive dots in their names. Such naming conventions can be used by malicious actors to evade detection and blend in with legitimate processes. 
5 | """ 6 | integration = ["endpoint"] 7 | uuid = "11810497-8ce3-4960-9777-9d0e97052682" 8 | name = "Potential Defense Evasion via Multi-Dot Process Execution" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "This query identifies processes with executables containing three or more consecutive dots in their names.", 13 | "The process count threshold of <= 10 can be adjusted based on the environment's baseline activity." 14 | ] 15 | mitre = ["T1036.004", "T1070"] 16 | 17 | query = [ 18 | ''' 19 | from logs-endpoint.events.process-* 20 | | where @timestamp > now() - 30 day 21 | | where host.os.type == "linux" and event.type == "start" and event.action == "exec" and process.executable rlike """.*\.{3,}.*""" 22 | | stats cc = count() by process.executable 23 | // Alter this threshold to make sense for your environment 24 | | where cc <= 10 25 | | sort cc asc 26 | | limit 100 27 | ''' 28 | ] 29 | -------------------------------------------------------------------------------- /hunting/linux/queries/excessive_ssh_network_activity_unique_destinations.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt identifies excessive SSH network activity to unique destinations on Linux systems. It monitors network connections over TCP to port 22 (SSH) and counts the number of unique destination IP addresses. A high number of unique destinations could indicate suspicious activity such as discovery or lateral movement. 
5 | """ 6 | integration = ["endpoint"] 7 | uuid = "223f812c-a962-4d58-961d-134d8f8b15da" 8 | name = "Excessive SSH Network Activity to Unique Destinations" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Monitors network connections to port 22 (SSH) and counts the number of unique destination IP addresses per host and user.", 13 | "A high number of unique destinations can indicate suspicious activity such as discovery or lateral movement.", 14 | "The threshold of 10 unique destinations can be adjusted to suit the environment's baseline activity." 15 | ] 16 | mitre = ["T1021.004", "T1078.003"] 17 | 18 | query = [ 19 | ''' 20 | from logs-endpoint.events.network-* 21 | | where @timestamp > now() - 7 day 22 | | where host.os.type == "linux" and event.category == "network" and network.transport == "tcp" and destination.port == 22 and source.port >= 49152 23 | | keep destination.ip, host.id, user.name 24 | | stats count_unique_dst = count_distinct(destination.ip) by host.id, user.name 25 | // Alter this threshold to make sense for your environment 26 | | where count_unique_dst >= 10 27 | | limit 100 28 | | sort user.name asc 29 | ''' 30 | ] 31 | -------------------------------------------------------------------------------- /hunting/linux/queries/low_volume_process_injection_syscalls_by_executable.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt identifies low volume process injection-related syscalls on Linux systems. It monitors audit logs for syscalls related to process injection, such as ptrace and memfd_create. The hunt focuses on processes that make these syscalls infrequently, which can indicate potential malicious activity. 
5 | """ 6 | integration = ["endpoint"] 7 | uuid = "c9931736-d5ec-4c89-b4d2-d71dcf5ca12a" 8 | name = "Low Volume Process Injection-Related Syscalls by Process Executable" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Monitors for process injection-related syscalls such as ptrace and memfd_create.", 13 | "Counts the occurrences of these syscalls by process executable to identify processes that make these syscalls infrequently.", 14 | "Focuses on low volume occurrences to detect potential malicious activity related to process injection." 15 | ] 16 | mitre = ["T1055.001", "T1055.009"] 17 | 18 | query = [ 19 | ''' 20 | from logs-auditd_manager.auditd-*, logs-auditd.log-*, auditbeat-* 21 | | where @timestamp > now() - 30 day 22 | | where host.os.type == "linux" and auditd.data.syscall in ("ptrace", "memfd_create") 23 | | stats cc = count(*) by process.executable, auditd.data.syscall 24 | | where cc <= 10 25 | | limit 100 26 | | sort cc asc 27 | ''' 28 | ] 29 | -------------------------------------------------------------------------------- /hunting/linux/queries/persistence_via_unusual_system_binary_parent.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt identifies potential system binary hijacking attempts on Linux systems. It monitors process execution events where common system binaries such as ls, cat, mkdir, touch, mv, and cp are the parent processes. These activities can indicate attempts to hijack system binaries for malicious purposes. The hunt lists detailed information for further analysis and investigation. 
5 | """ 6 | integration = ["endpoint"] 7 | uuid = "d22cbe8f-c84d-4811-aa6d-f1ee00c806b2" 8 | name = "Unusual System Binary Parent (Potential System Binary Hijacking Attempt)" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Monitors process execution events where common system binaries such as ls, cat, mkdir, touch, mv, and cp are the parent processes.", 13 | "Focuses on identifying unusual or suspicious child processes spawned by these common system binaries.", 14 | "Uses stats to count occurrences and identify unusual activity by looking at the number of unique hosts and processes involved.", 15 | "Requires additional data analysis and investigation into results to identify malicious or unauthorized use of system binaries." 16 | ] 17 | mitre = ["T1546.004", "T1059.004"] 18 | 19 | query = [ 20 | ''' 21 | from logs-endpoint.events.process-* 22 | | where @timestamp > now() - 30 day 23 | | where host.os.type == "linux" and event.action == "exec" and event.type == "start" and process.parent.name in ("ls", "cat", "mkdir", "touch", "mv", "cp") 24 | | stats cc = count(), host_count = count_distinct(host.name) by process.parent.executable, process.executable 25 | | where host_count <= 5 26 | | sort cc asc 27 | | limit 100 28 | ''' 29 | ] 30 | -------------------------------------------------------------------------------- /hunting/linux/queries/persistence_via_user_group_creation_modification.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt identifies user and group creation or modification activities on Linux systems using OSQuery. It monitors changes to the shadow file, user and group information, and user processes. These activities can indicate potential unauthorized access or privilege escalation attempts. The hunt lists detailed information for further analysis and investigation. 
5 | """ 6 | integration = ["endpoint"] 7 | uuid = "f00c9757-d21b-432c-90a6-8372f18075d0" 8 | name = "Privilege Escalation/Persistence via User/Group Creation and/or Modification" 9 | language = ["SQL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Monitors changes to the shadow file and user/group information using OSQuery to detect potentially unauthorized access or privilege escalation attempts.", 13 | "Lists detailed information about users, including authentication status and running processes.", 14 | "Requires additional data analysis and investigation into results to identify malicious or unauthorized user and group modifications." 15 | ] 16 | mitre = ["T1136", "T1136.001", "T1136.002"] 17 | 18 | query = [ 19 | ''' 20 | SELECT * FROM shadow 21 | ''', 22 | ''' 23 | SELECT * FROM shadow 24 | WHERE password_status != "locked" 25 | ''', 26 | ''' 27 | SELECT username, gid, uid, shell, description FROM users 28 | WHERE username != 'root' AND uid LIKE "0" 29 | ''', 30 | ''' 31 | SELECT * FROM users WHERE username = "newuser" 32 | ''', 33 | ''' 34 | SELECT * FROM logged_in_users WHERE user = "newuser" 35 | ''', 36 | ''' 37 | SELECT pid, username, name FROM processes p JOIN users u ON u.uid = p.uid ORDER BY username 38 | ''' 39 | ] 40 | -------------------------------------------------------------------------------- /hunting/linux/queries/privilege_escalation_via_existing_sudoers.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt identifies entries in the sudoers file on Linux systems using OSQuery. The sudoers file controls which users have administrative privileges and can be a target for attackers seeking to escalate their privileges. This hunt lists all sudoers rules for further analysis. 
5 | """ 6 | integration = ["endpoint"] 7 | uuid = "6e57e6a6-f150-405d-b8be-e4e666a3a86d" 8 | name = "Privilege Escalation Identification via Existing Sudoers File" 9 | language = ["SQL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Lists all entries in the sudoers file using OSQuery to detect potentially unauthorized or suspicious rules.", 13 | "Requires additional data analysis and investigation into results to identify malicious or misconfigured sudoers entries.", 14 | "Focuses on monitoring and analyzing administrative privileges granted through the sudoers file." 15 | ] 16 | mitre = ["T1548.003"] 17 | 18 | query = [ 19 | ''' 20 | SELECT * FROM sudoers 21 | ''' 22 | ] 23 | -------------------------------------------------------------------------------- /hunting/llm/docs/aws_bedrock_sensitive_content_refusal_detection.md: -------------------------------------------------------------------------------- 1 | # AWS Bedrock LLM Sensitive Content Refusals 2 | 3 | --- 4 | 5 | ## Metadata 6 | 7 | - **Author:** Elastic 8 | - **Description:** This analytic flags multiple instances of LLM refusals to respond to sensitive prompts, helping to maintain ethical guidelines and compliance standards. 
9 | - **UUID:** `11e33a8f-805b-4394-bee0-08ae8d78b025` 10 | - **Integration:** [aws_bedrock.invocation](https://docs.elastic.co/integrations/aws_bedrock) 11 | - **Language:** `[ES|QL]` 12 | - **Source File:** [AWS Bedrock LLM Sensitive Content Refusals](../queries/aws_bedrock_sensitive_content_refusal_detection.toml) 13 | 14 | ## Query 15 | 16 | ```sql 17 | from logs-aws_bedrock.invocation-* 18 | | WHERE @timestamp > NOW() - 1 DAY 19 | AND ( 20 | gen_ai.completion LIKE "*I cannot provide any information about*" 21 | AND gen_ai.completion LIKE "*end_turn*" 22 | ) 23 | | STATS user_request_count = count() BY gen_ai.user.id 24 | | WHERE user_request_count >= 3 25 | ``` 26 | 27 | ## Notes 28 | 29 | - Examine flagged interactions for patterns or anomalies in user requests that may indicate malicious intent or probing of model boundaries. 30 | - Regularly review and update the phrases that trigger refusals to adapt to new ethical guidelines and compliance requirements. 31 | - Ensure that data logs contain enough detail to provide context around the refusal, which will aid in subsequent investigations by security teams. 32 | 33 | ## MITRE ATT&CK Techniques 34 | 35 | - [AML.T0051](https://atlas.mitre.org/techniques/AML.T0051) 36 | 37 | ## References 38 | 39 | - https://www.elastic.co/security-labs/elastic-advances-llm-security 40 | - https://owasp.org/www-project-top-10-for-large-language-model-applications/ 41 | 42 | ## License 43 | 44 | - `Elastic License v2` 45 | -------------------------------------------------------------------------------- /hunting/llm/queries/aws_bedrock_latency_anomalies_detection.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This analytic helps identify delays in LLM responses that are outside expected performance parameters, possibly due to malicious disruptions like DDoS attacks or from operational inefficiencies. 
5 | """ 6 | integration = ["aws_bedrock.invocation"] 7 | uuid = "991b55c3-6327-4af6-8e0c-5d4870748369" 8 | name = "AWS Bedrock LLM Latency Anomalies" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | query = [ 12 | ''' 13 | from logs-aws_bedrock.invocation-* 14 | | WHERE @timestamp > NOW() - 1 DAY 15 | | EVAL response_delay_seconds = gen_ai.performance.start_response_time / 1000 16 | | WHERE response_delay_seconds > 5 17 | | STATS max_response_delay = max(response_delay_seconds), 18 | request_count = count() BY gen_ai.user.id 19 | | WHERE request_count > 3 20 | | SORT max_response_delay DESC 21 | ''' 22 | ] 23 | notes = [ 24 | "Review the incidents flagged by this analytic to understand the context and potential sources of latency. This can include network configurations, resource allocation, or external network pressures.", 25 | "Effective logging and monitoring setup are essential to capture relevant latency metrics accurately. Ensure system clocks and time syncing are properly configured to avoid false positives.", 26 | "Gather comprehensive logs that detail the request and response timestamps, user IDs, and session details for thorough investigation and evidence collection in case of security incidents." 27 | ] 28 | mitre = ["AML.T0029"] 29 | references = ["https://www.elastic.co/security-labs/elastic-advances-llm-security", 30 | "https://owasp.org/www-project-top-10-for-large-language-model-applications/"] 31 | -------------------------------------------------------------------------------- /hunting/llm/queries/aws_bedrock_sensitive_content_refusal_detection.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = "This analytic flags multiple instances of LLM refusals to respond to sensitive prompts, helping to maintain ethical guidelines and compliance standards." 
4 | integration = ["aws_bedrock.invocation"] 5 | uuid = "11e33a8f-805b-4394-bee0-08ae8d78b025" 6 | name = "AWS Bedrock LLM Sensitive Content Refusals" 7 | language = ["ES|QL"] 8 | license = "Elastic License v2" 9 | query = [ 10 | ''' 11 | from logs-aws_bedrock.invocation-* 12 | | WHERE @timestamp > NOW() - 1 DAY 13 | AND ( 14 | gen_ai.completion LIKE "*I cannot provide any information about*" 15 | AND gen_ai.completion LIKE "*end_turn*" 16 | ) 17 | | STATS user_request_count = count() BY gen_ai.user.id 18 | | WHERE user_request_count >= 3 19 | ''' 20 | ] 21 | notes = [ 22 | "Examine flagged interactions for patterns or anomalies in user requests that may indicate malicious intent or probing of model boundaries.", 23 | "The matched refusal phrase and the `end_turn` marker are specific to the model's response format; regularly review and update the phrases that trigger refusals as models change and to adapt to new ethical guidelines and compliance requirements, otherwise the hunt silently stops matching.", 24 | "Ensure that data logs contain enough detail to provide context around the refusal, which will aid in subsequent investigations by security teams." 25 | ] 26 | mitre = ["AML.T0051"] 27 | references = ["https://www.elastic.co/security-labs/elastic-advances-llm-security", 28 | "https://owasp.org/www-project-top-10-for-large-language-model-applications/"] 29 | -------------------------------------------------------------------------------- /hunting/macos/queries/command_and_control_suspicious_executable_file_creation_via_python.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | name = "Suspicious Executable File Creation via Python" 4 | uuid = "9aaf1113-cf7a-4fd7-b796-f6456fdaffb5" 5 | description = """ 6 | Detects suspicious creation of executable files by Python processes in commonly abused directories 7 | on macOS systems. These locations, such as /Users/Shared, /tmp, or /private/tmp, are frequently used by adversaries 8 | and post-exploitation frameworks to stage or drop payloads. 
The detection leverages the Mach-O magic bytes (`cffaedfe` for 64-bit Mach-O, `cafebabe` for universal/fat binaries) 9 | to confirm executables are written to disk. Note that `cafebabe` is also the Java class-file magic, so `.class` writes can surface, and ELF files are not matched by this hunt. 10 | """ 11 | integration = ["endpoint"] 12 | language = ["EQL"] 13 | license = "Elastic License v2" 14 | mitre = ["T1059.006", "T1105"] 15 | notes = [ 16 | "Creation or modification of executable binaries in these directories is odd and rare in normal operations.", 17 | "This hunt is useful for detecting dropper-style behavior during post-exploitation or initial access." 18 | ] 19 | query = [ 20 | ''' 21 | file where event.action == "modification" and 22 | process.name like~ "python*" and 23 | file.Ext.header_bytes like~ ("cffaedfe*", "cafebabe*") and 24 | file.path like ("/Users/Shared/*", "/tmp/*", "/private/tmp/*", "/Users/*/Public/*") and 25 | not file.extension in ("dylib", "so") 26 | ''' 27 | ] 28 | references = [ 29 | "https://www.elastic.co/security-labs/dprk-code-of-conduct", 30 | "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/", 31 | "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34", 32 | "https://x.com/safe/status/1897663514975649938", 33 | "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/" 34 | ] 35 | -------------------------------------------------------------------------------- /hunting/macos/queries/defense_evasion_python_library_load_and_delete.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | name = "Python Library Load and Delete" 4 | uuid = "76a1f901-4495-4cbd-a35a-7ff8d116602b" 5 | description = """ 6 | Detects when a Python process loads a library from a user's home directory and then deletes that library within a short time window. This may indicate an attempt to execute malicious code in memory and remove evidence from disk as a form of defense evasion. 
7 | """ 8 | integration = ["endpoint"] 9 | language = ["EQL"] 10 | license = "Elastic License v2" 11 | mitre = ["T1059.006", "T1070.004"] 12 | notes = [ 13 | "This hunting rule helps identify potential in-memory execution or anti-forensic behavior by Python-based malware.", 14 | "Library load followed by quick deletion is suspicious, especially in user directories. Note that `process.name like~ \"python\"` has no wildcard and so matches only a process named exactly `python` (case-insensitively); versioned interpreters such as `python3` are missed unless the pattern is widened to `python*` as in the sibling Python hunts.", 15 | "Consider pivoting on `process.entity_id` to examine surrounding process activity and file writes." 16 | ] 17 | query = [ 18 | ''' 19 | sequence by process.entity_id with maxspan=15s 20 | [library where event.action == "load" and dll.path like "/Users/*" and process.name like~ "python"] 21 | [file where event.action == "deletion" and startswith~(file.path, dll.path)] 22 | ''' 23 | ] 24 | references = [ 25 | "https://www.elastic.co/security-labs/dprk-code-of-conduct", 26 | "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/", 27 | "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34", 28 | "https://x.com/safe/status/1897663514975649938", 29 | "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/" 30 | ] -------------------------------------------------------------------------------- /hunting/macos/queries/defense_evasion_self_deleted_python_script_accessing_sensitive_files.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | name = "Self-Deleted Python Script Accessing Sensitive Files" 4 | uuid = "7ab00c3d-0ed3-4e4b-9806-b19959bf6b12" 5 | description = """ 6 | Detects access to potentially sensitive files by a Python script that deletes itself from disk. This behavior is characteristic of sophisticated malware that executes from memory and avoids leaving behind forensic artifacts. Notably used in high-profile DPRK-linked financial heists. 
7 | """ 8 | integration = ["endpoint"] 9 | language = ["EQL"] 10 | license = "Elastic License v2" 11 | mitre = ["T1059.006", "T1070.004", "T1552.001"] 12 | notes = [ 13 | "This hunt detects Python processes that delete a `.py`/`.pyc` file and then open other files within 15 seconds. Note that the first stage matches deletion of any `.py`/`.pyc` by a Python process, not only the running script; compare `file.path` with `process.args` to confirm genuine self-deletion.", 14 | "As written, the second stage matches any file open by the same process, so results will include ordinary module and data reads; add `file.path` filters (e.g., AWS credentials, SSH keys, keychains) to restrict results to access to specific secrets in your environment.", 15 | "Ideal for detecting evasive memory-resident malware and credential theft operations." 16 | ] 17 | query = [ 18 | ''' 19 | sequence by process.entity_id with maxspan=15s 20 | [file where event.action == "deletion" and file.extension in ("py", "pyc") and process.name like~ "python*"] 21 | [file where event.action == "open"] 22 | ''' 23 | ] 24 | references = [ 25 | "https://www.elastic.co/security-labs/dprk-code-of-conduct", 26 | "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/", 27 | "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34", 28 | "https://x.com/safe/status/1897663514975649938", 29 | "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/" 30 | ] -------------------------------------------------------------------------------- /hunting/macos/queries/defense_evasion_self_deleting_python_script.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | name = "Self-Deleting Python Script" 4 | uuid = "6461f45e-b03f-4756-94d2-34a210caeb78" 5 | description = """ 6 | Detects when a Python script is executed and then deletes itself within a short time window. This behavior is often observed in malware used by DPRK threat actors to remove traces post-execution and avoid detection. 
7 | """ 8 | integration = ["endpoint"] 9 | language = ["EQL"] 10 | license = "Elastic License v2" 11 | mitre = ["T1059.006", "T1070.004"] 12 | notes = [ 13 | "Self-deletion of Python scripts is commonly used to evade detection and forensic recovery.", 14 | "This hunt is effective at uncovering ephemeral post-exploitation scripts or loaders.", 15 | "You may pivot on `file.path`, `process.args`, and `process.executable` to understand intent and targets." 16 | ] 17 | query = [ 18 | ''' 19 | sequence by process.entity_id with maxspan=10s 20 | [process where event.type == "start" and event.action == "exec" and 21 | process.name like~ "python*" and process.args_count == 2 and 22 | process.args like ("/Users/Shared/*.py", "/tmp/*.py", "/private/tmp/*.py", "/Users/*/Public/*.py")] 23 | [file where event.action == "deletion" and 24 | file.extension in ("py", "pyc") and 25 | file.path like ("/Users/Shared/*", "/tmp/*", "/private/tmp/*", "/Users/*/Public/*")] 26 | ''' 27 | ] 28 | references = [ 29 | "https://www.elastic.co/security-labs/dprk-code-of-conduct", 30 | "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/", 31 | "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34", 32 | "https://x.com/safe/status/1897663514975649938", 33 | "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/" 34 | ] -------------------------------------------------------------------------------- /hunting/macos/queries/execution_python_script_drop_and_execute.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | name = "Python Script Drop and Execute" 4 | uuid = "76f10746-9527-4c99-8ed8-491085ecdcfd" 5 | description = """ 6 | Detects when a Python script is written to disk within a user's home directory and then immediately executed by the same process lineage. 
This pattern is commonly observed in initial access payload delivery or script-based malware staging. 7 | """ 8 | integration = ["endpoint"] 9 | language = ["EQL"] 10 | license = "Elastic License v2" 11 | mitre = ["T1059.006", "T1105"] 12 | notes = [ 13 | "This hunt is designed to catch malicious tooling written and executed rapidly by Python processes.", 14 | "This technique is often used by downloaders or droppers that write staging scripts and immediately run them.", 15 | "Consider pivoting on `process.entity_id` and `file.path` to view subsequent behavior." 16 | ] 17 | query = [ 18 | ''' 19 | sequence with maxspan=15s 20 | [file where event.action == "modification" and process.name like~ "python*" and 21 | file.extension == "py" and file.path like "/Users/*"] by process.entity_id 22 | [process where event.type == "start" and event.action == "exec" and 23 | process.args_count == 2 and process.args like "/Users/*"] by process.parent.entity_id 24 | ''' 25 | ] 26 | references = [ 27 | "https://www.elastic.co/security-labs/dprk-code-of-conduct", 28 | "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/", 29 | "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34", 30 | "https://x.com/safe/status/1897663514975649938", 31 | "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/" 32 | ] -------------------------------------------------------------------------------- /hunting/macos/queries/execution_suspicious_executable_file_modification_via_docker.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | name = "Suspicious Executable File Modification via Docker" 4 | uuid = "f5b1afc4-207c-11f0-aa05-f661ea17fbcd" 5 | description = """ 6 | Detects when Docker or Docker Desktop processes modify executable files within user-accessible or temporary directories. 
These locations are commonly used by attackers to stage payloads or drop binaries during post-exploitation activity. 7 | """ 8 | integration = ["endpoint"] 9 | language = ["EQL"] 10 | license = "Elastic License v2" 11 | mitre = ["T1105", "T1204.002"] 12 | notes = [ 13 | "Executable file writes from Docker processes in user or temp directories are suspicious in most environments, although containers that build binaries into a bind-mounted host directory (e.g., a project under Documents) may do this legitimately; baseline those cases first.", 14 | "This behavior may indicate container escape attempts, tool staging, or post-exploitation binary drops.", 15 | "The header byte patterns 'cffaedfe' (64-bit Mach-O) and 'cafebabe' (Mach-O universal/fat binaries) help identify actual executables being written. Note that 'cafebabe' is also the Java class-file magic, so `.class` files written by containerised Java builds can match and may need to be excluded on `file.extension`." 16 | ] 17 | query = [ 18 | ''' 19 | file where event.action == "modification" and 20 | (process.name in ("docker", "Docker Desktop") or process.name like "com.docker*") and 21 | file.Ext.header_bytes like~ ("cffaedfe*", "cafebabe*") and 22 | file.path like ("/tmp/*", "/private/tmp/*", "/Users/Shared/*", "/Users/*/Public/*", "/Users/*/Downloads/*", "/Users/*/Desktop/*", "/Users/*/Documents/*") 23 | ''' 24 | ] 25 | references = [ 26 | "https://www.elastic.co/security-labs/dprk-code-of-conduct", 27 | "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/", 28 | "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34", 29 | "https://x.com/safe/status/1897663514975649938", 30 | "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/" 31 | ] -------------------------------------------------------------------------------- /hunting/macos/queries/execution_suspicious_file_access_via_docker.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | name = "Sensitive File Access via Docker" 4 | uuid = "fb136106-207c-11f0-aa05-f661ea17fbcd" 5 | description = """ 6 | Detects Docker or Docker Desktop processes accessing potentially sensitive host files, including SSH keys, cloud provider credentials, browser data, 
or crypto wallet files. This behavior may indicate container escape attempts, data harvesting from the host, or misconfigured volume mounts exposing secrets. 7 | """ 8 | integration = ["endpoint"] 9 | language = ["EQL"] 10 | license = "Elastic License v2" 11 | mitre = ["T1083", "T1552.001"] 12 | notes = [ 13 | "Docker processes accessing sensitive host files may suggest attempts to harvest credentials from the host system.", 14 | "As written, the query returns every file opened by a Docker process except `System.keychain` and `login.keychain-db` (presumably excluded to suppress routine Docker Desktop keychain access), so expect high volume; narrow it by adding `file.path` filters for `.aws/credentials`, `.ssh/id_rsa`, `keychain`, or `Cookies`.", 15 | "Consider filtering legitimate developer use cases or adjusting for specific containers if needed." 16 | ] 17 | query = [ 18 | ''' 19 | file where event.action == "open" and 20 | (process.name in ("docker", "Docker Desktop") or process.name like "com.docker*") and 21 | not file.name in ("System.keychain", "login.keychain-db") 22 | ''' 23 | ] 24 | references = [ 25 | "https://www.elastic.co/security-labs/dprk-code-of-conduct", 26 | "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/", 27 | "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34", 28 | "https://x.com/safe/status/1897663514975649938", 29 | "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/" 30 | ] -------------------------------------------------------------------------------- /hunting/macos/queries/execution_unusual_library_load_via_python.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | name = "Unusual Library Load via Python" 4 | uuid = "d9b30b84-dc53-413c-a7e4-f42078b10048" 5 | description = """ 6 | Detects when a library is loaded from a user's home directory by a Python process and the loaded file is not a typical shared object (.so) or dynamic library (.dylib). This may indicate side-loading of malicious or non-standard files in script-based execution environments. 
7 | """ 8 | integration = ["endpoint"] 9 | language = ["EQL"] 10 | license = "Elastic License v2" 11 | mitre = ["T1059.006"] 12 | notes = [ 13 | "Loading libraries from /Users is rare and may suggest untrusted or attacker-deployed components.", 14 | "This hunt helps uncover suspicious Python-driven library loads that bypass traditional extension-based detection.", 15 | "Consider tuning to exclude known development or research environments that store legitimate libraries in home directories." 16 | ] 17 | query = [ 18 | ''' 19 | library where event.action == "load" and 20 | dll.path like "/Users/*" and 21 | process.name like~ "python*" and 22 | not dll.name : ("*.so", "*.dylib") 23 | ''' 24 | ] 25 | references = [ 26 | "https://www.elastic.co/security-labs/dprk-code-of-conduct", 27 | "https://unit42.paloaltonetworks.com/slow-pisces-new-custom-malware/", 28 | "https://slowmist.medium.com/cryptocurrency-apt-intelligence-unveiling-lazarus-groups-intrusion-techniques-a1a6efda7d34", 29 | "https://x.com/safe/status/1897663514975649938", 30 | "https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/" 31 | ] -------------------------------------------------------------------------------- /hunting/macos/queries/persistence_via_suspicious_launch_agent_or_launch_daemon_with_low_occurrence.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt looks for persistence via Launch agent or daemon where the distribution is limited to one unique host. 
5 | """ 6 | integration = ["endpoint"] 7 | uuid = "69fc4f40-8fb1-4652-99b7-52755cd370fe" 8 | name = "Low Occurrence of Suspicious Launch Agent or Launch Daemon" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Further investigation can be done pivoting by `Persistence.name` and `args`.", 13 | ] 14 | mitre = [ "T1547", "T1547.011", "T1543", "T1543.001", "T1543.004"] 15 | query = [ 16 | ''' 17 | from logs-endpoint.events.file-* 18 | | where @timestamp > now() - 7 day 19 | | where host.os.family == "macos" and event.category == "file" and event.action == "launch_daemon" and 20 | (Persistence.runatload == true or Persistence.keepalive == true) and process.executable is not null 21 | | eval args = MV_CONCAT(Persistence.args, ",") 22 | /* normalizing users home profile */ 23 | | eval args = replace(args, """/Users/[a-zA-Z0-9ñ\.\-\_\$~ ]+/""", "/Users/user/") 24 | | stats agents = count_distinct(host.id), total = count(*) by process.name, Persistence.name, args 25 | | where starts_with(args, "/") and agents == 1 and total == 1 26 | ''' 27 | ] -------------------------------------------------------------------------------- /hunting/okta/queries/credential_access_mfa_bombing_push_notications.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunting query identifies MFA bombing attacks in Okta. Adversaries may attempt to flood a user with multiple MFA push notifications to disrupt operations or gain unauthorized access to accounts. This query identifies when a user has 5 or more MFA deny push notifications in a 10 minute window (`deny_push_count >= 5`). 
5 | """ 6 | integration = ["okta"] 7 | uuid = "223451b0-6eca-11ef-a070-f661ea17fbcc" 8 | name = "Rapid MFA Deny Push Notifications (MFA Bombing)" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "`okta.actor.alternate_id` is the targeted user account.", 13 | "Pivot and search for `event.action` is `user.authentication.auth_via_mfa` to determine if the target user accepted the MFA push notification.", 14 | "If a MFA bombing attack is suspected, treat the target's password as compromised: Okta only sends a push after the primary factor (username and password) has succeeded, so the adversary already holds valid credentials. Because the query uses fixed 10 minute `DATE_TRUNC` buckets, a burst that straddles a bucket boundary is split across two windows and can fall below the threshold.", 15 | ] 16 | mitre = ['T1621'] 17 | query = [ 18 | """ 19 | from logs-okta* 20 | | where @timestamp > NOW() - 7 day 21 | 22 | // Truncate the timestamp to 10 minute windows 23 | | eval target_time_window = DATE_TRUNC(10 minutes, @timestamp) 24 | 25 | // Filter for MFA deny push notifications 26 | | where event.action == "user.mfa.okta_verify.deny_push" 27 | 28 | // Count the number of MFA deny push notifications for each user in each 10 minute window 29 | | stats deny_push_count = count(*) by target_time_window, okta.actor.alternate_id 30 | 31 | // Filter for users with more than 5 MFA deny push notifications 32 | | where deny_push_count >= 5 33 | """ 34 | ] -------------------------------------------------------------------------------- /hunting/okta/queries/initial_access_impossible_travel_sign_on.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunting query identifies when a user successfully signs on from more than one country within the same one-hour window (the query truncates timestamps with `DATE_TRUNC(1 hours, ...)`; shorten the interval for a stricter check). Adversaries may compromise authentication credentials for users or clients and attempt to authenticate from a separate country that the user has not previously authenticated from. 
5 | """ 6 | integration = ["okta"] 7 | uuid = "31585786-71f4-11ef-9e99-f661ea17fbcc" 8 | name = "Successful Impossible Travel Sign-On Events" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "`okta.actor.alternate_id` is the user account targeted by the threat adversary.", 13 | "Pivoting into a potential compromise requires an additional search for `okta.outcome.result` being `SUCCESS` for any `user.authentication*` value for `okta.event_type`", 14 | "Pivot to any additional Okta logs after authentication to determine if activity is still being reported by separate countries. A distinct-country count is only a proxy for impossible travel: VPN egress changes, mobile roaming, and users near a border can legitimately produce two countries in one window, and a pair of sign-ons that straddle a fixed `DATE_TRUNC` boundary will not be counted together." 15 | ] 16 | mitre = ['T1078.004'] 17 | query = [''' 18 | from logs-okta.system* 19 | | where @timestamp > NOW() - 7 day 20 | | where event.dataset == "okta.system" 21 | 22 | // filter on successful sign-on events only 23 | and okta.event_type == "policy.evaluate_sign_on" 24 | and okta.outcome.result in ("ALLOW", "SUCCESS") 25 | 26 | // Truncate the timestamp to 1 hour intervals 27 | | eval time_window = DATE_TRUNC(1 hours, @timestamp) 28 | 29 | // Count the number of successful sign-on events for each user every 15 minutes 30 | | stats country_count = count_distinct(client.geo.country_name) by okta.actor.alternate_id, time_window 31 | 32 | // Filter for users who sign on from more than one country in a 15 minute interval 33 | | where country_count >= 2 34 | '''] -------------------------------------------------------------------------------- /hunting/okta/queries/persistence_multi_factor_push_notification_bombing.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunting query identifies when a user denies multiple push notifications for multi-factor authentication (MFA) in rapid succession. Adversaries who already hold a user's primary credentials may repeatedly trigger push notifications to flood the target user's device, causing the user to ignore legitimate notifications, approve a malicious prompt out of fatigue, or potentially disable MFA. 
This query identifies when a user denies more than 5 push notifications in a single hour. 5 | """ 6 | integration = ["okta"] 7 | uuid = "7c51fe3e-6ae9-11ef-919d-f661ea17fbcc" 8 | name = "Multi-Factor Authentication (MFA) Push Notification Bombing" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "`okta.actor.alternate_id` is the user account targeted by the threat adversary.", 13 | "Pivoting into a potential compromise requires an additional search for `okta.outcome.result` being `SUCCESS` for any `user.authentication*` value for `okta.event_type`", 14 | "For a smaller window (rapid denies), reduce the `date_trunc` interval from 1 hour to 30 minutes or lower. Note that the window is bucketed on `event.ingested` rather than `@timestamp`, so ingestion lag can shift events between hourly buckets; use `@timestamp` if event-time accuracy matters." 15 | ] 16 | mitre = ['T1556.006'] 17 | query = [''' 18 | from logs-okta.system* 19 | | where @timestamp > NOW() - 7 day 20 | 21 | // Filter for deny push notifications for multi-factor authentication 22 | | where event.dataset == "okta.system" and event.action == "user.mfa.okta_verify.deny_push" 23 | 24 | // Truncate the timestamp to hourly intervals 25 | | eval hourly_count = date_trunc(1 hour, event.ingested) 26 | 27 | // Count the number of deny push notifications for each user every hour 28 | | stats hourly_denies = count(*) by okta.actor.alternate_id, hourly_count 29 | 30 | // Filter for users who deny more than 5 push notifications in a single hour 31 | | where hourly_denies > 5 32 | '''] -------------------------------------------------------------------------------- /hunting/windows/docs/createremotethread_by_source_process_with_low_occurrence.md: -------------------------------------------------------------------------------- 1 | # Low Occurrence Rate of CreateRemoteThread by Source Process 2 | 3 | --- 4 | 5 | ## Metadata 6 | 7 | - **Author:** Elastic 8 | - **Description:** This hunt attempts to identify remote process injection by aggregating Sysmon `CreateRemoteThread` events by source process and returns the ones that we observed in only one unique host. 
9 | - **UUID:** `4f878255-53b8-4914-9a7d-4b668bd2ea6a` 10 | - **Integration:** [windows](https://docs.elastic.co/integrations/windows) 11 | - **Language:** `[ES|QL]` 12 | - **Source File:** [Low Occurrence Rate of CreateRemoteThread by Source Process](../queries/createremotethread_by_source_process_with_low_occurrence.toml) 13 | 14 | ## Query 15 | 16 | ```sql 17 | from logs-windows.sysmon_operational-* 18 | | where @timestamp > now() - 7 day 19 | | where host.os.family == "windows" and event.category == "process" and event.action == "CreateRemoteThread" 20 | | eval source_process = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") 21 | | stats cc = count(*), hosts = count_distinct(host.id) by source_process 22 | /* unique source and target processes combined and observed in 1 host */ 23 | | where hosts == 1 and cc == 1 24 | ``` 25 | 26 | ## Notes 27 | 28 | - Adding `winlog.event_data.TargetImage` to the aggregation clause can be beneficial but may introduce more false-positives. 29 | 30 | ## MITRE ATT&CK Techniques 31 | 32 | - [T1055](https://attack.mitre.org/techniques/T1055) 33 | 34 | ## License 35 | 36 | - `Elastic License v2` 37 | -------------------------------------------------------------------------------- /hunting/windows/queries/createremotethread_by_source_process_with_low_occurrence.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = "This hunt attempts to identify remote process injection by aggregating Sysmon `CreateRemoteThread` events by source process and returns the ones that we observed in only one unique host." 
4 | integration = ["windows"] 5 | uuid = "4f878255-53b8-4914-9a7d-4b668bd2ea6a" 6 | name = "Low Occurrence Rate of CreateRemoteThread by Source Process" 7 | language = ["ES|QL"] 8 | license = "Elastic License v2" 9 | notes = [ 10 | "Adding `winlog.event_data.TargetImage` to the aggregation clause can be beneficial but may introduce more false-positives.", 11 | ] 12 | mitre = ["T1055"] 13 | query = [ 14 | ''' 15 | from logs-windows.sysmon_operational-* 16 | | where @timestamp > now() - 7 day 17 | | where host.os.family == "windows" and event.category == "process" and event.action == "CreateRemoteThread" 18 | | eval source_process = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9ñ\.\-\_\$~ ]+\\""", "C:\\\\users\\\\user\\\\") 19 | | stats cc = count(*), hosts = count_distinct(host.id) by source_process 20 | /* unique source and target processes combined and observed in 1 host */ 21 | | where hosts == 1 and cc == 1 22 | ''' 23 | ] -------------------------------------------------------------------------------- /hunting/windows/queries/excessive_smb_network_activity_by_process_id.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt looks for a high occurrence of SMB connections from the same process by unique destination IP addresses. The number of unique destination IP addresses is compared to a defined threshold. This could be a sign of SMB scanning or lateral movement via remote services that depend on the SMB protocol. 
5 | """ 6 | integration = ["endpoint", "windows"] 7 | uuid = "8a95f552-f149-4c71-888e-f2690f5add15" 8 | name = "Excessive SMB Network Activity by Process ID" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Further investigation can done pivoting by `process.entity_id` and `host.id.`", 13 | "Maximum number of unique `destination.ip` by process can be adjusted to your environment to reduce normal noisy hosts by process ID.",] 14 | mitre = [ "T1021", "T1021.002",] 15 | query = [ 16 | ''' 17 | from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* 18 | | where @timestamp > now() - 7 day and 19 | host.os.family == "windows" and event.category == "network" and network.direction == "egress" and 20 | network.transport == "tcp"and destination.port == 445 and source.port >= 49152 and process.pid == 4 21 | | keep destination.ip, process.entity_id, host.id 22 | | stats count_unique_dst = count_distinct(destination.ip) by process.entity_id, host.id 23 | /* threshold set to 20 but can be adjusted to reduce normal baseline in your env */ 24 | | where count_unique_dst >= 20 25 | ''' 26 | ] -------------------------------------------------------------------------------- /hunting/windows/queries/execution_via_remote_services_by_client_address.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt aggregates process execution via remote network logon by source address, account name and where the parent process is related to remote services such as WMI, WinRM, DCOM and remote PowerShell. This may indicate lateral movement via remote services. 
5 | """ 6 | integration = ["endpoint"] 7 | uuid = "5fd5da54-0515-4d6b-b8d7-30fd05f5be33" 8 | name = "Execution via Remote Services by Client Address" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "`process.Ext.session_info.*` is populated for Elastic Defend versions 8.6.0+.", 13 | ] 14 | mitre = [ "T1021", "T1021.003", "T1021.006", "T1047"] 15 | 16 | query = [ 17 | ''' 18 | from logs-endpoint.events.process-* 19 | | where @timestamp > now() - 7 day and host.os.family == "windows" and 20 | event.category == "process" and event.action == "start" and 21 | /* network logon type */ 22 | process.Ext.session_info.logon_type == "Network" and 23 | (process.parent.name .caseless in ("wmiprvse.exe", "wsmprovhost.exe", "winrshost.exe") or (process.parent.name == "svchost.exe" and process.parent.args == "DcomLaunch")) 24 | | stats total = count(*), hosts = count_distinct(host.id) by process.Ext.session_info.client_address, user.name, process.parent.name 25 | /* sort by top source.ip and account */ 26 | | sort total desc 27 | ''' 28 | ] -------------------------------------------------------------------------------- /hunting/windows/queries/execution_via_windows_scheduled_task_with_low_occurrence_frequency.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | Aggregating by paths/hash, this hunt identifies rare instances where a program executes as a child process of the Tasks Scheduler service. This could be the result of persistence as a Windows Scheduled Task. 
5 | """ 6 | integration = ["endpoint", "windows"] 7 | uuid = "0d960760-8a40-49c1-bbdd-4deb32c7fd67" 8 | name = "Low Frequency of Process Execution via Windows Scheduled Task by Unique Agent" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Windows security event 4688 lacks `process.parent.command_line` needed for this hunt to identify the Schedule `svchost` instance.", 13 | "Unique `process.hash.sha256` and agent is not necessarily malicious, however this helps surface signals worth further investigation.", 14 | ] 15 | mitre = [ "T1053", "T1053.005"] 16 | query = [ 17 | ''' 18 | from logs-endpoint.events.process-*, logs-windows.sysmon_operational-* 19 | | where @timestamp > now(-) - 7 day 20 | | where host.os.family == "windows" and event.category == "process" and 21 | event.action in ("start", "Process creation") and process.code_signature.trusted != true and 22 | /* child process of the Tasks Schedule service */ 23 | process.parent.name == "svchost.exe" and ends_with(process.parent.command_line, "Schedule") 24 | | stats hosts = count_distinct(host.id) by process.hash.sha256, process.name 25 | /* unique hash observed in one unique agent */ 26 | | where hosts == 1 27 | ''' 28 | ] -------------------------------------------------------------------------------- /hunting/windows/queries/microsoft_office_child_processes_with_low_occurrence_frequency.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt looks for Microsoft Office child processes with low occurrence frequency. This could be a normal rare behavior as well as potential execution via a malicious document. Adversaries may use Microsoft Office applications to execute malicious code, such as macros, scripts, or other payloads. 
5 | """ 6 | integration = ["endpoint", "windows", "system"] 7 | uuid = "f1b8519a-4dae-475f-965a-f53559233eab" 8 | name = "Microsoft Office Child Processes with Low Occurrence Frequency by Unique Agent" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Certain processes like `WerFault.exe`, `dw20.exe` and `dwwin.exe` are often related to application crash.", 13 | "Closer attention should be attributed to lolbins and unsigned executables (Windows 4688 is not capturing process code signature information).", 14 | ] 15 | mitre = [ "T1566", "T1566.001"] 16 | query = [ 17 | ''' 18 | from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* 19 | | where host.os.family == "windows" and @timestamp > NOW() - 15 day and 20 | event.category == "process" and event.action in ("start", "Process creation", "created-process") and 21 | to_lower(process.parent.name) in ("winword.exe", "excel.exe", "powerpnt.exe") and not starts_with(process.executable, "C:\\Program Files") 22 | // normalize user home profile paths 23 | | eval process_path = replace(to_lower(process.executable), """[c]:\\[u][s][e][r][s]\\[a-zA-Z0-9\.\-\_\$]+\\""", "c:\\\\users\\\\user\\\\") 24 | | stats occurrences = count(*), agents = count_distinct(agent.id) by process_path, process.parent.name 25 | | where occurrences == 1 and agents == 1 26 | ''' 27 | ] -------------------------------------------------------------------------------- /hunting/windows/queries/pe_file_transfer_via_smb_admin_shares_by_agent.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt looks for a high number of executable file transfers via the SMB protocol by the same user or agent to more than a defined maxium threshold of targets. This could be a sign of lateral movement via the Windows Admin Shares. 
5 | """ 6 | integration = ["endpoint"] 7 | uuid = "814894a4-c951-4f33-ab0b-09354e1cb957" 8 | name = "PE File Transfer via SMB_Admin Shares by Agent or User" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Further investigation can done pivoting by `host.id` and `user.name`.", 13 | ] 14 | mitre = [ "T1021", "T1021.002"] 15 | query = [ 16 | ''' 17 | from logs-endpoint.events.file-* 18 | | where @timestamp > now() - 7 day 19 | | where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and 20 | starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) 21 | | stats agents = count_distinct(host.id), total = count(*) by user.name 22 | | where agents == 1 and total <= 3 23 | ''', 24 | ''' 25 | from logs-endpoint.events.file-* 26 | | where @timestamp > now() - 7 day 27 | | where host.os.family == "windows" and event.category == "file" and event.action != "deletion" and process.pid == 4 and 28 | starts_with(file.Ext.header_bytes, "4d5a*") and (starts_with(user.id, "S-1-5-21-") or starts_with(user.id, "S-1-12-1-")) 29 | | stats agents = count_distinct(host.id), total = count(*) by user.name 30 | /* threshold set to 10 but can be adjusted to reduce normal baseline in your env */ 31 | | where agents >= 10 32 | ''' 33 | ] -------------------------------------------------------------------------------- /hunting/windows/queries/suspicious_base64_encoded_powershell_commands.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt identifies base64 encoded powershell commands in process start events and filters ones with suspicious keywords like downloaders and evasion related commands. 
5 | """ 6 | integration = ["endpoint", "windows", "system"] 7 | uuid = "2e583d3c-7ad6-4544-a0db-c685b2066493" 8 | name = "Suspicious Base64 Encoded Powershell Command" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "This hunt can be expanded to include more evasion techniques and downloaders.", 13 | "Pivoting by `agent.id` can provide more context on the affected hosts." 14 | ] 15 | mitre = [ "T1059", "T1059.001", "T1027", "T1027.010"] 16 | query = [ 17 | ''' 18 | from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* 19 | | where host.os.type == "windows" and event.category == "process" and event.type == "start" and TO_LOWER(process.name) == "powershell.exe" and process.command_line rlike ".+ -(e|E).*" 20 | | keep agent.id, process.command_line 21 | /* simplified regex to extract base64 encoded blob */ 22 | | grok process.command_line """(?([A-Za-z0-9+/]+={1,2}$|[A-Za-z0-9+/]{100,}))""" 23 | | where base64_data is not null 24 | /* base64 decode added in 8.14 */ 25 | | eval decoded_base64_cmdline = replace(TO_LOWER(FROM_BASE64(base64_data)), """\u0000""", "") 26 | /* most common suspicious keywords, you can add more patterns here */ 27 | | where decoded_base64_cmdline rlike """.*(http|webclient|download|mppreference|sockets|bxor|.replace|reflection|assembly|load|bits|start-proc|iwr|frombase64).*""" 28 | | keep agent.id, process.command_line, decoded_base64_cmdline 29 | ''' 30 | ] 31 | -------------------------------------------------------------------------------- /hunting/windows/queries/suspicious_dns_txt_record_lookups_by_process.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | Leveraging aggregation by process executable entities, this hunt identifies identifies a high number of DNS TXT record queries from same process. 
5 | Adversaries may leverage DNS TXT queries to stage malicious content or exfiltrate data. 6 | """ 7 | integration = ["endpoint", "windows"] 8 | uuid = "7a2c8397-d219-47ad-a8e2-93562e568d08" 9 | name = "Suspicious DNS TXT Record Lookups by Process" 10 | language = ["ES|QL"] 11 | license = "Elastic License v2" 12 | notes = [ 13 | "This hunt returns a list of processes unique pids and executable paths that performs a high number of DNS TXT lookups.", 14 | "Pivoting by `process.entity_id` will allow further investigation (parent process, hash, child processes, other network events etc.).", 15 | ] 16 | mitre = [ "T1071", "T1071.004"] 17 | query = [''' 18 | from logs-endpoint.events.network-*, logs-windows.sysmon_operational-* 19 | | where host.os.family == "windows" and event.category == "network" and 20 | event.action in ("lookup_requested", "DNSEvent (DNS query)") and 21 | (dns.question.type == "TXT" or dns.answers.type == "TXT") and process.executable != "C:\\Windows\\system32\\svchost.exe" 22 | | keep process.executable, process.entity_id 23 | | stats occurrences = count(*) by process.entity_id, process.executable 24 | /* threshold can be adjusted to your env */ 25 | | where occurrences >= 50 26 | '''] -------------------------------------------------------------------------------- /hunting/windows/queries/windows_command_and_scripting_interpreter_from_unusual_parent.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt looks for unusual Microsoft native processes spawning `cmd.exe`, `powershell.exe` or `conhost.exe` and limited to a unique host. This could be normal rare behavior as well as an interactive shell activity from an injected parent process to execute system commands. 
5 | """ 6 | integration = ["endpoint", "windows", "system"] 7 | uuid = "aca4877f-d284-4bdb-8e18-b1414d3a7c20" 8 | name = "Windows Command and Scripting Interpreter from Unusual Parent Process" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Further pivoting can be done via `process.parent.name`.", 13 | "Certain Microsoft binaries like LSASS, winlogon, spoolsv and others should never spawn `cmd.exe`, `powershell.exe` or `conhost.exe`, if so it's highly likely malicious.", 14 | ] 15 | mitre = [ "T1059", "T1059.001", "T1059.003"] 16 | query = [ 17 | ''' 18 | from logs-endpoint.events.process-*, logs-windows.sysmon_operational-*, logs-system.security-* 19 | | where @timestamp > now() - 7 day 20 | | where host.os.family == "windows" and event.category == "process" and event.action in ("start", "Process creation", "created-process") and 21 | to_lower(process.name) in ("cmd.exe", "powershell.exe", "conhost.exe") and 22 | (starts_with(to_lower(process.parent.executable), "c:\\windows\\system32") or starts_with(to_lower(process.parent.executable), "c:\\windows\\syswow64")) 23 | | keep process.name, process.parent.name, host.id 24 | | stats hosts = count_distinct(host.id), cc = count(*) by process.parent.name 25 | | where cc <= 10 and hosts == 1 26 | ''' 27 | ] -------------------------------------------------------------------------------- /hunting/windows/queries/windows_logon_activity_by_source_ip.toml: -------------------------------------------------------------------------------- 1 | [hunt] 2 | author = "Elastic" 3 | description = """ 4 | This hunt returns a summary of network logon activity by `source.ip` using Windows event IDs 4624 and 4625. The higher the number of failures, low success and multiple accounts the more suspicious the behavior is. 
5 | """ 6 | integration = ["system"] 7 | uuid = "441fba85-47a9-4f1f-aab4-569bbfdc548b" 8 | name = "Windows Logon Activity by Source IP" 9 | language = ["ES|QL"] 10 | license = "Elastic License v2" 11 | notes = [ 12 | "Pay close attention to IP address sources with a high number of failed connections associated with low success attempts and high number of user accounts.", 13 | ] 14 | mitre = [ "T1110", "T1110.001", "T1110.003"] 15 | query = [ 16 | ''' 17 | from logs-system.security-* 18 | | where @timestamp > now() - 7 day 19 | | where host.os.family == "windows" and 20 | event.category == "authentication" and event.action in ("logon-failed", "logged-in") and winlog.logon.type == "Network" and 21 | source.ip is not null and 22 | /* noisy failure status codes often associated to authentication misconfiguration */ 23 | not (event.action == "logon-failed" and winlog.event_data.Status in ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")) 24 | | eval failed = case(event.action == "logon-failed", source.ip, null), success = case(event.action == "logged-in", source.ip, null) 25 | | stats count_failed = count(failed), count_success = count(success), count_user = count_distinct(winlog.event_data.TargetUserName) by source.ip 26 | /* below threshold should be adjusted to your env logon patterns */ 27 | | where count_failed >= 100 and count_success <= 10 and count_user >= 20 28 | ''' 29 | ] -------------------------------------------------------------------------------- /lib/kibana/kibana/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one 2 | # or more contributor license agreements. Licensed under the Elastic License 3 | # 2.0; you may not use this file except in compliance with the Elastic License 4 | # 2.0. 
5 | 6 | """Wrapper around Kibana APIs for the Security Application.""" 7 | 8 | from .connector import Kibana 9 | from .resources import RuleResource, Signal 10 | 11 | __version__ = '0.4.1' 12 | __all__ = ( 13 | "Kibana", 14 | "RuleResource", 15 | "Signal" 16 | ) 17 | -------------------------------------------------------------------------------- /lib/kibana/pyproject.toml: -------------------------------------------------------------------------------- 1 | [project] 2 | name = "detection-rules-kibana" 3 | version = "0.4.3" 4 | description = "Kibana API utilities for Elastic Detection Rules" 5 | license = {text = "Elastic License v2"} 6 | keywords = ["Elastic", "Kibana", "Detection Rules", "Security", "Elasticsearch"] 7 | classifiers = [ 8 | "Intended Audience :: Developers", 9 | "Programming Language :: Python :: 3", 10 | "Programming Language :: Python :: 3.12", 11 | "Topic :: Security", 12 | "Topic :: Software Development :: Build Tools", 13 | "Topic :: Software Development :: Libraries :: Python Modules", 14 | "Topic :: Software Development", 15 | ] 16 | requires-python = ">=3.12" 17 | dependencies = [ 18 | "requests>=2.25,<3.0", 19 | "elasticsearch~=8.12.1", 20 | ] 21 | 22 | [project.urls] 23 | Homepage = "https://github.com/elastic/detection-rules" 24 | License = "https://github.com/elastic/detection-rules/blob/main/LICENSE.txt" 25 | 26 | [build-system] 27 | requires = ["setuptools", "wheel"] 28 | build-backend = "setuptools.build_meta" 29 | -------------------------------------------------------------------------------- /lib/kql/kql/errors.py: -------------------------------------------------------------------------------- 1 | # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one 2 | # or more contributor license agreements. Licensed under the Elastic License 3 | # 2.0; you may not use this file except in compliance with the Elastic License 4 | # 2.0. 
5 | 6 | from eql import EqlError, EqlParseError, EqlCompileError 7 | 8 | 9 | class KqlParseError(EqlParseError): 10 | """EQL Parsing Error.""" 11 | 12 | 13 | class KqlCompileError(EqlCompileError): 14 | """Class for KQL-specific compile errors.""" 15 | 16 | 17 | class KqlRuntimeError(EqlError): 18 | """Error for failures within the KQL evaluator.""" 19 | -------------------------------------------------------------------------------- /lib/kql/kql/kql.g: -------------------------------------------------------------------------------- 1 | ?query: or_query 2 | ?or_query: and_query (OR and_query)* 3 | ?and_query: not_query (AND not_query)* 4 | ?not_query: NOT? sub_query 5 | ?sub_query: "(" or_query ")" 6 | | nested_query 7 | ?nested_query: field ":" "{" or_query "}" 8 | | expression 9 | ?expression: field_range_expression 10 | | field_value_expression 11 | | value_expression 12 | 13 | field_range_expression: field RANGE_OPERATOR literal 14 | field_value_expression: field ":" list_of_values 15 | ?value_expression: value 16 | 17 | ?list_of_values: "(" or_list_of_values ")" 18 | | value 19 | ?or_list_of_values: and_list_of_values (OR and_list_of_values)* 20 | ?and_list_of_values: not_list_of_values (AND not_list_of_values)* 21 | ?not_list_of_values: NOT? 
list_of_values 22 | 23 | field: literal 24 | 25 | value: QUOTED_STRING 26 | | UNQUOTED_LITERAL 27 | 28 | 29 | literal: QUOTED_STRING 30 | | UNQUOTED_LITERAL 31 | 32 | RANGE_OPERATOR: "<=" 33 | | ">=" 34 | | "<" 35 | | ">" 36 | 37 | UNQUOTED_LITERAL: UNQUOTED_CHAR+ 38 | UNQUOTED_CHAR: "\\" /[trn]/ // escaped whitespace 39 | | "\\" /[\\():<>"*{}]/ // escaped specials 40 | | "\\" (AND | OR | NOT) // escaped keywords 41 | | "*" // wildcard 42 | | /[^\\():<>"*{} \t\r\n]/ // anything else 43 | 44 | QUOTED_STRING: /"(\\[tnr"\\]|[^\r\n"])*"/ 45 | 46 | OR.2: "or" | "OR" 47 | AND.2: "and" | "AND" 48 | NOT.2: "not" | "NOT" 49 | 50 | WHITESPACE: (" " | "\r" | "\n" | "\t" )+ 51 | %ignore WHITESPACE -------------------------------------------------------------------------------- /lib/kql/pyproject.toml: -------------------------------------------------------------------------------- 1 | [project] 2 | name = "detection-rules-kql" 3 | version = "0.1.7" 4 | description = "Kibana Query Language parser for Elastic Detection Rules" 5 | license = {text = "Elastic License v2"} 6 | keywords = ["Elastic", "sour", "Detection Rules", "Security", "Elasticsearch", "kql"] 7 | classifiers = [ 8 | "Intended Audience :: Developers", 9 | "Programming Language :: Python :: 3", 10 | "Programming Language :: Python :: 3.12", 11 | "Topic :: Security", 12 | "Topic :: Software Development :: Build Tools", 13 | "Topic :: Software Development :: Libraries :: Python Modules", 14 | "Topic :: Software Development", 15 | ] 16 | requires-python = ">=3.12" 17 | dependencies = [ 18 | "eql==0.9.19", 19 | "lark-parser>=0.12.0", 20 | ] 21 | 22 | [project.urls] 23 | Homepage = "https://github.com/elastic/detection-rules" 24 | License = "https://github.com/elastic/detection-rules/blob/main/LICENSE.txt" 25 | 26 | [build-system] 27 | requires = ["setuptools", "wheel"] 28 | build-backend = "setuptools.build_meta" 29 | 30 | [tool.setuptools.package-data] 31 | kql = ["*.g"] 32 | 
-------------------------------------------------------------------------------- /rules/_deprecated/apm_null_user_agent.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/02/18" 3 | maturity = "deprecated" 4 | min_stack_comments = "New fields added: required_fields, related_integrations, setup" 5 | min_stack_version = "8.3.0" 6 | updated_date = "2022/09/13" 7 | deprecation_date = "2022/09/13" 8 | 9 | [rule] 10 | author = ["Elastic"] 11 | description = "A request to a web application server contained no identifying user agent string." 12 | false_positives = [ 13 | """ 14 | Some normal applications and scripts may contain no user agent. Most legitimate web requests from the Internet 15 | contain a user agent string. Requests from web browsers almost always contain a user agent string. If the source is 16 | unexpected, the user unauthorized, or the request unusual, these may indicate suspicious or malicious activity. 
17 | """, 18 | ] 19 | index = ["apm-*-transaction*", "traces-apm*"] 20 | language = "kuery" 21 | license = "Elastic License v2" 22 | name = "Web Application Suspicious Activity: No User Agent" 23 | references = ["https://en.wikipedia.org/wiki/User_agent"] 24 | risk_score = 47 25 | rule_id = "43303fd4-4839-4e48-b2b2-803ab060758d" 26 | severity = "medium" 27 | tags = ["Elastic", "APM"] 28 | timestamp_override = "event.ingested" 29 | type = "query" 30 | 31 | query = ''' 32 | url.path:* 33 | ''' 34 | 35 | 36 | [[rule.filters]] 37 | 38 | [rule.filters."$state"] 39 | store = "appState" 40 | [rule.filters.exists] 41 | field = "user_agent.original" 42 | [rule.filters.meta] 43 | disabled = false 44 | indexRefName = "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index" 45 | key = "user_agent.original" 46 | negate = true 47 | type = "exists" 48 | value = "exists" 49 | 50 | -------------------------------------------------------------------------------- /rules/_deprecated/defense_evasion_attempt_to_disable_iptables_or_firewall.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/04/24" 3 | deprecation_date = "2022/07/25" 4 | maturity = "deprecated" 5 | updated_date = "2022/07/25" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = """ 10 | Adversaries may attempt to disable the iptables or firewall service in an attempt to affect how a host is allowed to 11 | receive or send network traffic. 
12 | """ 13 | from = "now-9m" 14 | index = ["auditbeat-*", "logs-endpoint.events.*"] 15 | language = "kuery" 16 | license = "Elastic License v2" 17 | name = "Attempt to Disable IPTables or Firewall" 18 | risk_score = 47 19 | rule_id = "125417b8-d3df-479f-8418-12d7e034fee3" 20 | severity = "medium" 21 | tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"] 22 | timestamp_override = "event.ingested" 23 | type = "query" 24 | 25 | query = ''' 26 | event.category:process and event.type:(start or process_started) and 27 | process.name:ufw and process.args:(allow or disable or reset) or 28 | 29 | (((process.name:service and process.args:stop) or 30 | (process.name:chkconfig and process.args:off) or 31 | (process.name:systemctl and process.args:(disable or stop or kill))) and 32 | process.args:(firewalld or ip6tables or iptables)) 33 | ''' 34 | 35 | 36 | [[rule.threat]] 37 | framework = "MITRE ATT&CK" 38 | [[rule.threat.technique]] 39 | id = "T1562" 40 | name = "Impair Defenses" 41 | reference = "https://attack.mitre.org/techniques/T1562/" 42 | [[rule.threat.technique.subtechnique]] 43 | id = "T1562.001" 44 | name = "Disable or Modify Tools" 45 | reference = "https://attack.mitre.org/techniques/T1562/001/" 46 | 47 | 48 | 49 | [rule.threat.tactic] 50 | id = "TA0005" 51 | name = "Defense Evasion" 52 | reference = "https://attack.mitre.org/tactics/TA0005/" 53 | 54 | -------------------------------------------------------------------------------- /rules/_deprecated/defense_evasion_base64_encoding_or_decoding_activity.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/04/17" 3 | deprecation_date = "2021/04/15" 4 | maturity = "deprecated" 5 | updated_date = "2021/04/15" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls." 
10 | false_positives = [ 11 | """ 12 | Automated tools such as Jenkins may encode or decode files as part of their normal behavior. These events can be 13 | filtered by the process executable or username values. 14 | """, 15 | ] 16 | from = "now-9m" 17 | index = ["auditbeat-*", "logs-endpoint.events.*"] 18 | language = "kuery" 19 | license = "Elastic License v2" 20 | name = "Base64 Encoding/Decoding Activity" 21 | risk_score = 21 22 | rule_id = "97f22dab-84e8-409d-955e-dacd1d31670b" 23 | severity = "low" 24 | tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"] 25 | timestamp_override = "event.ingested" 26 | type = "query" 27 | 28 | query = ''' 29 | event.category:process and event.type:(start or process_started) and 30 | process.name:(base64 or base64plain or base64url or base64mime or base64pem) 31 | ''' 32 | 33 | 34 | [[rule.threat]] 35 | framework = "MITRE ATT&CK" 36 | [[rule.threat.technique]] 37 | id = "T1140" 38 | name = "Deobfuscate/Decode Files or Information" 39 | reference = "https://attack.mitre.org/techniques/T1140/" 40 | 41 | [[rule.threat.technique]] 42 | id = "T1027" 43 | name = "Obfuscated Files or Information" 44 | reference = "https://attack.mitre.org/techniques/T1027/" 45 | 46 | 47 | [rule.threat.tactic] 48 | id = "TA0005" 49 | name = "Defense Evasion" 50 | reference = "https://attack.mitre.org/tactics/TA0005/" 51 | 52 | -------------------------------------------------------------------------------- /rules/_deprecated/defense_evasion_execution_via_trusted_developer_utilities.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/02/18" 3 | deprecation_date = "2021/04/15" 4 | maturity = "deprecated" 5 | updated_date = "2021/04/15" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = "Identifies possibly suspicious activity using trusted Windows developer activity." 
10 | false_positives = ["These programs may be used by Windows developers but use by non-engineers is unusual."] 11 | from = "now-9m" 12 | index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] 13 | language = "kuery" 14 | license = "Elastic License v2" 15 | name = "Trusted Developer Application Usage" 16 | risk_score = 21 17 | rule_id = "9d110cb3-5f4b-4c9a-b9f5-53f0a1707ae1" 18 | severity = "low" 19 | tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] 20 | timestamp_override = "event.ingested" 21 | type = "query" 22 | 23 | query = ''' 24 | event.category:process and event.type:(start or process_started) and process.name:(MSBuild.exe or msxsl.exe) 25 | ''' 26 | 27 | 28 | [[rule.threat]] 29 | framework = "MITRE ATT&CK" 30 | [[rule.threat.technique]] 31 | id = "T1127" 32 | name = "Trusted Developer Utilities Proxy Execution" 33 | reference = "https://attack.mitre.org/techniques/T1127/" 34 | 35 | 36 | [rule.threat.tactic] 37 | id = "TA0005" 38 | name = "Defense Evasion" 39 | reference = "https://attack.mitre.org/tactics/TA0005/" 40 | [[rule.threat]] 41 | framework = "MITRE ATT&CK" 42 | 43 | [rule.threat.tactic] 44 | id = "TA0002" 45 | name = "Execution" 46 | reference = "https://attack.mitre.org/tactics/TA0002/" 47 | 48 | -------------------------------------------------------------------------------- /rules/_deprecated/defense_evasion_hex_encoding_or_decoding_activity.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/04/17" 3 | deprecation_date = "2021/04/15" 4 | maturity = "deprecated" 5 | updated_date = "2021/04/15" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = "Adversaries may encode/decode data in an attempt to evade detection by host- or network-based security controls." 10 | false_positives = [ 11 | """ 12 | Automated tools such as Jenkins may encode or decode files as part of their normal behavior. 
These events can be 13 | filtered by the process executable or username values. 14 | """, 15 | ] 16 | from = "now-9m" 17 | index = ["auditbeat-*", "logs-endpoint.events.*"] 18 | language = "kuery" 19 | license = "Elastic License v2" 20 | name = "Hex Encoding/Decoding Activity" 21 | risk_score = 21 22 | rule_id = "a9198571-b135-4a76-b055-e3e5a476fd83" 23 | severity = "low" 24 | tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"] 25 | timestamp_override = "event.ingested" 26 | type = "query" 27 | 28 | query = ''' 29 | event.category:process and event.type:(start or process_started) and process.name:(hexdump or od or xxd) 30 | ''' 31 | 32 | 33 | [[rule.threat]] 34 | framework = "MITRE ATT&CK" 35 | [[rule.threat.technique]] 36 | id = "T1140" 37 | name = "Deobfuscate/Decode Files or Information" 38 | reference = "https://attack.mitre.org/techniques/T1140/" 39 | 40 | [[rule.threat.technique]] 41 | id = "T1027" 42 | name = "Obfuscated Files or Information" 43 | reference = "https://attack.mitre.org/techniques/T1027/" 44 | 45 | 46 | [rule.threat.tactic] 47 | id = "TA0005" 48 | name = "Defense Evasion" 49 | reference = "https://attack.mitre.org/tactics/TA0005/" 50 | 51 | -------------------------------------------------------------------------------- /rules/_deprecated/defense_evasion_mshta_making_network_connections.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/02/18" 3 | deprecation_date = "2020/10/30" 4 | maturity = "deprecated" 5 | updated_date = "2020/10/30" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = """ 10 | Identifies mshta.exe making a network connection. This may indicate adversarial activity, as mshta.exe is often 11 | leveraged by adversaries to execute malicious scripts and evade detection. 
12 | """ 13 | from = "now-9m" 14 | index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] 15 | language = "eql" 16 | license = "Elastic License v2" 17 | name = "Network Connection via Mshta" 18 | references = ["https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html"] 19 | risk_score = 47 20 | rule_id = "a4ec1382-4557-452b-89ba-e413b22ed4b8" 21 | severity = "medium" 22 | tags = ["Elastic", "Host", "Windows", "Threat Detection", "Defense Evasion"] 23 | type = "eql" 24 | 25 | query = ''' 26 | /* duplicate of Mshta Making Network Connections - c2d90150-0133-451c-a783-533e736c12d7 */ 27 | 28 | sequence by process.entity_id 29 | [process where process.name : "mshta.exe" and event.type == "start"] 30 | [network where process.name : "mshta.exe"] 31 | ''' 32 | 33 | 34 | [[rule.threat]] 35 | framework = "MITRE ATT&CK" 36 | [[rule.threat.technique]] 37 | id = "T1218" 38 | name = "Signed Binary Proxy Execution" 39 | reference = "https://attack.mitre.org/techniques/T1218/" 40 | [[rule.threat.technique.subtechnique]] 41 | id = "T1218.005" 42 | name = "Mshta" 43 | reference = "https://attack.mitre.org/techniques/T1218/005/" 44 | 45 | 46 | 47 | [rule.threat.tactic] 48 | id = "TA0005" 49 | name = "Defense Evasion" 50 | reference = "https://attack.mitre.org/tactics/TA0005/" 51 | 52 | -------------------------------------------------------------------------------- /rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/02/18" 3 | deprecation_date = "2021/04/15" 4 | maturity = "deprecated" 5 | updated_date = "2021/04/15" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = "Adversaries may attempt to get information about running processes on a system." 10 | false_positives = [ 11 | """ 12 | Administrators may use the tasklist command to display a list of currently running processes. 
By itself, it does not 13 | indicate malicious activity. After obtaining a foothold, it's possible adversaries may use discovery commands like 14 | tasklist to get information about running processes. 15 | """, 16 | ] 17 | from = "now-9m" 18 | index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] 19 | language = "kuery" 20 | license = "Elastic License v2" 21 | name = "Process Discovery via Tasklist" 22 | risk_score = 21 23 | rule_id = "cc16f774-59f9-462d-8b98-d27ccd4519ec" 24 | severity = "low" 25 | tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"] 26 | timestamp_override = "event.ingested" 27 | type = "query" 28 | 29 | query = ''' 30 | event.category:process and event.type:(start or process_started) and process.name:tasklist.exe 31 | ''' 32 | 33 | 34 | [[rule.threat]] 35 | framework = "MITRE ATT&CK" 36 | [[rule.threat.technique]] 37 | id = "T1057" 38 | name = "Process Discovery" 39 | reference = "https://attack.mitre.org/techniques/T1057/" 40 | 41 | 42 | [rule.threat.tactic] 43 | id = "TA0007" 44 | name = "Discovery" 45 | reference = "https://attack.mitre.org/tactics/TA0007/" 46 | -------------------------------------------------------------------------------- /rules/_deprecated/discovery_query_registry_via_reg.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/12/04" 3 | deprecation_date = "2021/04/15" 4 | maturity = "deprecated" 5 | updated_date = "2021/04/15" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = """ 10 | Enumeration or discovery of the Windows registry using reg.exe. This information can be used to perform follow-on 11 | activities. 
12 | """ 13 | from = "now-9m" 14 | index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*"] 15 | language = "eql" 16 | license = "Elastic License v2" 17 | name = "Query Registry via reg.exe" 18 | risk_score = 21 19 | rule_id = "68113fdc-3105-4cdd-85bb-e643c416ef0b" 20 | severity = "low" 21 | tags = ["Elastic", "Host", "Windows", "Threat Detection", "Discovery"] 22 | timestamp_override = "event.ingested" 23 | type = "eql" 24 | 25 | query = ''' 26 | process where event.type in ("start", "process_started") and 27 | (process.name : "reg.exe" or process.pe.original_file_name == "reg.exe") and 28 | process.args == "query" 29 | ''' 30 | 31 | 32 | [[rule.threat]] 33 | framework = "MITRE ATT&CK" 34 | [[rule.threat.technique]] 35 | id = "T1012" 36 | name = "Query Registry" 37 | reference = "https://attack.mitre.org/techniques/T1012/" 38 | 39 | 40 | [rule.threat.tactic] 41 | id = "TA0007" 42 | name = "Discovery" 43 | reference = "https://attack.mitre.org/tactics/TA0007/" 44 | 45 | -------------------------------------------------------------------------------- /rules/_deprecated/discovery_whoami_commmand.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/02/18" 3 | deprecation_date = "2021/04/15" 4 | maturity = "deprecated" 5 | updated_date = "2021/04/15" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = """ 10 | The whoami application was executed on a Linux host. This is often used by tools and persistence mechanisms to test for 11 | privileged access. 12 | """ 13 | false_positives = [ 14 | """ 15 | Security testing tools and frameworks may run this command. Some normal use of this command may originate from 16 | automation tools and frameworks. 
17 | """, 18 | ] 19 | from = "now-9m" 20 | index = ["auditbeat-*", "logs-endpoint.events.*"] 21 | language = "kuery" 22 | license = "Elastic License v2" 23 | name = "User Discovery via Whoami" 24 | risk_score = 21 25 | rule_id = "120559c6-5e24-49f4-9e30-8ffe697df6b9" 26 | severity = "low" 27 | tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"] 28 | timestamp_override = "event.ingested" 29 | type = "query" 30 | 31 | query = ''' 32 | event.category:process and event.type:(start or process_started) and process.name:whoami 33 | ''' 34 | 35 | 36 | [[rule.threat]] 37 | framework = "MITRE ATT&CK" 38 | [[rule.threat.technique]] 39 | id = "T1033" 40 | name = "System Owner/User Discovery" 41 | reference = "https://attack.mitre.org/techniques/T1033/" 42 | 43 | 44 | [rule.threat.tactic] 45 | id = "TA0007" 46 | name = "Discovery" 47 | reference = "https://attack.mitre.org/tactics/TA0007/" 48 | 49 | -------------------------------------------------------------------------------- /rules/_deprecated/execution_command_shell_started_by_powershell.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/02/18" 3 | deprecation_date = "2021/04/15" 4 | maturity = "deprecated" 5 | updated_date = "2021/04/15" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = "Identifies a suspicious parent child process relationship with cmd.exe descending from PowerShell.exe." 
10 | from = "now-9m" 11 | index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] 12 | language = "kuery" 13 | license = "Elastic License v2" 14 | name = "PowerShell spawning Cmd" 15 | risk_score = 21 16 | rule_id = "0f616aee-8161-4120-857e-742366f5eeb3" 17 | severity = "low" 18 | tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"] 19 | timestamp_override = "event.ingested" 20 | type = "query" 21 | 22 | query = ''' 23 | event.category:process and event.type:(start or process_started) and 24 | process.parent.name:powershell.exe and process.name:cmd.exe 25 | ''' 26 | 27 | 28 | [[rule.threat]] 29 | framework = "MITRE ATT&CK" 30 | [[rule.threat.technique]] 31 | id = "T1059" 32 | name = "Command and Scripting Interpreter" 33 | reference = "https://attack.mitre.org/techniques/T1059/" 34 | [[rule.threat.technique.subtechnique]] 35 | id = "T1059.001" 36 | name = "PowerShell" 37 | reference = "https://attack.mitre.org/techniques/T1059/001/" 38 | 39 | 40 | 41 | [rule.threat.tactic] 42 | id = "TA0002" 43 | name = "Execution" 44 | reference = "https://attack.mitre.org/tactics/TA0002/" 45 | 46 | -------------------------------------------------------------------------------- /rules/_deprecated/execution_linux_process_started_in_temp_directory.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/02/18" 3 | deprecation_date = "2022/07/25" 4 | maturity = "deprecated" 5 | updated_date = "2022/07/25" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = "Identifies processes running in a temporary folder. This is sometimes done by adversaries to hide malware." 10 | false_positives = [ 11 | """ 12 | Build systems, like Jenkins, may start processes in the `/tmp` directory. These can be exempted by name or by 13 | username. 
14 | """, 15 | ] 16 | from = "now-9m" 17 | index = ["auditbeat-*", "logs-endpoint.events.*"] 18 | language = "kuery" 19 | license = "Elastic License v2" 20 | name = "Unusual Process Execution - Temp" 21 | risk_score = 47 22 | rule_id = "df959768-b0c9-4d45-988c-5606a2be8e5a" 23 | severity = "medium" 24 | tags = ["Elastic", "Host", "Linux", "Threat Detection", "Execution"] 25 | timestamp_override = "event.ingested" 26 | type = "query" 27 | 28 | query = ''' 29 | event.category:process and event.type:(start or process_started) and process.working_directory:/tmp and 30 | not process.parent.name:(update-motd-updates-available or 31 | apt or apt-* or 32 | cnf-update-db or 33 | appstreamcli or 34 | unattended-upgrade or 35 | packagekitd) and 36 | not process.args:(/usr/lib/update-notifier/update-motd-updates-available or 37 | /var/lib/command-not-found/) 38 | ''' 39 | 40 | 41 | [[rule.threat]] 42 | framework = "MITRE ATT&CK" 43 | 44 | [rule.threat.tactic] 45 | id = "TA0002" 46 | name = "Execution" 47 | reference = "https://attack.mitre.org/tactics/TA0002/" 48 | 49 | -------------------------------------------------------------------------------- /rules/_deprecated/execution_via_net_com_assemblies.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/03/25" 3 | deprecation_date = "2021/03/17" 4 | maturity = "deprecated" 5 | updated_date = "2021/03/17" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = """ 10 | RegSvcs.exe and RegAsm.exe are Windows command line utilities that are used to register .NET Component Object Model 11 | (COM) assemblies. Adversaries can use RegSvcs.exe and RegAsm.exe to proxy execution of code through a trusted Windows 12 | utility. 
13 | """ 14 | from = "now-9m" 15 | index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"] 16 | language = "kuery" 17 | license = "Elastic License v2" 18 | name = "Execution via Regsvcs/Regasm" 19 | risk_score = 21 20 | rule_id = "47f09343-8d1f-4bb5-8bb0-00c9d18f5010" 21 | severity = "low" 22 | tags = ["Elastic", "Host", "Windows", "Threat Detection", "Execution"] 23 | timestamp_override = "event.ingested" 24 | type = "query" 25 | 26 | query = ''' 27 | event.category:process and event.type:(start or process_started) and process.name:(RegAsm.exe or RegSvcs.exe) 28 | ''' 29 | 30 | 31 | [[rule.threat]] 32 | framework = "MITRE ATT&CK" 33 | 34 | [rule.threat.tactic] 35 | id = "TA0002" 36 | name = "Execution" 37 | reference = "https://attack.mitre.org/tactics/TA0002/" 38 | [[rule.threat]] 39 | framework = "MITRE ATT&CK" 40 | [[rule.threat.technique]] 41 | id = "T1218" 42 | name = "Signed Binary Proxy Execution" 43 | reference = "https://attack.mitre.org/techniques/T1218/" 44 | [[rule.threat.technique.subtechnique]] 45 | id = "T1218.009" 46 | name = "Regsvcs/Regasm" 47 | reference = "https://attack.mitre.org/techniques/T1218/009/" 48 | 49 | 50 | 51 | [rule.threat.tactic] 52 | id = "TA0005" 53 | name = "Defense Evasion" 54 | reference = "https://attack.mitre.org/tactics/TA0005/" 55 | 56 | -------------------------------------------------------------------------------- /rules/_deprecated/exfiltration_rds_snapshot_export.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2021/06/06" 3 | deprecation_date = "2021/08/02" 4 | integration = "aws" 5 | maturity = "deprecated" 6 | updated_date = "2021/08/02" 7 | 8 | [rule] 9 | author = ["Elastic"] 10 | description = "Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot." 11 | false_positives = [ 12 | """ 13 | Exporting snapshots may be done by a system or network administrator. 
Verify whether the user identity, user agent, 14 | and/or hostname should be making changes in your environment. Snapshot exports from unfamiliar users or hosts should 15 | be investigated. If known behavior is causing false positives, it can be exempted from the rule. 16 | """, 17 | ] 18 | from = "now-60m" 19 | index = ["filebeat-*", "logs-aws*"] 20 | interval = "10m" 21 | language = "kuery" 22 | license = "Elastic License v2" 23 | name = "AWS RDS Snapshot Export" 24 | note = """## Config 25 | 26 | The AWS Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" 27 | references = ["https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_StartExportTask.html"] 28 | risk_score = 21 29 | rule_id = "119c8877-8613-416d-a98a-96b6664ee73a5" 30 | severity = "low" 31 | tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring", "SecOps", "Asset Visibility"] 32 | timestamp_override = "event.ingested" 33 | type = "query" 34 | 35 | query = ''' 36 | event.dataset:aws.cloudtrail and event.provider:rds.amazonaws.com and event.action:StartExportTask and event.outcome:success 37 | ''' 38 | 39 | 40 | [[rule.threat]] 41 | framework = "MITRE ATT&CK" 42 | 43 | [rule.threat.tactic] 44 | name = "Exfiltration" 45 | id = "TA0010" 46 | reference = "https://attack.mitre.org/tactics/TA0010/" 47 | 48 | -------------------------------------------------------------------------------- /rules/_deprecated/initial_access_login_failures.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/07/08" 3 | deprecation_date = "2022/07/25" 4 | maturity = "deprecated" 5 | updated_date = "2022/07/25" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = "Identifies that the maximum number of failed login attempts has been reached for a user." 
10 | index = ["auditbeat-*"] 11 | language = "kuery" 12 | license = "Elastic License v2" 13 | name = "Auditd Max Failed Login Attempts" 14 | references = [ 15 | "https://github.com/linux-pam/linux-pam/blob/0adbaeb273da1d45213134aa271e95987103281c/modules/pam_faillock/pam_faillock.c#L574", 16 | ] 17 | risk_score = 47 18 | rule_id = "fb9937ce-7e21-46bf-831d-1ad96eac674d" 19 | severity = "medium" 20 | tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"] 21 | timestamp_override = "event.ingested" 22 | type = "query" 23 | 24 | query = ''' 25 | event.module:auditd and event.action:"failed-log-in-too-many-times-to" 26 | ''' 27 | 28 | 29 | [[rule.threat]] 30 | framework = "MITRE ATT&CK" 31 | [[rule.threat.technique]] 32 | id = "T1078" 33 | name = "Valid Accounts" 34 | reference = "https://attack.mitre.org/techniques/T1078/" 35 | 36 | 37 | [rule.threat.tactic] 38 | id = "TA0001" 39 | name = "Initial Access" 40 | reference = "https://attack.mitre.org/tactics/TA0001/" 41 | [[rule.threat]] 42 | framework = "MITRE ATT&CK" 43 | [[rule.threat.technique]] 44 | id = "T1078" 45 | name = "Valid Accounts" 46 | reference = "https://attack.mitre.org/techniques/T1078/" 47 | 48 | 49 | [rule.threat.tactic] 50 | id = "TA0003" 51 | name = "Persistence" 52 | reference = "https://attack.mitre.org/tactics/TA0003/" 53 | 54 | -------------------------------------------------------------------------------- /rules/_deprecated/initial_access_login_location.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/07/08" 3 | deprecation_date = "2022/07/25" 4 | maturity = "deprecated" 5 | updated_date = "2022/07/25" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = "Identifies that a login attempt has happened from a forbidden location." 
10 | index = ["auditbeat-*"] 11 | language = "kuery" 12 | license = "Elastic License v2" 13 | name = "Auditd Login from Forbidden Location" 14 | references = [ 15 | "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_access/pam_access.c#L412", 16 | ] 17 | risk_score = 73 18 | rule_id = "cab4f01c-793f-4a54-a03e-e5d85b96d7af" 19 | severity = "high" 20 | tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"] 21 | timestamp_override = "event.ingested" 22 | type = "query" 23 | 24 | query = ''' 25 | event.module:auditd and event.action:"attempted-log-in-from-unusual-place-to" 26 | ''' 27 | 28 | 29 | [[rule.threat]] 30 | framework = "MITRE ATT&CK" 31 | [[rule.threat.technique]] 32 | id = "T1078" 33 | name = "Valid Accounts" 34 | reference = "https://attack.mitre.org/techniques/T1078/" 35 | 36 | 37 | [rule.threat.tactic] 38 | id = "TA0001" 39 | name = "Initial Access" 40 | reference = "https://attack.mitre.org/tactics/TA0001/" 41 | [[rule.threat]] 42 | framework = "MITRE ATT&CK" 43 | [[rule.threat.technique]] 44 | id = "T1078" 45 | name = "Valid Accounts" 46 | reference = "https://attack.mitre.org/techniques/T1078/" 47 | 48 | 49 | [rule.threat.tactic] 50 | id = "TA0003" 51 | name = "Persistence" 52 | reference = "https://attack.mitre.org/tactics/TA0003/" 53 | 54 | -------------------------------------------------------------------------------- /rules/_deprecated/initial_access_login_sessions.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/07/08" 3 | deprecation_date = "2022/07/25" 4 | maturity = "deprecated" 5 | updated_date = "2022/07/25" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = "Identifies that the maximum number of login sessions has been reached for a user."
10 | index = ["auditbeat-*"] 11 | language = "kuery" 12 | license = "Elastic License v2" 13 | name = "Auditd Max Login Sessions" 14 | references = [ 15 | "https://github.com/linux-pam/linux-pam/blob/70c32cc6fca51338f92afa58eb75b1107a5c2430/modules/pam_limits/pam_limits.c#L1007", 16 | ] 17 | risk_score = 47 18 | rule_id = "20dc4620-3b68-4269-8124-ca5091e00ea8" 19 | severity = "medium" 20 | tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"] 21 | timestamp_override = "event.ingested" 22 | type = "query" 23 | 24 | query = ''' 25 | event.module:auditd and event.action:"opened-too-many-sessions-to" 26 | ''' 27 | 28 | 29 | [[rule.threat]] 30 | framework = "MITRE ATT&CK" 31 | [[rule.threat.technique]] 32 | id = "T1078" 33 | name = "Valid Accounts" 34 | reference = "https://attack.mitre.org/techniques/T1078/" 35 | 36 | 37 | [rule.threat.tactic] 38 | id = "TA0001" 39 | name = "Initial Access" 40 | reference = "https://attack.mitre.org/tactics/TA0001/" 41 | [[rule.threat]] 42 | framework = "MITRE ATT&CK" 43 | [[rule.threat.technique]] 44 | id = "T1078" 45 | name = "Valid Accounts" 46 | reference = "https://attack.mitre.org/techniques/T1078/" 47 | 48 | 49 | [rule.threat.tactic] 50 | id = "TA0003" 51 | name = "Persistence" 52 | reference = "https://attack.mitre.org/tactics/TA0003/" 53 | 54 | -------------------------------------------------------------------------------- /rules/_deprecated/initial_access_login_time.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/07/08" 3 | deprecation_date = "2022/07/25" 4 | maturity = "deprecated" 5 | updated_date = "2022/07/25" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = "Identifies that a login attempt occurred at a forbidden time." 
10 | index = ["auditbeat-*"] 11 | language = "kuery" 12 | license = "Elastic License v2" 13 | name = "Auditd Login Attempt at Forbidden Time" 14 | references = [ 15 | "https://github.com/linux-pam/linux-pam/blob/aac5a8fdc4aa3f7e56335a6343774cc1b63b408d/modules/pam_time/pam_time.c#L666", 16 | ] 17 | risk_score = 47 18 | rule_id = "90e28af7-1d96-4582-bf11-9a1eff21d0e5" 19 | severity = "medium" 20 | tags = ["Elastic", "Host", "Linux", "Threat Detection", "Initial Access"] 21 | timestamp_override = "event.ingested" 22 | type = "query" 23 | 24 | query = ''' 25 | event.module:auditd and event.action:"attempted-log-in-during-unusual-hour-to" 26 | ''' 27 | 28 | 29 | [[rule.threat]] 30 | framework = "MITRE ATT&CK" 31 | [[rule.threat.technique]] 32 | id = "T1078" 33 | name = "Valid Accounts" 34 | reference = "https://attack.mitre.org/techniques/T1078/" 35 | 36 | 37 | [rule.threat.tactic] 38 | id = "TA0001" 39 | name = "Initial Access" 40 | reference = "https://attack.mitre.org/tactics/TA0001/" 41 | [[rule.threat]] 42 | framework = "MITRE ATT&CK" 43 | [[rule.threat.technique]] 44 | id = "T1078" 45 | name = "Valid Accounts" 46 | reference = "https://attack.mitre.org/techniques/T1078/" 47 | 48 | 49 | [rule.threat.tactic] 50 | id = "TA0003" 51 | name = "Persistence" 52 | reference = "https://attack.mitre.org/tactics/TA0003/" 53 | 54 | -------------------------------------------------------------------------------- /rules/_deprecated/lateral_movement_malicious_remote_file_creation.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2023/10/12" 3 | deprecation_date = "2023/12/14" 4 | integration = ["endpoint"] 5 | maturity = "deprecated" 6 | min_stack_comments = "Avoiding rule duplication for <= 8.8 stack versions" 7 | min_stack_version = "8.9.0" 8 | updated_date = "2023/12/14" 9 | 10 | [rule] 11 | author = ["Elastic"] 12 | description = "Malicious remote file creation, which can be an indicator of lateral 
movement activity." 13 | from = "now-10m" 14 | index = ["logs-endpoint.events.*"] 15 | interval = "5m" 16 | language = "eql" 17 | license = "Elastic License v2" 18 | name = "Malicious Remote File Creation" 19 | references = ["https://www.elastic.co/es/blog/remote-desktop-protocol-connections-elastic-security"] 20 | risk_score = 99 21 | rule_id = "301571f3-b316-4969-8dd0-7917410030d3" 22 | severity = "critical" 23 | tags = ["Domain: Endpoint", "Use Case: Lateral Movement Detection", "Tactic: Lateral Movement", "Data Source: Elastic Defend"] 24 | type = "eql" 25 | 26 | query = ''' 27 | sequence by host.name 28 | [file where event.action == "creation" and process.name : ("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")] 29 | [file where event.category == "malware" or event.category == "intrusion_detection" 30 | and process.name:("System", "scp", "sshd", "smbd", "vsftpd", "sftp-server")] 31 | ''' 32 | 33 | 34 | [[rule.threat]] 35 | framework = "MITRE ATT&CK" 36 | [[rule.threat.technique]] 37 | id = "T1210" 38 | name = "Exploitation of Remote Services" 39 | reference = "https://attack.mitre.org/techniques/T1210/" 40 | 41 | 42 | [rule.threat.tactic] 43 | id = "TA0008" 44 | name = "Lateral Movement" 45 | reference = "https://attack.mitre.org/tactics/TA0008/" 46 | 47 | -------------------------------------------------------------------------------- /rules/_deprecated/linux_mknod_activity.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/02/18" 3 | deprecation_date = "2021/04/15" 4 | maturity = "deprecated" 5 | updated_date = "2021/04/15" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = """ 10 | The Linux mknod program is sometimes used in the command payload of a remote command injection (RCI) and other exploits. 11 | It is used to export a command shell when the traditional version of netcat is not available to the payload. 
12 | """ 13 | false_positives = [ 14 | """ 15 | Mknod is a Linux system program. Some normal use of this program, at varying levels of frequency, may originate from 16 | scripts, automation tools, and frameworks. Usage by web servers is more likely to be suspicious. 17 | """, 18 | ] 19 | from = "now-9m" 20 | index = ["auditbeat-*", "logs-endpoint.events.*"] 21 | language = "kuery" 22 | license = "Elastic License v2" 23 | name = "Mknod Process Activity" 24 | references = [ 25 | "https://web.archive.org/web/20191218024607/https://pen-testing.sans.org/blog/2013/05/06/netcat-without-e-no-problem/", 26 | ] 27 | risk_score = 21 28 | rule_id = "61c31c14-507f-4627-8c31-072556b89a9c" 29 | severity = "low" 30 | tags = ["Elastic", "Host", "Linux", "Threat Detection"] 31 | timestamp_override = "event.ingested" 32 | type = "query" 33 | 34 | query = ''' 35 | event.category:process and event.type:(start or process_started) and process.name:mknod 36 | ''' 37 | 38 | -------------------------------------------------------------------------------- /rules/_deprecated/linux_nmap_activity.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/02/18" 3 | deprecation_date = "2021/04/15" 4 | maturity = "deprecated" 5 | updated_date = "2021/04/15" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = """ 10 | Nmap was executed on a Linux host. Nmap is a FOSS tool for network scanning and security testing. It can map and 11 | discover networks, and identify listening services and operating systems. It is sometimes used to gather information in 12 | support of exploitation, execution or lateral movement. 13 | """ 14 | false_positives = [ 15 | """ 16 | Security testing tools and frameworks may run `Nmap` in the course of security auditing. Some normal use of this 17 | command may originate from security engineers and network or server administrators. Use of nmap by ordinary users is 18 | uncommon. 
19 | """, 20 | ] 21 | from = "now-9m" 22 | index = ["auditbeat-*", "logs-endpoint.events.*"] 23 | language = "kuery" 24 | license = "Elastic License v2" 25 | name = "Nmap Process Activity" 26 | references = ["https://en.wikipedia.org/wiki/Nmap"] 27 | risk_score = 21 28 | rule_id = "c87fca17-b3a9-4e83-b545-f30746c53920" 29 | severity = "low" 30 | tags = ["Elastic", "Host", "Linux", "Threat Detection"] 31 | timestamp_override = "event.ingested" 32 | type = "query" 33 | 34 | query = ''' 35 | event.category:process and event.type:(start or process_started) and process.name:nmap 36 | ''' 37 | 38 | -------------------------------------------------------------------------------- /rules/_deprecated/linux_socat_activity.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/02/18" 3 | deprecation_date = "2021/04/15" 4 | maturity = "deprecated" 5 | updated_date = "2021/04/15" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = """ 10 | A Socat process is running on a Linux host. Socat is often used as a persistence mechanism by exporting a reverse shell, 11 | or by serving a shell on a listening port. Socat is also sometimes used for lateral movement. 12 | """ 13 | false_positives = [ 14 | """ 15 | Socat is a dual-use tool that can be used for benign or malicious activity. Some normal use of this program, at 16 | varying levels of frequency, may originate from scripts, automation tools, and frameworks. Usage by web servers is 17 | more likely to be suspicious. 
18 | """, 19 | ] 20 | from = "now-9m" 21 | index = ["auditbeat-*", "logs-endpoint.events.*"] 22 | language = "kuery" 23 | license = "Elastic License v2" 24 | name = "Socat Process Activity" 25 | references = ["https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/#method-2-using-socat"] 26 | risk_score = 47 27 | rule_id = "cd4d5754-07e1-41d4-b9a5-ef4ea6a0a126" 28 | severity = "medium" 29 | tags = ["Elastic", "Host", "Linux", "Threat Detection"] 30 | timestamp_override = "event.ingested" 31 | type = "query" 32 | 33 | query = ''' 34 | event.category:process and event.type:(start or process_started) and process.name:socat and not process.args:-V 35 | ''' 36 | 37 | -------------------------------------------------------------------------------- /rules/_deprecated/privilege_escalation_linux_strace_activity.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2020/02/18" 3 | deprecation_date = "2022/07/28" 4 | maturity = "deprecated" 5 | updated_date = "2022/07/28" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = """ 10 | Strace is a useful diagnostic, instructional, and debugging tool. This rule identifies a privileged context execution of 11 | strace which can be used to escape restrictive environments by instantiating a shell in order to elevate privileges or 12 | move laterally. 13 | """ 14 | false_positives = [ 15 | """ 16 | Strace is a dual-use tool that can be used for benign or malicious activity. Some normal use of this command may 17 | originate from developers or SREs engaged in debugging or system call tracing. 
18 | """, 19 | ] 20 | from = "now-9m" 21 | index = ["auditbeat-*", "logs-endpoint.events.*"] 22 | language = "kuery" 23 | license = "Elastic License v2" 24 | name = "Strace Process Activity" 25 | references = ["https://en.wikipedia.org/wiki/Strace"] 26 | risk_score = 21 27 | rule_id = "d6450d4e-81c6-46a3-bd94-079886318ed5" 28 | severity = "low" 29 | tags = ["Elastic", "Host", "Linux", "Threat Detection", "Privilege Escalation"] 30 | timestamp_override = "event.ingested" 31 | type = "query" 32 | 33 | query = ''' 34 | event.category:process and event.type:(start or process_started) and process.name:strace 35 | ''' 36 | 37 | 38 | [[rule.threat]] 39 | framework = "MITRE ATT&CK" 40 | [[rule.threat.technique]] 41 | id = "T1068" 42 | name = "Exploitation for Privilege Escalation" 43 | reference = "https://attack.mitre.org/techniques/T1068/" 44 | 45 | 46 | [rule.threat.tactic] 47 | id = "TA0004" 48 | name = "Privilege Escalation" 49 | reference = "https://attack.mitre.org/tactics/TA0004/" 50 | 51 | -------------------------------------------------------------------------------- /rules/integrations/aws/NOTICE.txt: -------------------------------------------------------------------------------- 1 | This product bundles rules based on https://github.com/FSecureLABS/leonidas 2 | which is available under a "MIT" license. 
The rules based on this license are: 3 | 4 | - "AWS Access Secret in Secrets Manager" (a00681e3-9ed6-447c-ab2c-be648821c622) 5 | 6 | MIT License 7 | 8 | Copyright (c) 2020 F-Secure LABS 9 | 10 | Permission is hereby granted, free of charge, to any person obtaining a copy 11 | of this software and associated documentation files (the "Software"), to deal 12 | in the Software without restriction, including without limitation the rights 13 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 14 | copies of the Software, and to permit persons to whom the Software is 15 | furnished to do so, subject to the following conditions: 16 | 17 | The above copyright notice and this permission notice shall be included in all 18 | copies or substantial portions of the Software. 19 | 20 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 21 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 22 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 23 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 24 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 25 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 26 | SOFTWARE. 27 | -------------------------------------------------------------------------------- /rules/linux/privilege_escalation_docker_release_file_creation.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2025/04/25" 3 | integration = ["endpoint"] 4 | maturity = "production" 5 | updated_date = "2025/04/25" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | description = """ 10 | This rule detects the creation of files named release_agent or notify_on_release, which are 11 | commonly associated with the abuse of Linux cgroup release mechanisms. 
In Docker or containerized 12 | environments, this behavior may indicate an attempt to exploit privilege escalation vulnerabilities 13 | such as CVE-2022-0492, where attackers use the release_agent feature to execute code on the host 14 | from within a container. 15 | """ 16 | from = "now-9m" 17 | index = ["logs-endpoint.events.file*"] 18 | language = "eql" 19 | license = "Elastic License v2" 20 | name = "Docker Release File Creation" 21 | references = ["https://sysdig.com/blog/detecting-mitigating-cve-2022-0492-sysdig/"] 22 | risk_score = 21 23 | rule_id = "4d4cda2b-9aad-4702-a0a2-75952bd6a77c" 24 | severity = "low" 25 | tags = [ 26 | "Domain: Endpoint", 27 | "Domain: Container", 28 | "OS: Linux", 29 | "Use Case: Threat Detection", 30 | "Tactic: Privilege Escalation", 31 | "Data Source: Elastic Defend", 32 | ] 33 | timestamp_override = "event.ingested" 34 | type = "eql" 35 | query = ''' 36 | file where host.os.type == "linux" and event.type == "creation" and file.name in ("release_agent", "notify_on_release") 37 | ''' 38 | 39 | [[rule.threat]] 40 | framework = "MITRE ATT&CK" 41 | 42 | [[rule.threat.technique]] 43 | id = "T1611" 44 | name = "Escape to Host" 45 | reference = "https://attack.mitre.org/techniques/T1611/" 46 | 47 | [rule.threat.tactic] 48 | id = "TA0004" 49 | name = "Privilege Escalation" 50 | reference = "https://attack.mitre.org/tactics/TA0004/" 51 | -------------------------------------------------------------------------------- /rules_building_block/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/elastic/detection-rules/11468edab646fc583f747680d559251e9291e435/rules_building_block/.gitkeep -------------------------------------------------------------------------------- /rules_building_block/defense_evasion_indirect_command_exec_pcalua_forfiles.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = 
"2023/08/24" 3 | integration = ["endpoint", "windows", "system"] 4 | maturity = "production" 5 | updated_date = "2025/03/20" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | building_block_type = "default" 10 | description = "Identifies indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.\n" 11 | from = "now-119m" 12 | index = [ 13 | "endgame-*", 14 | "logs-endpoint.events.process-*", 15 | "logs-system.security*", 16 | "logs-windows.*", 17 | "winlogbeat-*", 18 | ] 19 | interval = "60m" 20 | language = "eql" 21 | license = "Elastic License v2" 22 | name = "Indirect Command Execution via Forfiles/Pcalua" 23 | risk_score = 21 24 | rule_id = "98843d35-645e-4e66-9d6a-5049acd96ce1" 25 | severity = "low" 26 | tags = [ 27 | "Domain: Endpoint", 28 | "OS: Windows", 29 | "Use Case: Threat Detection", 30 | "Tactic: Defense Evasion", 31 | "Data Source: Elastic Defend", 32 | "Rule Type: BBR", 33 | "Data Source: Elastic Endgame", 34 | "Data Source: Windows Security Event Logs", 35 | ] 36 | timestamp_override = "event.ingested" 37 | type = "eql" 38 | 39 | query = ''' 40 | process where host.os.type == "windows" and event.type == "start" and 41 | process.parent.name : ("pcalua.exe", "forfiles.exe") 42 | ''' 43 | 44 | 45 | [[rule.threat]] 46 | framework = "MITRE ATT&CK" 47 | [[rule.threat.technique]] 48 | id = "T1202" 49 | name = "Indirect Command Execution" 50 | reference = "https://attack.mitre.org/techniques/T1202/" 51 | 52 | 53 | [rule.threat.tactic] 54 | id = "TA0005" 55 | name = "Defense Evasion" 56 | reference = "https://attack.mitre.org/tactics/TA0005/" 57 | 58 | -------------------------------------------------------------------------------- /rules_building_block/discovery_linux_system_information_discovery.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2023/07/10" 3 | integration = ["endpoint", "auditd_manager"] 4 | maturity = "production" 5 | updated_date = 
"2024/05/21" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | building_block_type = "default" 10 | description = "Enrich process events with uname and other command lines that imply Linux system information discovery." 11 | from = "now-119m" 12 | index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] 13 | interval = "60m" 14 | language = "eql" 15 | license = "Elastic License v2" 16 | name = "Linux System Information Discovery" 17 | risk_score = 21 18 | rule_id = "b81bd314-db5b-4d97-82e8-88e3e5fc9de5" 19 | severity = "low" 20 | tags = [ 21 | "Domain: Endpoint", 22 | "OS: Linux", 23 | "Use Case: Threat Detection", 24 | "Tactic: Discovery", 25 | "Rule Type: BBR", 26 | "Data Source: Elastic Defend", 27 | "Data Source: Elastic Endgame", 28 | "Data Source: Auditd Manager", 29 | ] 30 | timestamp_override = "event.ingested" 31 | type = "eql" 32 | 33 | query = ''' 34 | process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and ( 35 | process.name: "uname" or ( 36 | process.name: ("cat", "more", "less") and process.args: ("*issue*", "*version*", "*profile*", "*services*", "*cpuinfo*") 37 | ) 38 | ) 39 | ''' 40 | 41 | 42 | [[rule.threat]] 43 | framework = "MITRE ATT&CK" 44 | [[rule.threat.technique]] 45 | id = "T1082" 46 | name = "System Information Discovery" 47 | reference = "https://attack.mitre.org/techniques/T1082/" 48 | 49 | 50 | [rule.threat.tactic] 51 | id = "TA0007" 52 | name = "Discovery" 53 | reference = "https://attack.mitre.org/tactics/TA0007/" 54 | 55 | -------------------------------------------------------------------------------- /rules_building_block/discovery_system_network_connections.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2023/07/11" 3 | integration = ["endpoint", "auditd_manager"] 4 | maturity = "production" 5 | updated_date = "2024/05/21" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | 
building_block_type = "default" 10 | description = "Adversaries may attempt to get a listing of network connections to or from a compromised system." 11 | from = "now-119m" 12 | index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"] 13 | interval = "60m" 14 | language = "eql" 15 | license = "Elastic License v2" 16 | name = "System Network Connections Discovery" 17 | risk_score = 21 18 | rule_id = "e2dc8f8c-5f16-42fa-b49e-0eb8057f7444" 19 | severity = "low" 20 | tags = [ 21 | "Domain: Endpoint", 22 | "OS: Linux", 23 | "OS: macOS", 24 | "Use Case: Threat Detection", 25 | "Tactic: Discovery", 26 | "Rule Type: BBR", 27 | "Data Source: Elastic Defend", 28 | "Data Source: Elastic Endgame", 29 | "Data Source: Auditd Manager", 30 | ] 31 | timestamp_override = "event.ingested" 32 | type = "eql" 33 | 34 | query = ''' 35 | process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and 36 | process.name in ("netstat", "lsof", "who", "w") 37 | ''' 38 | 39 | 40 | [[rule.threat]] 41 | framework = "MITRE ATT&CK" 42 | [[rule.threat.technique]] 43 | id = "T1049" 44 | name = "System Network Connections Discovery" 45 | reference = "https://attack.mitre.org/techniques/T1049/" 46 | 47 | 48 | [rule.threat.tactic] 49 | id = "TA0007" 50 | name = "Discovery" 51 | reference = "https://attack.mitre.org/tactics/TA0007/" 52 | 53 | -------------------------------------------------------------------------------- /rules_building_block/execution_github_new_event_action_for_pat.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | bypass_bbr_timing = true 3 | creation_date = "2023/10/11" 4 | integration = ["github"] 5 | maturity = "production" 6 | updated_date = "2025/03/20" 7 | 8 | [rule] 9 | author = ["Elastic"] 10 | building_block_type = "default" 11 | description = "Detects a first occurrence event for a personal access token (PAT) not seen in the last 14 
days.\n" 12 | from = "now-9m" 13 | index = ["logs-github.audit-*"] 14 | language = "kuery" 15 | license = "Elastic License v2" 16 | name = "First Occurrence GitHub Event for a Personal Access Token (PAT)" 17 | risk_score = 21 18 | rule_id = "ce08b55a-f67d-4804-92b5-617b0fe5a5b5" 19 | severity = "low" 20 | tags = [ 21 | "Domain: Cloud", 22 | "Use Case: Threat Detection", 23 | "Use Case: UEBA", 24 | "Tactic: Execution", 25 | "Rule Type: BBR", 26 | "Data Source: Github", 27 | ] 28 | timestamp_override = "event.ingested" 29 | type = "new_terms" 30 | 31 | query = ''' 32 | event.dataset:"github.audit" and event.category:"configuration" and 33 | event.action:* and github.hashed_token:* and 34 | github.programmatic_access_type:("OAuth access token" or "Fine-grained personal access token") 35 | ''' 36 | 37 | 38 | [[rule.threat]] 39 | framework = "MITRE ATT&CK" 40 | [[rule.threat.technique]] 41 | id = "T1648" 42 | name = "Serverless Execution" 43 | reference = "https://attack.mitre.org/techniques/T1648/" 44 | 45 | 46 | [rule.threat.tactic] 47 | id = "TA0002" 48 | name = "Execution" 49 | reference = "https://attack.mitre.org/tactics/TA0002/" 50 | 51 | [rule.new_terms] 52 | field = "new_terms_fields" 53 | value = ["github.hashed_token", "event.action"] 54 | [[rule.new_terms.history_window_start]] 55 | field = "history_window_start" 56 | value = "now-14d" 57 | 58 | 59 | -------------------------------------------------------------------------------- /rules_building_block/execution_github_new_repo_interaction_for_user.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | bypass_bbr_timing = true 3 | creation_date = "2023/10/11" 4 | integration = ["github"] 5 | maturity = "production" 6 | updated_date = "2025/03/20" 7 | 8 | [rule] 9 | author = ["Elastic"] 10 | building_block_type = "default" 11 | description = "Detects a new private repo interaction for a GitHub user not seen in the last 14 days.\n" 12 | from = "now-9m" 13 | 
index = ["logs-github.audit-*"] 14 | language = "kuery" 15 | license = "Elastic License v2" 16 | name = "First Occurrence of GitHub User Interaction with Private Repo" 17 | risk_score = 21 18 | rule_id = "01c49712-25bc-49d2-a27d-d7ce52f5dc49" 19 | severity = "low" 20 | tags = [ 21 | "Domain: Cloud", 22 | "Use Case: Threat Detection", 23 | "Use Case: UEBA", 24 | "Tactic: Execution", 25 | "Rule Type: BBR", 26 | "Data Source: Github", 27 | ] 28 | timestamp_override = "event.ingested" 29 | type = "new_terms" 30 | 31 | query = ''' 32 | event.dataset:"github.audit" and event.category:"configuration" and 33 | github.repo:* and user.name:* and 34 | github.repository_public:false 35 | ''' 36 | 37 | 38 | [[rule.threat]] 39 | framework = "MITRE ATT&CK" 40 | [[rule.threat.technique]] 41 | id = "T1648" 42 | name = "Serverless Execution" 43 | reference = "https://attack.mitre.org/techniques/T1648/" 44 | 45 | 46 | [rule.threat.tactic] 47 | id = "TA0002" 48 | name = "Execution" 49 | reference = "https://attack.mitre.org/tactics/TA0002/" 50 | 51 | [rule.new_terms] 52 | field = "new_terms_fields" 53 | value = ["user.name", "github.repo"] 54 | [[rule.new_terms.history_window_start]] 55 | field = "history_window_start" 56 | value = "now-14d" 57 | 58 | 59 | -------------------------------------------------------------------------------- /rules_building_block/execution_github_repo_created.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | bypass_bbr_timing = true 3 | creation_date = "2023/10/11" 4 | integration = ["github"] 5 | maturity = "production" 6 | updated_date = "2025/03/20" 7 | 8 | [rule] 9 | author = ["Elastic"] 10 | building_block_type = "default" 11 | description = "A new GitHub repository was created.\n" 12 | from = "now-9m" 13 | index = ["logs-github.audit-*"] 14 | language = "eql" 15 | license = "Elastic License v2" 16 | name = "GitHub Repo Created" 17 | risk_score = 21 18 | rule_id = 
"6cea88e4-6ce2-4238-9981-a54c140d6336" 19 | severity = "low" 20 | tags = [ 21 | "Domain: Cloud", 22 | "Use Case: Threat Detection", 23 | "Use Case: UEBA", 24 | "Tactic: Execution", 25 | "Rule Type: BBR", 26 | "Data Source: Github", 27 | ] 28 | timestamp_override = "event.ingested" 29 | type = "eql" 30 | 31 | query = ''' 32 | configuration where event.dataset == "github.audit" and event.action == "repo.create" 33 | ''' 34 | 35 | 36 | [[rule.threat]] 37 | framework = "MITRE ATT&CK" 38 | [[rule.threat.technique]] 39 | id = "T1648" 40 | name = "Serverless Execution" 41 | reference = "https://attack.mitre.org/techniques/T1648/" 42 | 43 | 44 | [rule.threat.tactic] 45 | id = "TA0002" 46 | name = "Execution" 47 | reference = "https://attack.mitre.org/tactics/TA0002/" 48 | 49 | -------------------------------------------------------------------------------- /rules_building_block/execution_github_repo_interaction_from_new_ip.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | bypass_bbr_timing = true 3 | creation_date = "2023/10/11" 4 | integration = ["github"] 5 | maturity = "production" 6 | updated_date = "2025/03/20" 7 | 8 | [rule] 9 | author = ["Elastic"] 10 | building_block_type = "default" 11 | description = "Detects an interaction with a private GitHub repository from a new IP address not seen in the last 14 days.\n" 12 | from = "now-9m" 13 | index = ["logs-github.audit-*"] 14 | language = "kuery" 15 | license = "Elastic License v2" 16 | name = "First Occurrence of GitHub Repo Interaction From a New IP" 17 | risk_score = 21 18 | rule_id = "0294f105-d7af-4a02-ae90-35f56763ffa2" 19 | severity = "low" 20 | tags = [ 21 | "Domain: Cloud", 22 | "Use Case: Threat Detection", 23 | "Use Case: UEBA", 24 | "Tactic: Execution", 25 | "Rule Type: BBR", 26 | "Data Source: Github", 27 | ] 28 | timestamp_override = "event.ingested" 29 | type = "new_terms" 30 | 31 | query = ''' 32 | event.dataset:"github.audit" and 
event.category:"configuration" and 33 | github.actor_ip:* and github.repo:* and 34 | github.repository_public:false 35 | ''' 36 | 37 | 38 | [[rule.threat]] 39 | framework = "MITRE ATT&CK" 40 | [[rule.threat.technique]] 41 | id = "T1648" 42 | name = "Serverless Execution" 43 | reference = "https://attack.mitre.org/techniques/T1648/" 44 | 45 | 46 | [rule.threat.tactic] 47 | id = "TA0002" 48 | name = "Execution" 49 | reference = "https://attack.mitre.org/tactics/TA0002/" 50 | 51 | [rule.new_terms] 52 | field = "new_terms_fields" 53 | value = ["github.repo", "github.actor_ip"] 54 | [[rule.new_terms.history_window_start]] 55 | field = "history_window_start" 56 | value = "now-14d" 57 | 58 | 59 | -------------------------------------------------------------------------------- /rules_building_block/execution_wmi_wbemtest.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2023/08/24" 3 | integration = ["endpoint", "windows", "system"] 4 | maturity = "production" 5 | updated_date = "2025/03/20" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | building_block_type = "default" 10 | description = """ 11 | Adversaries may abuse the WMI diagnostic tool, wbemtest.exe, to enumerate WMI object instances or invoke methods against 12 | local or remote endpoints. 
13 | """ 14 | from = "now-119m" 15 | index = [ 16 | "endgame-*", 17 | "logs-endpoint.events.process-*", 18 | "logs-system.security*", 19 | "logs-windows.*", 20 | "winlogbeat-*", 21 | ] 22 | interval = "60m" 23 | language = "eql" 24 | license = "Elastic License v2" 25 | name = "WMI WBEMTEST Utility Execution" 26 | risk_score = 21 27 | rule_id = "d3551433-782f-4e22-bbea-c816af2d41c6" 28 | severity = "low" 29 | tags = [ 30 | "Domain: Endpoint", 31 | "OS: Windows", 32 | "Use Case: Threat Detection", 33 | "Tactic: Execution", 34 | "Data Source: Elastic Defend", 35 | "Rule Type: BBR", 36 | "Data Source: Elastic Endgame", 37 | "Data Source: Windows Security Event Logs", 38 | ] 39 | timestamp_override = "event.ingested" 40 | type = "eql" 41 | 42 | query = ''' 43 | process where host.os.type == "windows" and event.type == "start" and process.name : "wbemtest.exe" 44 | ''' 45 | 46 | 47 | [[rule.threat]] 48 | framework = "MITRE ATT&CK" 49 | [[rule.threat.technique]] 50 | id = "T1047" 51 | name = "Windows Management Instrumentation" 52 | reference = "https://attack.mitre.org/techniques/T1047/" 53 | 54 | 55 | [rule.threat.tactic] 56 | id = "TA0002" 57 | name = "Execution" 58 | reference = "https://attack.mitre.org/tactics/TA0002/" 59 | 60 | -------------------------------------------------------------------------------- /rules_building_block/impact_github_member_removed_from_organization.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | bypass_bbr_timing = true 3 | creation_date = "2023/10/11" 4 | integration = ["github"] 5 | maturity = "production" 6 | updated_date = "2025/03/20" 7 | 8 | [rule] 9 | author = ["Elastic"] 10 | building_block_type = "default" 11 | description = "A member was removed or their invitation to join was removed from a GitHub Organization.\n" 12 | from = "now-9m" 13 | index = ["logs-github.audit-*"] 14 | language = "eql" 15 | license = "Elastic License v2" 16 | name = "Member Removed From GitHub 
Organization" 17 | risk_score = 21 18 | rule_id = "095b6a58-8f88-4b59-827c-ab584ad4e759" 19 | severity = "low" 20 | tags = [ 21 | "Domain: Cloud", 22 | "Use Case: Threat Detection", 23 | "Use Case: UEBA", 24 | "Tactic: Impact", 25 | "Rule Type: BBR", 26 | "Data Source: Github", 27 | ] 28 | timestamp_override = "event.ingested" 29 | type = "eql" 30 | 31 | query = ''' 32 | configuration where event.dataset == "github.audit" and event.action == "org.remove_member" 33 | ''' 34 | 35 | 36 | [[rule.threat]] 37 | framework = "MITRE ATT&CK" 38 | [[rule.threat.technique]] 39 | id = "T1531" 40 | name = "Account Access Removal" 41 | reference = "https://attack.mitre.org/techniques/T1531/" 42 | 43 | 44 | [rule.threat.tactic] 45 | id = "TA0040" 46 | name = "Impact" 47 | reference = "https://attack.mitre.org/tactics/TA0040/" 48 | 49 | -------------------------------------------------------------------------------- /rules_building_block/impact_github_pat_access_revoked.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | bypass_bbr_timing = true 3 | creation_date = "2023/10/11" 4 | integration = ["github"] 5 | maturity = "production" 6 | updated_date = "2025/03/20" 7 | 8 | [rule] 9 | author = ["Elastic"] 10 | building_block_type = "default" 11 | description = "Access to private GitHub organization resources was revoked for a PAT.\n" 12 | from = "now-9m" 13 | index = ["logs-github.audit-*"] 14 | language = "eql" 15 | license = "Elastic License v2" 16 | name = "GitHub PAT Access Revoked" 17 | risk_score = 21 18 | rule_id = "8a0fd93a-7df8-410d-8808-4cc5e340f2b9" 19 | severity = "low" 20 | tags = [ 21 | "Domain: Cloud", 22 | "Use Case: Threat Detection", 23 | "Use Case: UEBA", 24 | "Tactic: Impact", 25 | "Rule Type: BBR", 26 | "Data Source: Github", 27 | ] 28 | timestamp_override = "event.ingested" 29 | type = "eql" 30 | 31 | query = ''' 32 | configuration where event.dataset == "github.audit" and event.action == 
"personal_access_token.access_revoked" 33 | ''' 34 | 35 | 36 | [[rule.threat]] 37 | framework = "MITRE ATT&CK" 38 | [[rule.threat.technique]] 39 | id = "T1531" 40 | name = "Account Access Removal" 41 | reference = "https://attack.mitre.org/techniques/T1531/" 42 | 43 | 44 | [rule.threat.tactic] 45 | id = "TA0040" 46 | name = "Impact" 47 | reference = "https://attack.mitre.org/tactics/TA0040/" 48 | 49 | -------------------------------------------------------------------------------- /rules_building_block/impact_github_user_blocked_from_organization.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | bypass_bbr_timing = true 3 | creation_date = "2023/10/11" 4 | integration = ["github"] 5 | maturity = "production" 6 | updated_date = "2025/03/20" 7 | 8 | [rule] 9 | author = ["Elastic"] 10 | building_block_type = "default" 11 | description = "A GitHub user was blocked from access to an organization.\n" 12 | from = "now-9m" 13 | index = ["logs-github.audit-*"] 14 | language = "eql" 15 | license = "Elastic License v2" 16 | name = "GitHub User Blocked From Organization" 17 | risk_score = 21 18 | rule_id = "4030c951-448a-4017-a2da-ed60f6d14f4f" 19 | severity = "low" 20 | tags = [ 21 | "Domain: Cloud", 22 | "Use Case: Threat Detection", 23 | "Use Case: UEBA", 24 | "Tactic: Impact", 25 | "Rule Type: BBR", 26 | "Data Source: Github", 27 | ] 28 | timestamp_override = "event.ingested" 29 | type = "eql" 30 | 31 | query = ''' 32 | configuration where event.dataset == "github.audit" and event.action == "org.block_user" 33 | ''' 34 | 35 | 36 | [[rule.threat]] 37 | framework = "MITRE ATT&CK" 38 | [[rule.threat.technique]] 39 | id = "T1531" 40 | name = "Account Access Removal" 41 | reference = "https://attack.mitre.org/techniques/T1531/" 42 | 43 | 44 | [rule.threat.tactic] 45 | id = "TA0040" 46 | name = "Impact" 47 | reference = "https://attack.mitre.org/tactics/TA0040/" 48 | 49 | 
-------------------------------------------------------------------------------- /rules_building_block/initial_access_github_new_ip_address_for_user.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | bypass_bbr_timing = true 3 | creation_date = "2023/10/11" 4 | integration = ["github"] 5 | maturity = "production" 6 | updated_date = "2025/03/20" 7 | 8 | [rule] 9 | author = ["Elastic"] 10 | building_block_type = "default" 11 | description = "Detects activity by a GitHub user from an IP address that has not been seen for that user in the last 14 days.\n" 12 | from = "now-9m" 13 | index = ["logs-github.audit-*"] 14 | language = "kuery" 15 | license = "Elastic License v2" 16 | name = "First Occurrence of IP Address For GitHub User" 17 | risk_score = 21 18 | rule_id = "3af4cb9b-973f-4c54-be2b-7623c0e21b2b" 19 | severity = "low" 20 | tags = [ 21 | "Domain: Cloud", 22 | "Use Case: Threat Detection", 23 | "Use Case: UEBA", 24 | "Tactic: Initial Access", 25 | "Rule Type: BBR", 26 | "Data Source: Github", 27 | ] 28 | timestamp_override = "event.ingested" 29 | type = "new_terms" 30 | 31 | query = ''' 32 | event.dataset:"github.audit" and event.category:"configuration" and 33 | github.actor_ip:* and user.name:* 34 | ''' 35 | 36 | 37 | [[rule.threat]] 38 | framework = "MITRE ATT&CK" 39 | [[rule.threat.technique]] 40 | id = "T1078" 41 | name = "Valid Accounts" 42 | reference = "https://attack.mitre.org/techniques/T1078/" 43 | [[rule.threat.technique.subtechnique]] 44 | id = "T1078.004" 45 | name = "Cloud Accounts" 46 | reference = "https://attack.mitre.org/techniques/T1078/004/" 47 | 48 | 49 | 50 | [rule.threat.tactic] 51 | id = "TA0001" 52 | name = "Initial Access" 53 | reference = "https://attack.mitre.org/tactics/TA0001/" 54 | 55 | [rule.new_terms] 56 | field = "new_terms_fields" 57 | value = ["user.name", "github.actor_ip"] 58 | [[rule.new_terms.history_window_start]] 59 | field = "history_window_start" 60 | value = "now-14d" 61 | 62 | 63 | 
-------------------------------------------------------------------------------- /rules_building_block/persistence_creation_of_kernel_module.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2023/08/23" 3 | integration = ["endpoint"] 4 | maturity = "production" 5 | updated_date = "2024/05/21" 6 | 7 | [rule] 8 | author = ["Elastic"] 9 | building_block_type = "default" 10 | description = "Identifies activity related to loading kernel modules on Linux via the creation of new .ko files in the loadable kernel module (LKM) directory.\n" 11 | from = "now-119m" 12 | index = ["logs-endpoint.events.*", "endgame-*"] 13 | interval = "60m" 14 | language = "eql" 15 | license = "Elastic License v2" 16 | name = "Creation of Kernel Module" 17 | risk_score = 21 18 | rule_id = "947827c6-9ed6-4dec-903e-c856c86e72f3" 19 | severity = "low" 20 | tags = [ 21 | "Domain: Endpoint", 22 | "OS: Linux", 23 | "Use Case: Threat Detection", 24 | "Tactic: Persistence", 25 | "Rule Type: BBR", 26 | "Data Source: Elastic Defend", 27 | "Data Source: Elastic Endgame", 28 | ] 29 | timestamp_override = "event.ingested" 30 | type = "eql" 31 | 32 | query = ''' 33 | file where host.os.type == "linux" and event.type in ("change", "creation") and file.path : "/lib/modules/*" and 34 | file.extension == "ko" and not process.name : ( 35 | "dpkg", "systemd", "falcon-sensor*", "dnf", "yum", "rpm", "cp" 36 | ) 37 | ''' 38 | 39 | 40 | [[rule.threat]] 41 | framework = "MITRE ATT&CK" 42 | [[rule.threat.technique]] 43 | id = "T1547" 44 | name = "Boot or Logon Autostart Execution" 45 | reference = "https://attack.mitre.org/techniques/T1547/" 46 | [[rule.threat.technique.subtechnique]] 47 | id = "T1547.006" 48 | name = "Kernel Modules and Extensions" 49 | reference = "https://attack.mitre.org/techniques/T1547/006/" 50 | 51 | 52 | 53 | [rule.threat.tactic] 54 | id = "TA0003" 55 | name = "Persistence" 56 | reference = "https://attack.mitre.org/tactics/TA0003/" 57 | 58 | 
-------------------------------------------------------------------------------- /rules_building_block/persistence_github_new_user_added_to_organization.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | bypass_bbr_timing = true 3 | creation_date = "2023/10/11" 4 | integration = ["github"] 5 | maturity = "production" 6 | updated_date = "2025/03/20" 7 | 8 | [rule] 9 | author = ["Elastic"] 10 | building_block_type = "default" 11 | description = "A new user was added to a GitHub organization.\n" 12 | from = "now-9m" 13 | index = ["logs-github.audit-*"] 14 | language = "eql" 15 | license = "Elastic License v2" 16 | name = "New User Added To GitHub Organization" 17 | risk_score = 21 18 | rule_id = "61336fe6-c043-4743-ab6e-41292f439603" 19 | severity = "low" 20 | tags = [ 21 | "Domain: Cloud", 22 | "Use Case: Threat Detection", 23 | "Use Case: UEBA", 24 | "Tactic: Persistence", 25 | "Rule Type: BBR", 26 | "Data Source: Github", 27 | ] 28 | timestamp_override = "event.ingested" 29 | type = "eql" 30 | 31 | query = ''' 32 | configuration where event.dataset == "github.audit" and event.action == "org.add_member" 33 | ''' 34 | 35 | 36 | [[rule.threat]] 37 | framework = "MITRE ATT&CK" 38 | [[rule.threat.technique]] 39 | id = "T1098" 40 | name = "Account Manipulation" 41 | reference = "https://attack.mitre.org/techniques/T1098/" 42 | [[rule.threat.technique.subtechnique]] 43 | id = "T1098.001" 44 | name = "Additional Cloud Credentials" 45 | reference = "https://attack.mitre.org/techniques/T1098/001/" 46 | 47 | 48 | 49 | [rule.threat.tactic] 50 | id = "TA0003" 51 | name = "Persistence" 52 | reference = "https://attack.mitre.org/tactics/TA0003/" 53 | 54 | -------------------------------------------------------------------------------- /tests/data/__init__.py: -------------------------------------------------------------------------------- 1 | # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. 
under one 2 | # or more contributor license agreements. Licensed under the Elastic License 3 | # 2.0; you may not use this file except in compliance with the Elastic License 4 | # 2.0. 5 | -------------------------------------------------------------------------------- /tests/data/command_control_dummy_production_rule.toml: -------------------------------------------------------------------------------- 1 | [metadata] 2 | creation_date = "2023/11/20" 3 | integration = ["endpoint"] 4 | maturity = "production" 5 | min_stack_comments = "ES|QL Rule" 6 | min_stack_version = "8.11.0" 7 | updated_date = "2023/11/20" 8 | 9 | [rule] 10 | author = ["Elastic"] 11 | description = """ 12 | Sample ES|QL rule for unit tests. 13 | """ 14 | from = "now-9m" 15 | language = "esql" 16 | license = "Elastic License v2" 17 | name = "Sample ES|QL rule for unit tests" 18 | risk_score = 47 19 | rule_id = "24220495-cffe-45a1-996c-37b599ba0e43" 20 | severity = "medium" 21 | tags = ["Data Source: Elastic Endpoint", "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Command and Control", "Data Source: Elastic Defend"] 22 | timestamp_override = "event.ingested" 23 | type = "esql" 24 | query = ''' 25 | from .ds-logs-endpoint.events.process-default-* 26 | | where event.action == "start" and process.code_signature.subject_name like "Microsoft*" and process.parent.name in ("winword.exe", "WINWORD.EXE", "EXCEL.EXE", "excel.exe") 27 | | eval process_path = replace(process.executable, """[cC]:\\[uU][sS][eE][rR][sS]\\[a-zA-Z0-9\.\-\_\$]+\\""", "C:\\\\users\\\\user\\\\") 28 | | stats cc = count(*) by process_path, process.parent.name | where cc <= 5 29 | ''' 30 | 31 | [[rule.threat]] 32 | framework = "MITRE ATT&CK" 33 | 34 | [rule.threat.tactic] 35 | id = "TA0011" 36 | name = "Command and Control" 37 | reference = "https://attack.mitre.org/tactics/TA0011/" 38 | -------------------------------------------------------------------------------- /tests/kuery/__init__.py: 
-------------------------------------------------------------------------------- 1 | # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one 2 | # or more contributor license agreements. Licensed under the Elastic License 3 | # 2.0; you may not use this file except in compliance with the Elastic License 4 | # 2.0. 5 | 6 | """KQL unit tests.""" 7 | -------------------------------------------------------------------------------- /tests/test_gh_workflows.py: -------------------------------------------------------------------------------- 1 | # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one 2 | # or more contributor license agreements. Licensed under the Elastic License 3 | # 2.0; you may not use this file except in compliance with the Elastic License 4 | # 2.0. 5 | 6 | """Tests for GitHub workflow functionality.""" 7 | 8 | import unittest 9 | from pathlib import Path 10 | 11 | import yaml 12 | 13 | from detection_rules.schemas import get_stack_versions, RULES_CONFIG 14 | from detection_rules.utils import get_path 15 | 16 | GITHUB_FILES = Path(get_path()) / '.github' 17 | GITHUB_WORKFLOWS = GITHUB_FILES / 'workflows' 18 | 19 | 20 | class TestWorkflows(unittest.TestCase): 21 | """Test GitHub workflow functionality.""" 22 | 23 | @unittest.skipIf(RULES_CONFIG.bypass_version_lock, 'Version lock bypassed') 24 | def test_matrix_to_lock_version_defaults(self): 25 | """Test that the default versions in the lock-versions workflow mirror those from the schema-map.""" 26 | lock_workflow_file = GITHUB_WORKFLOWS / 'lock-versions.yml' 27 | lock_workflow = yaml.safe_load(lock_workflow_file.read_text()) 28 | lock_versions = lock_workflow[True]['workflow_dispatch']['inputs']['branches']['default'].split(',') 29 | 30 | matrix_versions = get_stack_versions(drop_patch=True) 31 | err_msg = 'lock-versions workflow default does not match current matrix in stack-schema-map' 32 | self.assertListEqual(lock_versions, matrix_versions[:-1], 
err_msg) 33 | -------------------------------------------------------------------------------- /tests/test_rules_remote.py: -------------------------------------------------------------------------------- 1 | # Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one 2 | # or more contributor license agreements. Licensed under the Elastic License 3 | # 2.0; you may not use this file except in compliance with the Elastic License 4 | # 2.0. 5 | 6 | import unittest 7 | 8 | from .base import BaseRuleTest 9 | from detection_rules.misc import get_default_config 10 | # from detection_rules.remote_validation import RemoteValidator 11 | 12 | 13 | @unittest.skipIf(get_default_config() is None, 'Skipping remote validation due to missing config') 14 | class TestRemoteRules(BaseRuleTest): 15 | """Test rules against a remote Elastic stack instance.""" 16 | 17 | # def test_esql_rules(self): 18 | # """Temporarily explicitly test all ES|QL rules remotely pending parsing lib.""" 19 | # esql_rules = [r for r in self.all_rules if r.contents.data.type == 'esql'] 20 | # rv = RemoteValidator(parse_config=True) 21 | # rv.validate_rules(esql_rules) 22 | --------------------------------------------------------------------------------