From 1d3e7ddae2155c244f21b897496da34e8f2b372a Mon Sep 17 00:00:00 2001 
From: Mika Ayenson
Date: Thu, 27 Jul 2023 11:58:01 -0500
Subject: [PATCH 01/14] update 8.8 docs

---
 ...ebuilt-rules-downloadable-updates.asciidoc | 3 +- .../prebuilt-rules-reference.asciidoc | 1718 ++++++++++------- .../prebuilt-rules/rule-desc-index.asciidoc | 187 +- .../a-scheduled-task-was-created.asciidoc | 73 +- .../a-scheduled-task-was-updated.asciidoc | 85 +- ...l-process-id-or-lock-file-created.asciidoc | 136 +- .../abnormally-large-dns-response.asciidoc | 100 +- ...ed-default-telnet-port-connection.asciidoc | 113 +- ...ess-of-stored-browser-credentials.asciidoc | 101 +- ...ess-to-a-sensitive-ldap-attribute.asciidoc | 69 +- ...-keychain-credentials-directories.asciidoc | 143 +- ...ured-with-never-expiring-password.asciidoc | 82 +- ...covery-command-via-system-account.asciidoc | 175 +- ...roup-discovery-via-built-in-tools.asciidoc | 86 + .../account-password-reset-remotely.asciidoc | 121 +- ...-hidden-file-attribute-via-attrib.asciidoc | 166 +- .../adfind-command-activity.asciidoc | 169 +- ...vileges-assigned-to-an-okta-group.asciidoc | 71 +- ...tor-role-assigned-to-an-okta-user.asciidoc | 62 +- .../adminsdholder-backdoor.asciidoc | 50 +- ...insdholder-sdprop-exclusion-added.asciidoc | 98 +- .../adobe-hijack-persistence.asciidoc | 153 +- ...behavior-detected-elastic-endgame.asciidoc | 63 +- ...gent-spoofing-mismatched-agent-id.asciidoc | 43 +- ...g-multiple-hosts-using-same-agent.asciidoc | 40 +- ...anomalous-linux-compiler-activity.asciidoc | 56 +- ...us-process-for-a-linux-population.asciidoc | 114 +- ...-process-for-a-windows-population.asciidoc | 145 +- ...nomalous-windows-process-creation.asciidoc | 121 +- ...on-followed-by-network-connection.asciidoc | 86 +- ...ion-with-administrator-privileges.asciidoc | 56 +- ...-added-to-google-workspace-domain.asciidoc | 128 +- ...rom-blocklist-in-google-workspace.asciidoc | 104 +- .../attempt-to-create-okta-api-token.asciidoc | 72 +- ...to-deactivate-an-okta-application.asciidoc | 91 +- 
...o-deactivate-an-okta-network-zone.asciidoc | 93 +- ...to-deactivate-an-okta-policy-rule.asciidoc | 112 +- ...empt-to-deactivate-an-okta-policy.asciidoc | 111 +- ...vate-mfa-for-an-okta-user-account.asciidoc | 72 +- ...mpt-to-delete-an-okta-application.asciidoc | 64 +- ...pt-to-delete-an-okta-network-zone.asciidoc | 93 +- ...mpt-to-delete-an-okta-policy-rule.asciidoc | 100 +- .../attempt-to-delete-an-okta-policy.asciidoc | 111 +- .../attempt-to-disable-gatekeeper.asciidoc | 54 +- ...t-to-disable-iptables-or-firewall.asciidoc | 77 + ...attempt-to-disable-syslog-service.asciidoc | 83 +- ...ttempt-to-enable-the-root-account.asciidoc | 49 +- ...mpt-to-install-kali-linux-via-wsl.asciidoc | 71 + ...tempt-to-install-root-certificate.asciidoc | 62 +- ...mpt-to-modify-an-okta-application.asciidoc | 64 +- ...pt-to-modify-an-okta-network-zone.asciidoc | 124 +- ...mpt-to-modify-an-okta-policy-rule.asciidoc | 119 +- .../attempt-to-modify-an-okta-policy.asciidoc | 102 +- ...-mount-smb-share-via-command-line.asciidoc | 75 +- ...-remove-file-quarantine-attribute.asciidoc | 87 +- ...-factors-for-an-okta-user-account.asciidoc | 72 +- .../attempt-to-revoke-okta-api-token.asciidoc | 94 +- ...ndpoint-security-kernel-extension.asciidoc | 55 +- .../attempted-bypass-of-okta-mfa.asciidoc | 106 +- ...orce-a-microsoft-365-user-account.asciidoc | 109 +- ...-brute-force-an-okta-user-account.asciidoc | 99 +- ...authorization-plugin-modification.asciidoc | 60 +- .../aws-cloudtrail-log-created.asciidoc | 78 +- .../aws-cloudtrail-log-deleted.asciidoc | 114 +- .../aws-cloudtrail-log-suspended.asciidoc | 111 +- .../aws-cloudtrail-log-updated.asciidoc | 115 +- .../aws-cloudwatch-alarm-deletion.asciidoc | 103 +- ...aws-cloudwatch-log-group-deletion.asciidoc | 117 +- ...ws-cloudwatch-log-stream-deletion.asciidoc | 117 +- .../aws-config-resource-deletion.asciidoc | 116 +- ...ws-configuration-recorder-stopped.asciidoc | 79 +- ...s-searched-for-inside-a-container.asciidoc | 70 + 
...letion-of-rds-instance-or-cluster.asciidoc | 97 +- .../aws-ec2-encryption-disabled.asciidoc | 79 +- ...l-network-packet-capture-detected.asciidoc | 71 +- ...work-access-control-list-creation.asciidoc | 80 +- ...work-access-control-list-deletion.asciidoc | 84 +- .../aws-ec2-snapshot-activity.asciidoc | 101 +- .../aws-ec2-vm-export-failure.asciidoc | 58 +- ...-efs-file-system-or-mount-deleted.asciidoc | 70 +- ...lasticache-security-group-created.asciidoc | 69 +- ...ecurity-group-modified-or-deleted.asciidoc | 74 +- ...ntbridge-rule-disabled-or-deleted.asciidoc | 69 +- .../aws-execution-via-system-manager.asciidoc | 111 +- .../aws-guardduty-detector-deletion.asciidoc | 82 +- ...aws-iam-assume-role-policy-update.asciidoc | 102 +- ...brute-force-of-assume-role-policy.asciidoc | 111 +- ...ws-iam-deactivation-of-mfa-device.asciidoc | 97 +- .../aws-iam-group-creation.asciidoc | 82 +- .../aws-iam-group-deletion.asciidoc | 74 +- ...s-iam-password-recovery-requested.asciidoc | 75 +- .../aws-iam-user-addition-to-group.asciidoc | 103 +- ...isabled-or-scheduled-for-deletion.asciidoc | 41 +- ...brute-force-of-root-user-identity.asciidoc | 61 +- ...aws-management-console-root-login.asciidoc | 100 +- .../aws-rds-cluster-creation.asciidoc | 82 +- ...aws-rds-instance-cluster-stoppage.asciidoc | 74 +- .../aws-rds-instance-creation.asciidoc | 62 +- .../aws-rds-security-group-creation.asciidoc | 64 +- .../aws-rds-security-group-deletion.asciidoc | 60 +- .../aws-rds-snapshot-export.asciidoc | 56 +- .../aws-rds-snapshot-restored.asciidoc | 68 +- .../aws-redshift-cluster-creation.asciidoc | 55 +- .../aws-root-login-without-mfa.asciidoc | 106 +- ...-53-domain-transfer-lock-disabled.asciidoc | 57 +- ...in-transferred-to-another-account.asciidoc | 58 +- .../aws-route-table-created.asciidoc | 71 +- ...s-route-table-modified-or-deleted.asciidoc | 65 +- ...hosted-zone-associated-with-a-vpc.asciidoc | 61 +- ...-s3-bucket-configuration-deletion.asciidoc | 82 +- 
.../rule-details/aws-saml-activity.asciidoc | 70 +- ...up-configuration-change-detection.asciidoc | 93 +- ...oken-service-sts-assumerole-usage.asciidoc | 76 +- .../aws-sts-getsessiontoken-abuse.asciidoc | 69 +- .../aws-vpc-flow-logs-deletion.asciidoc | 111 +- ...-waf-access-control-list-deletion.asciidoc | 82 +- ...s-waf-rule-or-rule-group-deletion.asciidoc | 92 +- ...ctive-directory-high-risk-sign-in.asciidoc | 85 +- ...-high-risk-user-sign-in-heuristic.asciidoc | 72 +- ...tive-directory-powershell-sign-in.asciidoc | 98 +- ...lobal-administrator-role-assigned.asciidoc | 63 +- ...pression-rule-created-or-modified.asciidoc | 65 +- ...plication-credential-modification.asciidoc | 67 +- .../azure-automation-account-created.asciidoc | 80 +- ...ation-runbook-created-or-modified.asciidoc | 87 +- .../azure-automation-runbook-deleted.asciidoc | 95 +- .../azure-automation-webhook-created.asciidoc | 83 +- ...ntainer-access-level-modification.asciidoc | 82 +- ...ure-blob-permissions-modification.asciidoc | 70 +- ...mand-execution-on-virtual-machine.asciidoc | 80 +- ...onditional-access-policy-modified.asciidoc | 82 +- ...zure-diagnostic-settings-deletion.asciidoc | 83 +- ...orization-rule-created-or-updated.asciidoc | 84 +- .../azure-event-hub-deletion.asciidoc | 87 +- ...re-external-guest-user-invitation.asciidoc | 77 +- .../azure-firewall-policy-deletion.asciidoc | 86 +- ...ation-firewall-waf-policy-deleted.asciidoc | 61 +- ...l-network-packet-capture-detected.asciidoc | 70 +- ...strator-role-addition-to-pim-user.asciidoc | 87 +- .../azure-key-vault-modified.asciidoc | 83 +- .../azure-kubernetes-events-deleted.asciidoc | 75 +- .../azure-kubernetes-pods-deleted.asciidoc | 66 +- ...e-kubernetes-rolebindings-created.asciidoc | 66 +- .../azure-network-watcher-deletion.asciidoc | 86 +- ...identity-management-role-modified.asciidoc | 98 +- .../azure-resource-group-deletion.asciidoc | 86 +- .../azure-service-principal-addition.asciidoc | 95 +- 
...rvice-principal-credentials-added.asciidoc | 63 +- ...e-storage-account-key-regenerated.asciidoc | 80 +- ...etwork-device-modified-or-deleted.asciidoc | 108 +- ...base32-encoding-decoding-activity.asciidoc | 75 +- .../bash-shell-profile-modification.asciidoc | 90 +- ...uted-from-shared-memory-directory.asciidoc | 81 +- .../bpf-filter-applied-using-tc.asciidoc | 53 +- .../bypass-uac-via-event-viewer.asciidoc | 179 +- .../bypass-uac-via-sdclt.asciidoc | 78 + .../chkconfig-service-add.asciidoc | 63 +- .../clearing-windows-console-history.asciidoc | 109 +- .../clearing-windows-event-logs.asciidoc | 178 +- ...strike-command-and-control-beacon.asciidoc | 83 +- ...dification-through-built-in-tools.asciidoc | 124 ++ ...icy-modification-through-registry.asciidoc | 127 ++ ...-execution-via-solarwinds-process.asciidoc | 94 +- ...command-prompt-network-connection.asciidoc | 166 +- ...ell-activity-started-via-rundll32.asciidoc | 99 +- .../component-object-model-hijacking.asciidoc | 251 +-- ...ion-dll-loaded-by-unusual-process.asciidoc | 68 + ...wned-by-suspicious-parent-process.asciidoc | 129 +- ...ed-free-ssl-certificate-providers.asciidoc | 97 +- ...n-to-commonly-abused-web-services.asciidoc | 362 +--- ...on-to-external-network-via-telnet.asciidoc | 101 +- ...on-to-internal-network-via-telnet.asciidoc | 101 +- ...nt-utility-run-inside-a-container.asciidoc | 60 + .../container-workload-protection.asciidoc | 45 + ...el-process-with-unusual-arguments.asciidoc | 106 +- ...on-of-a-hidden-local-user-account.asciidoc | 79 +- ...s-and-directories-via-commandline.asciidoc | 97 +- ...-of-hidden-launch-agent-or-daemon.asciidoc | 84 +- ...idden-login-item-via-apple-script.asciidoc | 63 +- ...tion-of-hidden-shared-object-file.asciidoc | 54 +- ...new-gpo-scheduled-task-or-service.asciidoc | 93 +- ...f-domain-backup-dpapi-private-key.asciidoc | 87 +- ...-modification-of-root-certificate.asciidoc | 165 +- ...isition-via-registry-hive-dumping.asciidoc | 133 +- 
...-dumping-detected-elastic-endgame.asciidoc | 66 +- ...dumping-prevented-elastic-endgame.asciidoc | 66 +- ...pulation-detected-elastic-endgame.asciidoc | 64 +- ...ulation-prevented-elastic-endgame.asciidoc | 64 +- ...ged-by-previously-unknown-process.asciidoc | 95 + ...-privileged-access-security-error.asciidoc | 52 +- ...cess-security-recommended-monitor.asciidoc | 60 +- ...lt-strike-team-server-certificate.asciidoc | 88 +- ...te-volume-usn-journal-with-fsutil.asciidoc | 146 +- ...ting-backup-catalogs-with-wbadmin.asciidoc | 131 +- .../direct-outbound-smb-connection.asciidoc | 177 +- ...ecurity-logs-using-built-in-tools.asciidoc | 141 +- ...-windows-firewall-rules-via-netsh.asciidoc | 137 +- ...control-via-registry-modification.asciidoc | 124 +- ...-security-settings-via-powershell.asciidoc | 108 +- ...s-over-https-enabled-via-registry.asciidoc | 70 +- .../rule-details/dns-tunneling.asciidoc | 51 +- ...-google-workspace-trusted-domains.asciidoc | 129 +- .../downloaded-shortcut-files.asciidoc | 88 + .../downloaded-url-files.asciidoc | 83 + ...ount-hashes-via-built-in-commands.asciidoc | 46 +- ...hain-content-via-security-command.asciidoc | 54 +- .../rule-details/dynamic-linker-copy.asciidoc | 55 +- .../eggshell-backdoor-execution.asciidoc | 50 +- .../elastic-agent-service-terminated.asciidoc | 116 +- ...nd-rules-creation-or-modification.asciidoc | 65 +- ...-host-network-discovery-via-netsh.asciidoc | 90 +- ...executable-stored-in-the-registry.asciidoc | 65 +- ...ncrypting-files-with-winrar-or-7z.asciidoc | 130 +- .../rule-details/endpoint-security.asciidoc | 37 +- ...ing-domain-trusts-via-dsquery-exe.asciidoc | 110 ++ ...ting-domain-trusts-via-nltest-exe.asciidoc | 112 ++ ...tion-command-spawned-via-wmiprvse.asciidoc | 122 +- ...eration-of-administrator-accounts.asciidoc | 148 +- ...ration-of-kernel-modules-via-proc.asciidoc | 82 + .../enumeration-of-kernel-modules.asciidoc | 73 +- ...rivileged-local-groups-membership.asciidoc | 222 +-- 
...s-or-groups-via-built-in-commands.asciidoc | 140 +- .../esxi-discovery-via-find.asciidoc | 61 + .../esxi-discovery-via-grep.asciidoc | 62 + ...-timestomping-using-touch-command.asciidoc | 65 + ...nge-mailbox-export-via-powershell.asciidoc | 121 ++ ...creation-with-multiple-extensions.asciidoc | 98 +- ...om-unusual-directory-command-line.asciidoc | 522 ++--- ...ecution-of-com-object-via-xwizard.asciidoc | 79 +- ...n-or-modified-by-microsoft-office.asciidoc | 134 +- ...written-or-modified-by-pdf-reader.asciidoc | 136 +- ...-of-persistent-suspicious-program.asciidoc | 101 +- ...tron-child-process-node-js-module.asciidoc | 72 + ...ution-via-local-sxs-shared-module.asciidoc | 64 +- ...ssql-xp-cmdshell-stored-procedure.asciidoc | 107 + ...execution-via-tsclient-mountpoint.asciidoc | 64 +- ...n-via-windows-subsystem-for-linux.asciidoc | 77 + ...xplicit-credentials-via-scripting.asciidoc | 83 +- .../expired-or-revoked-driver-loaded.asciidoc | 62 + .../exploit-detected-elastic-endgame.asciidoc | 66 +- ...exploit-prevented-elastic-endgame.asciidoc | 66 +- ...g-exchange-mailbox-via-powershell.asciidoc | 132 +- .../rule-details/external-alerts.asciidoc | 55 +- ...p-lookup-from-non-browser-process.asciidoc | 212 +- ...r-added-to-google-workspace-group.asciidoc | 127 ++ .../file-creation-time-changed.asciidoc | 80 + .../file-deletion-via-shred.asciidoc | 76 +- ...able-via-chmod-inside-a-container.asciidoc | 76 + .../file-made-immutable-by-chattr.asciidoc | 51 +- ...odification-in-writable-directory.asciidoc | 74 +- ...r-listener-established-via-netcat.asciidoc | 171 +- ...ync-plugin-registered-and-enabled.asciidoc | 88 +- ...value-accessed-in-secrets-manager.asciidoc | 119 ++ ...used-remote-access-tool-execution.asciidoc | 125 ++ .../first-time-seen-driver-loaded.asciidoc | 134 ++ ...ogin-from-third-party-application.asciidoc | 97 + .../first-time-seen-removable-device.asciidoc | 78 + ...me-seen-account-performing-dcsync.asciidoc | 121 ++ 
...d-google-workspace-security-alert.asciidoc | 61 + ...er-mode-dumps-enabled-system-wide.asciidoc | 44 +- .../gcp-firewall-rule-creation.asciidoc | 80 +- .../gcp-firewall-rule-deletion.asciidoc | 80 +- .../gcp-firewall-rule-modification.asciidoc | 80 +- .../gcp-iam-custom-role-creation.asciidoc | 85 +- .../gcp-iam-role-deletion.asciidoc | 83 +- ...-iam-service-account-key-deletion.asciidoc | 86 +- .../gcp-logging-bucket-deletion.asciidoc | 89 +- .../gcp-logging-sink-deletion.asciidoc | 86 +- .../gcp-logging-sink-modification.asciidoc | 83 +- ...gcp-pub-sub-subscription-creation.asciidoc | 88 +- ...gcp-pub-sub-subscription-deletion.asciidoc | 86 +- .../gcp-pub-sub-topic-creation.asciidoc | 88 +- .../gcp-pub-sub-topic-deletion.asciidoc | 86 +- .../gcp-service-account-creation.asciidoc | 83 +- .../gcp-service-account-deletion.asciidoc | 83 +- .../gcp-service-account-disabled.asciidoc | 83 +- .../gcp-service-account-key-creation.asciidoc | 83 +- ...bucket-configuration-modification.asciidoc | 87 +- .../gcp-storage-bucket-deletion.asciidoc | 85 +- ...e-bucket-permissions-modification.asciidoc | 86 +- ...al-private-cloud-network-deletion.asciidoc | 85 +- ...tual-private-cloud-route-creation.asciidoc | 98 +- ...tual-private-cloud-route-deletion.asciidoc | 85 +- ...-transferred-via-google-workspace.asciidoc | 95 +- ...gle-workspace-2sv-policy-disabled.asciidoc | 91 +- ...ace-admin-role-assigned-to-a-user.asciidoc | 143 +- ...gle-workspace-admin-role-deletion.asciidoc | 125 +- ...main-wide-delegation-of-authority.asciidoc | 126 +- ...kspace-bitlocker-setting-disabled.asciidoc | 96 +- ...rkspace-custom-admin-role-created.asciidoc | 129 +- ...m-gmail-route-created-or-modified.asciidoc | 96 +- ...ey-s-accessed-from-anonymous-user.asciidoc | 85 + ...orkspace-mfa-enforcement-disabled.asciidoc | 131 +- ...ess-granted-to-custom-application.asciidoc | 138 ++ ...orkspace-password-policy-modified.asciidoc | 172 +- ...etplace-modified-to-allow-any-app.asciidoc | 107 +- 
.../google-workspace-role-modified.asciidoc | 131 +- ...ce-suspended-user-account-renewed.asciidoc | 80 + ...-user-organizational-unit-changed.asciidoc | 101 +- ...licy-abuse-for-privilege-addition.asciidoc | 95 +- ...ry-via-microsoft-gpresult-utility.asciidoc | 63 + ...fbaked-command-and-control-beacon.asciidoc | 84 +- ...password-reset-or-unlock-attempts.asciidoc | 115 +- ...ocess-and-or-service-terminations.asciidoc | 91 +- ...gh-number-of-process-terminations.asciidoc | 79 +- ...s-via-windows-subsystem-for-linux.asciidoc | 69 + .../rule-details/hosts-file-modified.asciidoc | 148 +- .../hping-process-activity.asciidoc | 79 +- .../iis-http-logging-disabled.asciidoc | 134 +- ...-file-execution-options-injection.asciidoc | 115 +- ...windows-update-auto-update-client.asciidoc | 87 +- ...to-an-unsecure-elasticsearch-node.asciidoc | 74 +- ...g-dcom-lateral-movement-via-mshta.asciidoc | 126 +- ...ng-dcom-lateral-movement-with-mmc.asciidoc | 101 +- ...hellbrowserwindow-or-shellwindows.asciidoc | 102 +- ...execution-via-powershell-remoting.asciidoc | 90 +- ...-execution-via-winrm-remote-shell.asciidoc | 85 +- ...ingress-transfer-via-windows-bits.asciidoc | 78 + ...allation-of-custom-shim-databases.asciidoc | 80 +- ...tion-of-security-support-provider.asciidoc | 94 +- ...rocess-making-network-connections.asciidoc | 82 +- ...nched-against-a-running-container.asciidoc | 79 + ...ractive-terminal-spawned-via-perl.asciidoc | 67 +- ...ctive-terminal-spawned-via-python.asciidoc | 106 +- ...ipsec-nat-traversal-port-activity.asciidoc | 81 +- ...rberos-cached-credentials-dumping.asciidoc | 63 +- ...-authentication-disabled-for-user.asciidoc | 84 +- ...eros-traffic-from-unusual-process.asciidoc | 201 +- ...load-or-unload-via-kexec-detected.asciidoc | 89 + .../kernel-module-load-via-insmod.asciidoc | 52 +- .../kernel-module-removal.asciidoc | 87 +- ...ssword-retrieval-via-command-line.asciidoc | 82 +- .../krbtgt-delegation-backdoor.asciidoc | 55 +- 
...etes-anonymous-request-authorized.asciidoc | 69 +- ...with-excessive-linux-capabilities.asciidoc | 67 +- ...es-denied-service-account-request.asciidoc | 48 +- ...ervice-created-with-type-nodeport.asciidoc | 64 +- ...-with-a-sensitive-hostpath-volume.asciidoc | 108 +- ...bernetes-pod-created-with-hostipc.asciidoc | 69 +- ...etes-pod-created-with-hostnetwork.asciidoc | 69 +- ...bernetes-pod-created-with-hostpid.asciidoc | 69 +- ...kubernetes-privileged-pod-created.asciidoc | 69 +- ...ent-of-controller-service-account.asciidoc | 68 +- ...es-suspicious-self-subject-review.asciidoc | 82 +- .../kubernetes-user-exec-into-pod.asciidoc | 77 +- ...teral-movement-via-startup-folder.asciidoc | 83 +- ...odification-and-immediate-loading.asciidoc | 69 +- ...odification-and-immediate-loading.asciidoc | 78 +- .../linux-group-creation.asciidoc | 118 ++ ...shell-breakout-via-linux-binary-s.asciidoc | 184 ++ ...inux-system-information-discovery.asciidoc | 65 + .../linux-user-account-creation.asciidoc | 117 ++ ...ux-user-added-to-privileged-group.asciidoc | 126 ++ ...count-tokenfilter-policy-disabled.asciidoc | 47 +- .../local-scheduled-task-creation.asciidoc | 198 +- .../lsass-memory-dump-creation.asciidoc | 147 +- .../lsass-memory-dump-handle-access.asciidoc | 144 +- ...ss-process-access-via-windows-api.asciidoc | 65 + ...ller-package-spawns-network-event.asciidoc | 113 +- .../malware-detected-elastic-endgame.asciidoc | 57 +- ...malware-prevented-elastic-endgame.asciidoc | 57 +- ...masquerading-space-after-filename.asciidoc | 45 +- ...for-google-workspace-organization.asciidoc | 139 +- ...change-anti-phish-policy-deletion.asciidoc | 66 +- ...ange-anti-phish-rule-modification.asciidoc | 66 +- ...im-signing-configuration-disabled.asciidoc | 69 +- ...t-365-exchange-dlp-policy-removed.asciidoc | 66 +- ...ge-malware-filter-policy-deletion.asciidoc | 66 +- ...-malware-filter-rule-modification.asciidoc | 66 +- ...-management-group-role-assignment.asciidoc | 66 +- 
...nge-safe-attachment-rule-disabled.asciidoc | 66 +- ...xchange-safe-link-policy-disabled.asciidoc | 66 +- ...-exchange-transport-rule-creation.asciidoc | 69 +- ...hange-transport-rule-modification.asciidoc | 66 +- ...lobal-administrator-role-assigned.asciidoc | 61 +- ...ft-365-impossible-travel-activity.asciidoc | 70 + ...365-inbox-forwarding-rule-created.asciidoc | 113 +- ...65-mass-download-by-a-single-user.asciidoc | 66 + ...365-potential-ransomware-activity.asciidoc | 60 +- ...m-application-interaction-allowed.asciidoc | 63 +- ...365-teams-external-access-enabled.asciidoc | 70 +- ...ft-365-teams-guest-access-enabled.asciidoc | 67 +- ...5-unusual-volume-of-file-deletion.asciidoc | 57 +- ...ser-restricted-from-sending-email.asciidoc | 57 +- ...engine-started-an-unusual-process.asciidoc | 105 +- ...ngine-started-by-a-script-process.asciidoc | 111 +- ...ngine-started-by-a-system-process.asciidoc | 107 +- ...-started-by-an-office-application.asciidoc | 162 +- ...ld-engine-using-an-alternate-name.asciidoc | 172 +- ...-um-spawning-suspicious-processes.asciidoc | 76 +- ...erver-um-writing-suspicious-files.asciidoc | 96 +- ...ker-spawning-suspicious-processes.asciidoc | 70 +- ...iis-connection-strings-decryption.asciidoc | 85 +- ...s-service-account-password-dumped.asciidoc | 92 +- ...rosoft-windows-defender-tampering.asciidoc | 251 +-- ...mimikatz-memssp-log-file-detected.asciidoc | 102 +- ...cation-of-amsienable-registry-key.asciidoc | 119 +- ...odification-of-boot-configuration.asciidoc | 142 +- ...-shared-object-inside-a-container.asciidoc | 65 + ...amic-linker-preload-shared-object.asciidoc | 54 +- ...nvironment-variable-via-launchctl.asciidoc | 98 +- .../modification-of-openssh-binaries.asciidoc | 89 +- ...ari-settings-via-defaults-command.asciidoc | 63 +- ...ntication-module-or-configuration.asciidoc | 125 +- ...on-of-the-mspkiaccountcredentials.asciidoc | 41 +- ...tion-of-wdigest-security-provider.asciidoc | 133 +- ...n-okta-application-sign-on-policy.asciidoc 
| 79 +- ...ng-hidden-or-webdav-remote-shares.asciidoc | 111 +- ...o-security-registry-modifications.asciidoc | 143 +- ...sbuild-making-network-connections.asciidoc | 149 +- ...build-network-connection-sequence.asciidoc | 69 + .../mshta-making-network-connections.asciidoc | 96 +- .../msxsl-making-network-connections.asciidoc | 64 + ...cation-disabled-for-an-azure-user.asciidoc | 94 +- ...t-att-ck-tactics-on-a-single-host.asciidoc | 28 +- .../multiple-alerts-involving-a-user.asciidoc | 45 + ...failure-followed-by-logon-success.asciidoc | 115 +- ...lure-from-the-same-source-address.asciidoc | 117 +- ...ltiple-vault-web-credentials-read.asciidoc | 71 +- .../rule-details/my-first-rule.asciidoc | 72 + ...espace-manipulation-using-unshare.asciidoc | 42 +- ...er-established-inside-a-container.asciidoc | 74 + .../network-connection-via-certutil.asciidoc | 152 +- ...connection-via-compiled-html-file.asciidoc | 184 +- .../network-connection-via-msxsl.asciidoc | 100 +- ...nnection-via-registration-utility.asciidoc | 247 +-- ...work-connection-via-signed-binary.asciidoc | 198 +- ...on-provider-registry-modification.asciidoc | 91 +- ...affic-to-rare-destination-country.asciidoc | 39 +- ...oweddeviceid-added-via-powershell.asciidoc | 86 +- ...new-or-modified-federation-domain.asciidoc | 74 +- ...ted-by-previously-unknown-process.asciidoc | 83 + .../new-systemd-timer-created.asciidoc | 137 ++ .../nping-process-activity.asciidoc | 76 +- .../ntds-or-sam-database-file-copied.asciidoc | 107 +- ...sessionpipe-registry-modification.asciidoc | 68 +- ...orted-by-user-as-malware-or-phish.asciidoc | 61 +- ...ssive-single-sign-on-logon-errors.asciidoc | 69 +- ...spicious-mailbox-right-delegation.asciidoc | 83 +- ...o365-mailbox-audit-logging-bypass.asciidoc | 61 +- ...force-or-password-spraying-attack.asciidoc | 100 +- ...nsight-threat-suspected-promotion.asciidoc | 62 + .../okta-user-session-impersonation.asciidoc | 78 +- .../onedrive-malware-file-upload.asciidoc | 53 +- 
...uled-task-activity-via-powershell.asciidoc | 93 +- .../parent-process-pid-spoofing.asciidoc | 126 +- .../peripheral-device-discovery.asciidoc | 113 +- ...on-theft-detected-elastic-endgame.asciidoc | 64 +- ...n-theft-prevented-elastic-endgame.asciidoc | 64 +- ...tence-via-bits-job-notify-cmdline.asciidoc | 63 +- ...ectoryservice-plugin-modification.asciidoc | 45 +- ...-via-docker-shortcut-modification.asciidoc | 59 +- ...sistence-via-folder-action-script.asciidoc | 98 +- ...tence-via-hidden-run-key-detected.asciidoc | 115 +- ...ript-or-desktop-file-modification.asciidoc | 90 +- ...sistence-via-login-or-logout-hook.asciidoc | 81 +- ...tence-via-microsoft-office-addins.asciidoc | 78 +- ...istence-via-microsoft-outlook-vba.asciidoc | 67 +- ...ersistence-via-powershell-profile.asciidoc | 45 +- ...stence-via-scheduled-job-creation.asciidoc | 60 +- ...ycontroller-scheduled-task-hijack.asciidoc | 112 +- ...pdate-orchestrator-service-hijack.asciidoc | 188 +- ...stence-via-wmi-event-subscription.asciidoc | 89 +- ...ia-wmi-standard-registry-provider.asciidoc | 195 +- ...-scripts-in-the-startup-directory.asciidoc | 143 +- .../port-forwarding-rule-addition.asciidoc | 118 +- ...-via-azure-registered-application.asciidoc | 126 +- ...-dga-command-and-control-behavior.asciidoc | 83 +- .../possible-okta-dos-attack.asciidoc | 81 +- ...f-repeated-mfa-push-notifications.asciidoc | 94 +- ...tial-admin-group-account-addition.asciidoc | 50 +- ...n-interface-bypass-via-powershell.asciidoc | 158 ++ ...-application-shimming-via-sdbinst.asciidoc | 109 +- ...ial-code-execution-via-postgresql.asciidoc | 65 + ...and-control-via-internet-explorer.asciidoc | 133 +- ...okies-theft-via-browser-debugging.asciidoc | 86 +- ...tial-credential-access-via-dcsync.asciidoc | 156 +- ...cess-via-duplicatehandle-in-lsass.asciidoc | 80 +- ...tial-access-via-lsass-memory-dump.asciidoc | 96 +- ...cess-via-renamed-com-services-dll.asciidoc | 73 +- ...ess-via-trusted-developer-utility.asciidoc | 166 +- 
...tial-access-via-windows-utilities.asciidoc | 197 +- ...otential-cross-site-scripting-xss.asciidoc | 62 + ...tential-defense-evasion-via-proot.asciidoc | 60 + .../potential-disabling-of-selinux.asciidoc | 71 +- ...ft-antimalware-service-executable.asciidoc | 92 +- ...ng-via-trusted-microsoft-programs.asciidoc | 111 +- ...otential-dns-tunneling-via-iodine.asciidoc | 76 +- ...ential-dns-tunneling-via-nslookup.asciidoc | 99 +- ...ential-evasion-via-filter-manager.asciidoc | 152 +- ...otential-exfiltration-via-certreq.asciidoc | 74 + ...al-linux-ssh-brute-force-detected.asciidoc | 118 ++ ...idden-local-user-account-creation.asciidoc | 50 +- ...-hidden-process-via-mount-hidepid.asciidoc | 62 + ...al-linux-ssh-brute-force-detected.asciidoc | 114 ++ ...invoke-mimikatz-powershell-script.asciidoc | 99 +- ...al-java-jndi-exploitation-attempt.asciidoc | 94 +- ...ntial-kerberos-attack-via-bifrost.asciidoc | 70 +- ...teral-tool-transfer-via-smb-share.asciidoc | 121 +- ...ux-backdoor-user-account-creation.asciidoc | 121 ++ ...ntial-dumping-via-proc-filesystem.asciidoc | 75 + ...x-credential-dumping-via-unshadow.asciidoc | 67 + ...ocal-account-brute-force-detected.asciidoc | 64 + ...ransomware-note-creation-detected.asciidoc | 75 + ...tential-local-ntlm-relay-via-http.asciidoc | 70 +- ...-lsa-authentication-package-abuse.asciidoc | 65 +- ...e-creation-via-psscapturesnapshot.asciidoc | 63 +- ...emory-dump-via-psscapturesnapshot.asciidoc | 67 +- ...al-macos-ssh-brute-force-detected.asciidoc | 46 +- ...file-downloaded-from-google-drive.asciidoc | 91 + ...asquerading-as-communication-apps.asciidoc | 101 + ...-microsoft-office-sandbox-evasion.asciidoc | 49 +- ...ication-of-accessibility-binaries.asciidoc | 216 +-- .../potential-network-scan-detected.asciidoc | 72 + .../potential-network-sweep-detected.asciidoc | 72 + ...andard-port-http-https-connection.asciidoc | 83 + ...-non-standard-port-ssh-connection.asciidoc | 46 +- ...openssh-backdoor-logging-activity.asciidoc | 117 +- 
...tential-pass-the-hash-pth-attempt.asciidoc | 69 + ...ng-of-microsoft-365-user-accounts.asciidoc | 100 +- ...rsistence-through-init-d-detected.asciidoc | 136 ++ ...rough-motd-file-creation-detected.asciidoc | 130 ++ ...ence-through-run-control-detected.asciidoc | 137 ++ ...via-atom-init-script-modification.asciidoc | 46 +- ...ential-persistence-via-login-hook.asciidoc | 69 +- ...al-persistence-via-periodic-tasks.asciidoc | 50 +- ...ce-via-time-provider-modification.asciidoc | 62 +- ...rint-processor-registration-abuse.asciidoc | 83 +- ...hacktool-script-by-function-names.asciidoc | 255 +++ ...-bypass-via-localhost-secure-copy.asciidoc | 71 +- ...rol-bypass-via-tccdb-modification.asciidoc | 68 +- ...on-through-writable-docker-socket.asciidoc | 66 + ...alation-via-installerfiletakeover.asciidoc | 150 +- ...l-privilege-escalation-via-pkexec.asciidoc | 55 +- ...ion-via-sudoers-file-modification.asciidoc | 48 +- ...ation-via-samaccountname-spoofing.asciidoc | 66 +- ...tial-process-herpaderping-attempt.asciidoc | 74 +- ...a-ld-preload-environment-variable.asciidoc | 112 ++ ...-process-injection-via-powershell.asciidoc | 136 +- ...-protocol-tunneling-via-earthworm.asciidoc | 53 +- ...-pspy-process-monitoring-detected.asciidoc | 93 + ...ote-code-execution-via-web-server.asciidoc | 151 ++ ...te-credential-access-via-registry.asciidoc | 138 +- ...remote-desktop-shadowing-activity.asciidoc | 87 +- ...remote-desktop-tunneling-detected.asciidoc | 123 +- ...verse-shell-activity-via-terminal.asciidoc | 105 +- .../potential-reverse-shell-via-java.asciidoc | 78 + ...verse-shell-via-suspicious-binary.asciidoc | 89 + ...hell-via-suspicious-child-process.asciidoc | 86 + ...ell-via-suspicious-parent-process.asciidoc | 86 + .../potential-reverse-shell.asciidoc | 78 + ...file-deletion-via-sdelete-utility.asciidoc | 112 +- ...ow-credentials-added-to-ad-object.asciidoc | 96 +- ...e-read-via-command-line-utilities.asciidoc | 77 +- .../potential-sharprdp-behavior.asciidoc | 142 +- 
.../potential-ssh-password-guessing.asciidoc | 67 +- ...x-ftp-brute-force-attack-detected.asciidoc | 94 + ...x-rdp-brute-force-attack-detected.asciidoc | 92 + .../potential-suspicious-file-edit.asciidoc | 112 ++ ...l-syn-based-network-scan-detected.asciidoc | 72 + ...indows-error-manager-masquerading.asciidoc | 130 +- ...owershell-invoke-ninjacopy-script.asciidoc | 143 ++ ...owershell-kerberos-ticket-request.asciidoc | 116 +- .../powershell-keylogging-script.asciidoc | 143 +- ...ershell-mailbox-collection-script.asciidoc | 140 ++ .../powershell-minidump-script.asciidoc | 110 +- .../powershell-psreflect-script.asciidoc | 152 +- ...ell-script-block-logging-disabled.asciidoc | 104 +- ...-archive-compression-capabilities.asciidoc | 98 + ...cript-with-discovery-capabilities.asciidoc | 229 +++ ...ncryption-decryption-capabilities.asciidoc | 122 ++ ...cript-with-log-clear-capabilities.asciidoc | 94 + ...-token-impersonation-capabilities.asciidoc | 84 +- ...wershell-share-enumeration-script.asciidoc | 93 +- ...ery-related-windows-api-functions.asciidoc | 170 +- ...us-payload-encoded-and-compressed.asciidoc | 152 +- ...t-with-audio-capture-capabilities.asciidoc | 127 +- ...-clipboard-retrieval-capabilities.asciidoc | 138 ++ ...ript-with-screenshot-capabilities.asciidoc | 115 +- ...tion-via-named-pipe-impersonation.asciidoc | 124 +- ...ia-rogue-named-pipe-impersonation.asciidoc | 58 +- ...ia-root-crontab-file-modification.asciidoc | 50 +- ...n-via-windir-environment-variable.asciidoc | 73 +- .../privileged-account-brute-force.asciidoc | 97 +- ...n-via-parent-process-pid-spoofing.asciidoc | 79 +- ...s-activity-via-compiled-html-file.asciidoc | 183 +- ...ss-created-with-an-elevated-token.asciidoc | 126 +- ...cess-creation-via-secondary-logon.asciidoc | 77 +- ...scovery-via-built-in-applications.asciidoc | 70 + ...ecution-from-an-unusual-directory.asciidoc | 221 +-- ...ion-by-the-microsoft-build-engine.asciidoc | 65 +- ...njection-detected-elastic-endgame.asciidoc | 64 +- 
...jection-prevented-elastic-endgame.asciidoc | 64 +- ...-started-from-process-id-pid-file.asciidoc | 57 +- ...-termination-followed-by-deletion.asciidoc | 172 +- ...gram-files-directory-masquerading.asciidoc | 85 +- ...pt-for-credentials-with-osascript.asciidoc | 69 +- .../psexec-network-connection.asciidoc | 152 +- ...script-execution-via-command-line.asciidoc | 78 + ...nsomware-detected-elastic-endgame.asciidoc | 55 +- ...somware-prevented-elastic-endgame.asciidoc | 55 +- .../rule-details/rare-aws-error-code.asciidoc | 106 +- .../rule-details/rare-user-logon.asciidoc | 84 +- .../rdp-enabled-via-registry.asciidoc | 115 +- ...esktop-protocol-from-the-internet.asciidoc | 166 +- ...istry-persistence-via-appcert-dll.asciidoc | 76 +- ...istry-persistence-via-appinit-dll.asciidoc | 142 +- ...mputer-account-dnshostname-update.asciidoc | 100 +- ...bled-in-windows-firewall-by-netsh.asciidoc | 102 +- .../remote-execution-via-file-shares.asciidoc | 104 +- ...emote-file-copy-to-a-hidden-share.asciidoc | 79 +- .../remote-file-copy-via-teamviewer.asciidoc | 130 +- ...oad-via-desktopimgdownldr-utility.asciidoc | 144 +- ...remote-file-download-via-mpcmdrun.asciidoc | 134 +- ...mote-file-download-via-powershell.asciidoc | 152 +- ...e-download-via-script-interpreter.asciidoc | 123 +- ...llowed-by-scheduled-task-creation.asciidoc | 77 +- .../remote-scheduled-task-creation.asciidoc | 132 +- ...n-enabled-via-systemsetup-command.asciidoc | 71 +- .../remote-system-discovery-commands.asciidoc | 118 +- .../remote-windows-service-installed.asciidoc | 99 +- ...remotely-started-services-via-rpc.asciidoc | 265 +-- ...enamed-autoit-scripts-interpreter.asciidoc | 136 +- ...-executed-with-short-program-name.asciidoc | 123 ++ ...file-downloaded-from-the-internet.asciidoc | 125 +- ...-procedure-call-from-the-internet.asciidoc | 154 +- ...te-procedure-call-to-the-internet.asciidoc | 154 +- ...-task-created-by-a-windows-script.asciidoc | 101 +- ...d-task-execution-at-scale-via-gpo.asciidoc | 114 +- 
...cheduled-tasks-at-command-enabled.asciidoc | 97 +- ...le-modified-by-unexpected-process.asciidoc | 86 +- ...or-saved-credentials-via-vaultcmd.asciidoc | 79 +- ...ity-software-discovery-using-wmic.asciidoc | 110 +- ...urity-software-discovery-via-grep.asciidoc | 154 +- ...e-enabled-by-a-suspicious-process.asciidoc | 74 +- ...es-compression-inside-a-container.asciidoc | 107 + .../sensitive-files-compression.asciidoc | 102 +- ...s-searched-for-inside-a-container.asciidoc | 77 + ...ationprivilege-assigned-to-a-user.asciidoc | 93 +- .../service-command-lateral-movement.asciidoc | 93 +- ...ol-spawned-via-script-interpreter.asciidoc | 165 +- ...via-local-kerberos-authentication.asciidoc | 75 +- .../setuid-setgid-bit-set-via-chmod.asciidoc | 130 +- ...ged-by-previously-unknown-process.asciidoc | 68 + .../sharepoint-malware-file-upload.asciidoc | 56 +- ...ell-execution-via-apple-scripting.asciidoc | 64 +- ...oxy-execution-via-ms-work-folders.asciidoc | 96 +- .../sip-provider-modification.asciidoc | 81 +- ...-sharing-activity-to-the-internet.asciidoc | 156 +- .../rule-details/smtp-on-port-26-tcp.asciidoc | 87 +- ...reupdate-preferences-modification.asciidoc | 64 +- ...s-disabling-services-via-registry.asciidoc | 129 +- .../spike-in-aws-error-messages.asciidoc | 109 +- .../spike-in-failed-logon-events.asciidoc | 81 +- .../spike-in-firewall-denies.asciidoc | 39 +- .../spike-in-logon-events.asciidoc | 43 +- ...e-in-network-traffic-to-a-country.asciidoc | 73 +- .../spike-in-network-traffic.asciidoc | 42 +- ...ful-logon-events-from-a-source-ip.asciidoc | 100 + ...authorized-keys-file-modification.asciidoc | 120 +- ...-file-modified-inside-a-container.asciidoc | 85 + ...lished-inside-a-running-container.asciidoc | 83 + ...-launched-from-inside-a-container.asciidoc | 77 + ...-persistence-via-unsigned-process.asciidoc | 152 +- ...ript-added-to-group-policy-object.asciidoc | 113 +- ...-or-run-key-registry-modification.asciidoc | 307 ++- 
...rsistence-by-a-suspicious-process.asciidoc | 163 +- ...r-application-script-modification.asciidoc | 85 +- ...eap-based-buffer-overflow-attempt.asciidoc | 51 +- .../sudoers-file-modification.asciidoc | 77 +- ...urst-command-and-control-activity.asciidoc | 178 +- ...us-activity-reported-by-okta-user.asciidoc | 81 +- ...us-antimalware-scan-interface-dll.asciidoc | 133 ++ ...ous-automator-workflows-execution.asciidoc | 47 +- .../suspicious-browser-child-process.asciidoc | 102 +- ...icious-calendar-file-modification.asciidoc | 73 +- .../suspicious-certutil-commands.asciidoc | 176 +- ...obe-acrobat-reader-update-service.asciidoc | 81 +- .../suspicious-cmd-execution-via-wmi.asciidoc | 77 +- ...racted-or-decompressed-via-funzip.asciidoc | 82 + ...-crontab-creation-or-modification.asciidoc | 57 +- ...ta-encryption-via-openssl-utility.asciidoc | 67 + ...rsistence-or-privilege-escalation.asciidoc | 157 +- .../suspicious-emond-child-process.asciidoc | 76 +- ...-endpoint-security-parent-process.asciidoc | 104 +- ...s-execution-from-a-mounted-device.asciidoc | 76 +- ...tion-via-microsoft-office-add-ins.asciidoc | 121 ++ ...ious-execution-via-scheduled-task.asciidoc | 167 +- ...n-via-windows-subsystem-for-linux.asciidoc | 87 + ...suspicious-explorer-child-process.asciidoc | 112 +- ...us-file-changes-activity-detected.asciidoc | 70 + ...e-creation-in-etc-for-persistence.asciidoc | 103 +- ...s-hidden-child-process-of-launchd.asciidoc | 57 +- .../suspicious-html-file-creation.asciidoc | 93 +- ...-load-taskschd-dll-from-ms-office.asciidoc | 76 + ...icious-imagepath-service-creation.asciidoc | 64 +- ...process-communication-via-outlook.asciidoc | 78 + ...l-spawned-from-inside-a-container.asciidoc | 72 + .../suspicious-java-child-process.asciidoc | 107 +- ...ious-lsass-access-via-malseclogon.asciidoc | 64 +- .../suspicious-lsass-process-access.asciidoc | 92 + ...ous-macos-ms-office-child-process.asciidoc | 124 +- ...ious-managed-code-hosting-process.asciidoc | 93 +- 
...ft-365-mail-access-by-clientappid.asciidoc | 69 + ...soft-diagnostics-wizard-execution.asciidoc | 112 +- ...ous-mining-process-creation-event.asciidoc | 66 + .../suspicious-modprobe-file-event.asciidoc | 87 + ...suspicious-module-loaded-by-lsass.asciidoc | 137 ++ ...uspicious-ms-office-child-process.asciidoc | 298 +-- ...spicious-ms-outlook-child-process.asciidoc | 204 +- .../suspicious-net-code-compilation.asciidoc | 76 + ...ous-net-reflection-via-powershell.asciidoc | 161 ++ ...-by-previously-unknown-executable.asciidoc | 120 ++ ...etwork-connection-attempt-by-root.asciidoc | 84 +- ...-tool-launched-inside-a-container.asciidoc | 82 + ...spicious-pdf-reader-child-process.asciidoc | 185 +- ...able-encoded-in-powershell-script.asciidoc | 121 +- ...cious-powershell-engine-imageload.asciidoc | 282 +-- .../suspicious-powershell-script.asciidoc | 64 +- ...cious-print-spooler-file-deletion.asciidoc | 61 +- ...print-spooler-point-and-print-dll.asciidoc | 72 +- ...us-print-spooler-spl-file-created.asciidoc | 145 +- ...-service-executable-file-creation.asciidoc | 79 +- ...oc-pseudo-file-system-enumeration.asciidoc | 89 + ...ess-access-via-direct-system-call.asciidoc | 151 +- ...icious-process-creation-calltrace.asciidoc | 135 +- ...ion-via-renamed-psexec-executable.asciidoc | 114 +- ...rocess-spawned-from-motd-detected.asciidoc | 131 ++ ...picious-rdp-activex-client-loaded.asciidoc | 109 +- ...stry-access-via-sebackupprivilege.asciidoc | 113 +- ...suspicious-renaming-of-esxi-files.asciidoc | 66 + ...-renaming-of-esxi-index-html-file.asciidoc | 65 + ...uspicious-script-object-execution.asciidoc | 150 +- ...rvice-was-installed-in-the-system.asciidoc | 96 +- ...spicious-solarwinds-child-process.asciidoc | 108 +- ...startup-shell-folder-modification.asciidoc | 140 +- .../suspicious-sysctl-file-event.asciidoc | 87 + ...-by-previously-unknown-executable.asciidoc | 76 + ...cious-termination-of-esxi-process.asciidoc | 61 + ...suspicious-werfault-child-process.asciidoc | 102 +- 
...ous-wmi-image-load-from-ms-office.asciidoc | 95 +- ...picious-wmic-xsl-script-execution.asciidoc | 93 +- .../suspicious-zoom-child-process.asciidoc | 153 +- .../svchost-spawning-cmd.asciidoc | 196 +- ...bolic-link-to-shadow-copy-created.asciidoc | 111 +- .../system-hosts-file-access.asciidoc | 61 + ...scovery-via-windows-command-shell.asciidoc | 77 +- .../system-log-file-deletion.asciidoc | 104 +- ...tem-network-connections-discovery.asciidoc | 61 + ...system-owner-user-discovery-linux.asciidoc | 65 + ...hrough-built-in-windows-utilities.asciidoc | 67 + .../system-shells-via-services.asciidoc | 172 +- .../system-time-discovery.asciidoc | 67 + ...systemkey-access-via-command-line.asciidoc | 58 +- ...ring-of-bash-command-line-history.asciidoc | 117 +- ...-via-mounted-apfs-snapshot-access.asciidoc | 48 +- ...mporarily-scheduled-task-creation.asciidoc | 70 +- ...es-deleted-via-unexpected-process.asciidoc | 113 +- ...threat-intel-hash-indicator-match.asciidoc | 118 ++ ...-intel-ip-address-indicator-match.asciidoc | 117 ++ .../threat-intel-url-indicator-match.asciidoc | 120 ++ ...-windows-registry-indicator-match.asciidoc | 113 ++ .../timestomping-using-touch-command.asciidoc | 83 +- ...nternet-explorer-add-on-installer.asciidoc | 95 +- ...eged-ifileoperation-com-interface.asciidoc | 78 +- ...ia-windows-directory-masquerading.asciidoc | 121 +- ...ademanager-elevated-com-interface.asciidoc | 91 +- ...diskcleanup-scheduled-task-hijack.asciidoc | 93 +- ...icmluautil-elevated-com-interface.asciidoc | 78 +- ...a-windows-firewall-snap-in-hijack.asciidoc | 129 +- ...zed-access-to-an-okta-application.asciidoc | 63 +- ...ommon-registry-persistence-change.asciidoc | 297 +-- ...ocess-of-macos-screensaver-engine.asciidoc | 57 +- .../unsigned-dll-loaded-by-svchost.asciidoc | 152 ++ ...-loading-from-a-suspicious-folder.asciidoc | 152 ++ .../untrusted-driver-loaded.asciidoc | 134 ++ .../unusual-aws-command-for-a-user.asciidoc | 104 +- ...ess-from-a-system-virtual-process.asciidoc | 
79 +- .../unusual-child-process-of-dns-exe.asciidoc | 112 ++ ...usual-child-processes-of-rundll32.asciidoc | 85 +- .../unusual-city-for-an-aws-command.asciidoc | 104 +- ...nusual-country-for-an-aws-command.asciidoc | 110 +- .../unusual-dns-activity.asciidoc | 55 +- ...tion-by-a-system-critical-process.asciidoc | 127 +- ...le-creation-alternate-data-stream.asciidoc | 205 +- ...sual-file-modification-by-dns-exe.asciidoc | 82 + .../unusual-hour-for-a-user-to-logon.asciidoc | 70 +- .../unusual-linux-network-activity.asciidoc | 58 +- ...x-network-configuration-discovery.asciidoc | 49 + ...inux-network-connection-discovery.asciidoc | 45 +- ...usual-linux-network-port-activity.asciidoc | 54 +- ...cess-calling-the-metadata-service.asciidoc | 56 +- ...-linux-process-discovery-activity.asciidoc | 45 +- ...em-information-discovery-activity.asciidoc | 45 +- ...user-calling-the-metadata-service.asciidoc | 56 +- ...ual-linux-user-discovery-activity.asciidoc | 49 + .../unusual-linux-username.asciidoc | 69 +- .../unusual-login-activity.asciidoc | 55 +- ...vity-from-a-windows-system-binary.asciidoc | 207 +- ...al-network-connection-via-dllhost.asciidoc | 78 +- ...l-network-connection-via-rundll32.asciidoc | 205 +- ...l-network-destination-domain-name.asciidoc | 45 +- ...unusual-parent-child-relationship.asciidoc | 344 +--- ...nusual-parent-process-for-cmd-exe.asciidoc | 95 + ...persistence-via-services-registry.asciidoc | 112 +- ...usual-print-spooler-child-process.asciidoc | 114 +- ...cution-path-alternate-data-stream.asciidoc | 76 +- .../unusual-process-for-a-linux-host.asciidoc | 113 +- ...nusual-process-for-a-windows-host.asciidoc | 155 +- ...nusual-process-network-connection.asciidoc | 150 +- ...t-child-process-childless-service.asciidoc | 142 +- ...ource-ip-for-a-user-to-logon-from.asciidoc | 43 +- .../unusual-sudo-activity.asciidoc | 47 +- .../rule-details/unusual-web-request.asciidoc | 55 +- .../unusual-web-user-agent.asciidoc | 55 +- 
.../unusual-windows-network-activity.asciidoc | 63 +- .../unusual-windows-path-activity.asciidoc | 77 +- ...cess-calling-the-metadata-service.asciidoc | 56 +- .../unusual-windows-remote-user.asciidoc | 63 +- .../unusual-windows-service.asciidoc | 61 +- ...user-calling-the-metadata-service.asciidoc | 56 +- ...user-privilege-elevation-activity.asciidoc | 57 +- .../unusual-windows-username.asciidoc | 77 +- .../user-account-creation.asciidoc | 133 +- ...-account-exposed-to-kerberoasting.asciidoc | 103 +- ...ed-as-owner-for-azure-application.asciidoc | 67 +- ...owner-for-azure-service-principal.asciidoc | 69 +- .../user-added-to-privileged-group.asciidoc | 99 +- ...l-machine-fingerprinting-via-grep.asciidoc | 71 +- .../virtual-machine-fingerprinting.asciidoc | 79 +- ...rivate-network-connection-attempt.asciidoc | 59 +- ...twork-computing-from-the-internet.asciidoc | 158 +- ...network-computing-to-the-internet.asciidoc | 156 +- ...y-deleted-or-resized-via-vssadmin.asciidoc | 161 +- ...adow-copy-deletion-via-powershell.asciidoc | 115 +- ...ume-shadow-copy-deletion-via-wmic.asciidoc | 137 +- ...us-activity-post-request-declined.asciidoc | 62 +- ...icious-activity-sqlmap-user-agent.asciidoc | 59 +- ...ious-activity-unauthorized-method.asciidoc | 62 +- ...ess-child-of-common-web-processes.asciidoc | 116 +- .../webproxy-settings-modification.asciidoc | 66 +- .../webserver-access-logs-deleted.asciidoc | 79 +- .../whoami-process-activity.asciidoc | 152 +- ...erability-cve-2020-0601-curveball.asciidoc | 64 +- ...isabled-via-registry-modification.asciidoc | 166 +- ...r-exclusions-added-via-powershell.asciidoc | 131 +- .../windows-event-logs-cleared.asciidoc | 85 +- ...-firewall-disabled-via-powershell.asciidoc | 96 +- .../windows-network-enumeration.asciidoc | 154 +- ...gistry-file-creation-in-smb-share.asciidoc | 100 +- ...ndows-script-executing-powershell.asciidoc | 136 +- ...rpreter-executing-process-via-wmi.asciidoc | 157 +- ...e-installed-via-an-unusual-client.asciidoc | 52 
+- ...-for-linux-distribution-installed.asciidoc | 71 + ...or-linux-enabled-via-dism-utility.asciidoc | 66 + ...dows-system-information-discovery.asciidoc | 79 + .../windows-user-account-creation.asciidoc | 69 + ...ntial-dumping-using-netsh-command.asciidoc | 83 +- .../wmi-incoming-lateral-movement.asciidoc | 128 +- .../wpad-service-exploit.asciidoc | 71 + .../zoom-meeting-with-no-passcode.asciidoc | 61 +- 861 files changed, 37991 insertions(+), 47215 deletions(-) create mode 100644 docs/detections/prebuilt-rules/rule-details/account-or-group-discovery-via-built-in-tools.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/attempt-to-install-kali-linux-via-wsl.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-credentials-searched-for-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/bypass-uac-via-sdclt.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/code-signing-policy-modification-through-built-in-tools.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/code-signing-policy-modification-through-registry.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/compression-dll-loaded-by-unusual-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/container-management-utility-run-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/container-workload-protection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/cron-job-created-or-changed-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/downloaded-shortcut-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/downloaded-url-files.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/enumerating-domain-trusts-via-dsquery-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/enumerating-domain-trusts-via-nltest-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules-via-proc.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/esxi-discovery-via-find.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/esxi-discovery-via-grep.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/esxi-timestomping-using-touch-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/exchange-mailbox-export-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-via-electron-child-process-node-js-module.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-via-windows-subsystem-for-linux.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/expired-or-revoked-driver-loaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/external-user-added-to-google-workspace-group.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-creation-time-changed.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-made-executable-via-chmod-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-aws-secret-value-accessed-in-secrets-manager.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-commonly-abused-remote-access-tool-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-driver-loaded.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/first-time-seen-google-workspace-oauth-login-from-third-party-application.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-removable-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/firsttime-seen-account-performing-dcsync.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/forwarded-google-workspace-security-alert.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/google-workspace-drive-encryption-key-s-accessed-from-anonymous-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/google-workspace-object-copied-from-external-drive-and-access-granted-to-custom-application.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/google-workspace-suspended-user-account-renewed.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/group-policy-discovery-via-microsoft-gpresult-utility.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/host-files-system-changes-via-windows-subsystem-for-linux.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ingress-transfer-via-windows-bits.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/interactive-exec-command-launched-against-a-running-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kernel-load-or-unload-via-kexec-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-group-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-linux-binary-s.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-system-information-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-user-account-creation.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/linux-user-added-to-privileged-group.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/lsass-process-access-via-windows-api.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/microsoft-365-impossible-travel-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/microsoft-365-mass-download-by-a-single-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/modification-of-dynamic-linker-preload-shared-object-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/msbuild-network-connection-sequence.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/msxsl-making-network-connections.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/multiple-alerts-involving-a-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/my-first-rule.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/netcat-listener-established-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/new-systemd-service-created-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/new-systemd-timer-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/okta-threatinsight-threat-suspected-promotion.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-antimalware-scan-interface-bypass-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-code-execution-via-postgresql.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-cross-site-scripting-xss.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-defense-evasion-via-proot.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/potential-exfiltration-via-certreq.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-external-linux-ssh-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-hidden-process-via-mount-hidepid.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-internal-linux-ssh-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-backdoor-user-account-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-credential-dumping-via-proc-filesystem.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-credential-dumping-via-unshadow.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-local-account-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-ransomware-note-creation-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-malicious-file-downloaded-from-google-drive.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-communication-apps.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-network-scan-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-network-sweep-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-non-standard-port-http-https-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-pass-the-hash-pth-attempt.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-persistence-through-init-d-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-persistence-through-motd-file-creation-detected.asciidoc create mode 
100644 docs/detections/prebuilt-rules/rule-details/potential-persistence-through-run-control-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-powershell-hacktool-script-by-function-names.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-through-writable-docker-socket.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-process-injection-via-ld-preload-environment-variable.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-pspy-process-monitoring-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-remote-code-execution-via-web-server.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-java.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-suspicious-binary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-suspicious-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-suspicious-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-successful-linux-ftp-brute-force-attack-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-successful-linux-rdp-brute-force-attack-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-suspicious-file-edit.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-syn-based-network-scan-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-invoke-ninjacopy-script.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/powershell-mailbox-collection-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-archive-compression-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-discovery-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-encryption-decryption-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-log-clear-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-suspicious-script-with-clipboard-retrieval-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/process-discovery-via-built-in-applications.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/python-script-execution-via-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/renamed-utility-executed-with-short-program-name.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/sensitive-files-compression-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/sensitive-keys-or-passwords-searched-for-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/shared-object-created-or-changed-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-successful-logon-events-from-a-source-ip.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ssh-authorized-keys-file-modified-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ssh-connection-established-inside-a-running-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ssh-process-launched-from-inside-a-container.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/suspicious-antimalware-scan-interface-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-content-extracted-or-decompressed-via-funzip.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-data-encryption-via-openssl-utility.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-execution-via-microsoft-office-add-ins.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-execution-via-windows-subsystem-for-linux.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-file-changes-activity-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-image-load-taskschd-dll-from-ms-office.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-inter-process-communication-via-outlook.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-interactive-shell-spawned-from-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-lsass-process-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-microsoft-365-mail-access-by-clientappid.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-mining-process-creation-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-modprobe-file-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-module-loaded-by-lsass.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-net-code-compilation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-net-reflection-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc 
create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-network-tool-launched-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-proc-pseudo-file-system-enumeration.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-process-spawned-from-motd-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-renaming-of-esxi-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-renaming-of-esxi-index-html-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-sysctl-file-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-termination-of-esxi-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-hosts-file-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-network-connections-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-owner-user-discovery-linux.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-service-discovery-through-built-in-windows-utilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-time-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/threat-intel-hash-indicator-match.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/threat-intel-ip-address-indicator-match.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/threat-intel-url-indicator-match.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/threat-intel-windows-registry-indicator-match.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/unsigned-dll-loaded-by-svchost.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/untrusted-driver-loaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-child-process-of-dns-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-file-modification-by-dns-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-linux-network-configuration-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-linux-user-discovery-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-parent-process-for-cmd-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-subsystem-for-linux-distribution-installed.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-subsystem-for-linux-enabled-via-dism-utility.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-system-information-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-user-account-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/wpad-service-exploit.asciidoc diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc index e48b2f475b..f132f1e606 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc 
@@ -4,8 +4,9 @@ This section lists all updates to prebuilt detection rules, made available with the *Prebuilt Security Detection Rules* integration in Fleet. -To download the latest updates, follow the instructions in <> +To update your installed rules to the latest versions, follow the instructions in <>. +For previous rule updates, please navigate to the https://www.elastic.co/guide/en/security/8.7/prebuilt-rules-downloadable-updates.html[last version]. [width="100%",options="header"] |============================================== diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc index 980b406671..49b0bb6a3a 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc 
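Review bot: the added line hard-codes the 8.7 guide URL (`https://www.elastic.co/guide/en/security/8.7/prebuilt-rules-downloadable-updates.html`), so this page will point at the wrong "previous" release as soon as the docs are branched for 8.9; if the docs build exposes a version attribute for the prior release, build the link from that instead, and in any case make the link text say which release it is ("the 8.7 version") rather than "last version", which reads as "latest version" and contradicts the sentence just above it. Minor style point on the same line: "please navigate to" can simply be "see".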
@@ -14,1450 +14,1720 @@ and their rule type is `machine_learning`. |Rule |Description |Tags |Added |Version -|<> |Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.5.0 |2 <> +|<> |Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence] |8.3.0 |7 -|<> |Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.5.0 |2 <> +|<> |Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence] |8.3.0 |8 -|<> |An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection] [Credential Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the creation of an AWS log trail that specifies the settings for delivery of log data. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Collection] |8.3.0 |104 -|<> |Identifies the creation of an AWS log trail that specifies the settings for delivery of log data. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] |7.9.0 |101 <> +|<> |Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.3.0 |106 -|<> |Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.3.0 |106 -|<> |Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies an update to an AWS log trail setting that specifies the delivery of log files. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Impact] |8.3.0 |106 -|<> |Identifies an update to an AWS log trail setting that specifies the delivery of log files. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.3.0 |106 -|<> |Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Impact] |8.3.0 |106 -|<> |Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Impact], [Resources: Investigation Guide] |8.3.0 |106 -|<> |Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Impact] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.3.0 |106 -|<> |Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies an AWS configuration change to stop recording a designated set of resources. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.3.0 |103 -|<> |Identifies an AWS configuration change to stop recording a designated set of resources. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.9.0 |101 <> +|<> |This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access] |8.8.0 |1 -|<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |101 <> +|<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Impact] |8.3.0 |103 -|<> |Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. 
Disabling encryption by default does not change the encryption status of your existing volumes. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection] |7.9.0 |101 <> +|<> |Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.3.0 |103 -|<> |Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.14.0 |101 <> +|<> |Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Exfiltration], [Tactic: Collection] |8.3.0 |103 -|<> |Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |101 <> +|<> |Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.3.0 |103 -|<> |Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |101 <> +|<> |Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.3.0 |103 -|<> |An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Exfiltration] [Investigation Guide] |7.9.0 |103 <> +|<> |An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration], [Resources: Investigation Guide] |8.3.0 |106 -|<> |Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |101 <> +|<> |Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration], [Tactic: Collection] |8.3.0 |103 -|<> |Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection] |7.16.0 |101 <> +|<> |Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.3.0 |103 -|<> |Identifies when an ElastiCache security group has been created. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.16.0 |101 <> +|<> |Identifies when an ElastiCache security group has been created. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.3.0 |103 -|<> |Identifies when an ElastiCache security group has been modified or deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.16.0 |101 <> +|<> |Identifies when an ElastiCache security group has been modified or deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.3.0 |103 -|<> |Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Impact] |7.16.0 |101 <> +|<> |Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.3.0 |103 -|<> |Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Initial Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Initial Access], [Resources: Investigation Guide] |8.3.0 |106 -|<> |Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.9.0 |101 <> +|<> |Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.3.0 |103 -|<> |Identifies attempts to modify an AWS IAM Assume Role Policy. 
An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Privilege Escalation] |8.3.0 |106 -|<> |Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Credential Access] |8.3.0 |106 -|<> |Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Resources: Investigation Guide], [Tactic: Impact] |8.3.0 |106 -|<> |Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.9.0 |101 <> +|<> |Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Persistence] |8.3.0 |103 -|<> |Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.9.0 |101 <> +|<> |Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.3.0 |103 -|<> |Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.9.0 |101 <> +|<> |Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Initial Access] |8.3.0 |103 -|<> |Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Credential Access] [Persistence] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Credential Access], [Tactic: Persistence], [Resources: Investigation Guide] |8.3.0 |106 -|<> |Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Impact] |8.6.0 |1 +|<> |Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Impact] |8.3.0 |3 -|<> |Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.10.0 |101 <> +|<> |Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |8.3.0 |103 -|<> |Identifies a successful login to the AWS Management Console by the Root user. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies a successful login to the AWS Management Console by the Root user. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Initial Access] |8.3.0 |106 -|<> |Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |101 <> +|<> |Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.3.0 |103 -|<> |Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Persistence] |7.14.0 |101 <> +|<> |Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.3.0 |103 -|<> |Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |101 <> +|<> |Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Impact] |8.3.0 |103 -|<> |Identifies the creation of an Amazon Relational Database Service (RDS) Security group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.14.0 |101 <> +|<> |Identifies the creation of an Amazon Relational Database Service (RDS) Security group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Persistence] |8.3.0 |103 -|<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.14.0 |101 <> +|<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.3.0 |103 -|<> |Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Exfiltration] |7.16.0 |101 <> +|<> |Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration] |8.3.0 |103 -|<> |Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Defense Evasion] |7.16.0 |101 <> +|<> |Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Defense Evasion] |8.3.0 |103 -|<> |Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Persistence] |8.3.0 |101 <> +|<> |Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.3.0 |103 -|<> |Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Privilege Escalation] |8.3.0 |106 -|<> |Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |101 <> +|<> |Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.3.0 |103 -|<> |Identifies when a request has been made to transfer a Route 53 domain to another AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |101 <> +|<> |Identifies when a request has been made to transfer a Route 53 domain to another AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.3.0 |103 -|<> |Identifies when an AWS Route Table has been created. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] [Persistence] |7.16.0 |101 <> +|<> |Identifies when an AWS Route Table has been created. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.3.0 |103 -|<> |Identifies when an AWS Route Table has been modified or deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] [Persistence] |7.16.0 |101 <> +|<> |Identifies when an AWS Route Table has been modified or deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.3.0 |103 -|<> |Identifies when a Route53 private hosted zone has been associated with VPC. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.16.0 |101 <> +|<> |Identifies when a Route53 private hosted zone has been associated with VPC. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.3.0 |103 -|<> |Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |101 <> +|<> |Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Defense Evasion] |8.3.0 |104 -|<> |Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.16.0 |101 <> +|<> |Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Defense Evasion] |8.3.0 |103 -|<> |Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.16.0 |101 <> +|<> |Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation] |8.3.0 |103 -|<> |Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.15.0 |101 <> +|<> |Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.3.0 |103 -|<> |Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.16.0 |101 <> +|<> |Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. 
An adversary could use those credentials to move laterally and escalate privileges. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation] |8.3.0 |103 -|<> |Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.3.0 |106 -|<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |101 <> +|<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.3.0 |103 -|<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |101 <> +|<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.3.0 |103 -|<> |Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. 
Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. |[Elastic] [Host] [Linux] [Threat Detection] [Execution] [BPFDoor] [Investigation Guide] |8.3.0 |102 <> +|<> |Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Threat: BPFDoor], [Resources: Investigation Guide], [Data Source: Elastic Endgame] |8.6.0 |207 -|<> |Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service. |[Elastic] [Network] [Threat Detection] [Lateral Movement] [Investigation Guide] |7.10.0 |102 <> +|<> |Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service. |[Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Use Case: Vulnerability] |8.3.0 |104 -|<> |This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic. 
|[Elastic] [Host] [Network] [Threat Detection] [Command and Control] [Host] [Lateral Movement] [Initial Access] |7.6.0 |101 <> +|<> |This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic. |[Domain: Endpoint], [Use Case: Threat Detection], [Tactic: Command and Control], [Tactic: Lateral Movement], [Tactic: Initial Access] |8.3.0 |103 -|<> |Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. |[Elastic] [Host] [macOS] [Threat Detection] [Credential Access] |7.12.0 |100 <> +|<> |Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access] |8.3.0 |103 -|<> |Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. |[Elastic] [Host] [macOS] [Threat Detection] [Credential Access] |7.10.0 |100 <> +|<> |Adversaries may collect the keychain storage data from a system to acquire credentials. 
Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access] |8.3.0 |103 -|<> |Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access] [Active Directory] |8.6.0 |1 +|<> |Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Use Case: Active Directory Monitoring], [Data Source: Active Directory] |8.3.0 |6 -|<> |Detects the creation and modification of an account with the "Don't Expire Password" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] [Active Directory] [Investigation Guide] |8.2.0 |102 <> +|<> |Detects the creation and modification of an account with the "Don't Expire Password" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |8.3.0 |107 -|<> |Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. 
|[Elastic] [Host] [Windows] [Threat Detection] [Discovery] [Investigation Guide] |7.7.0 |102 <> +|<> |Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Resources: Investigation Guide] |8.3.0 |105 -|<> |Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.0.0 |101 <> +|<> |Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence] |8.3.0 |106 -|<> |This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery] [Investigation Guide] [Elastic Endgame] |7.11.0 |102 <> +|<> |Adversaries may use built-in applications to get a listing of local system or domain accounts and groups. |[Domain: Endpoint], [OS: Linux], [OS: macOS], [Use Case: Threat Detection], [Tactic: Discovery], [Rule Type: BBR] |8.3.0 |1 -|<
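Review bot: The converted tag set for the "Abnormally Large DNS Response" row drops every domain tag (the old `[Elastic] [Network]` becomes only `[Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Use Case: Vulnerability]`), while every other `+` row in this hunk carries a `[Domain: ...]` tag; likewise the "Accepted Default Telnet Port Connection" row goes from `[Host] [Network]` to `[Domain: Endpoint]` alone. If the network domain was dropped deliberately in the upstream rule metadata, fine, but if this is a conversion slip the new tag scheme should carry a domain entry for both rows. The same holds for the last rows shown: the `-` line removing the AdFind ("This rule detects the Active Directory query tool, AdFind.exe.") entry is followed only by the new `+` "Account or Group Discovery via Built-In Tools" row before the excerpt cuts off at `-|<`, so confirm that a `+` row for AdFind with the converted tags is still present after the newly inserted entry rather than the rule being silently dropped from the reference table.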