From 016b74586b442f979516b58268455feb73e255c5 Mon Sep 17 00:00:00 2001
From: protectionsmachine <72879786+protectionsmachine@users.noreply.github.com>
Date: Thu, 14 Dec 2023 16:57:48 +0000
Subject: [PATCH] Update latest docs

---
.../prebuilt-rules-8-12-1-appendix.asciidoc | 6 + .../prebuilt-rules-8-12-1-summary.asciidoc | 12 + ...ebuilt-rules-downloadable-updates.asciidoc | 140 +- .../prebuilt-rules-reference.asciidoc | 2076 +++++++++++------ .../prebuilt-rules/rule-desc-index.asciidoc | 378 ++- .../a-scheduled-task-was-created.asciidoc | 73 +- .../a-scheduled-task-was-updated.asciidoc | 85 +- ...l-process-id-or-lock-file-created.asciidoc | 139 +- .../abnormally-large-dns-response.asciidoc | 99 +- ...ed-default-telnet-port-connection.asciidoc | 114 +- ...ess-of-stored-browser-credentials.asciidoc | 108 +- ...ess-to-a-sensitive-ldap-attribute.asciidoc | 102 +- ...-keychain-credentials-directories.asciidoc | 149 +- .../accessing-outlook-data-files.asciidoc | 65 + ...ured-with-never-expiring-password.asciidoc | 84 +- ...covery-command-via-system-account.asciidoc | 191 +- ...roup-discovery-via-built-in-tools.asciidoc | 87 + .../account-password-reset-remotely.asciidoc | 130 +- ...-hidden-file-attribute-via-attrib.asciidoc | 178 +- .../adfind-command-activity.asciidoc | 176 +- ...vileges-assigned-to-an-okta-group.asciidoc | 71 +- ...tor-role-assigned-to-an-okta-user.asciidoc | 62 +- .../adminsdholder-backdoor.asciidoc | 62 +- ...insdholder-sdprop-exclusion-added.asciidoc | 112 +- .../adobe-hijack-persistence.asciidoc | 167 +- ...behavior-detected-elastic-endgame.asciidoc | 63 +- ...gent-spoofing-mismatched-agent-id.asciidoc | 43 +- ...g-multiple-hosts-using-same-agent.asciidoc | 40 +- ...anomalous-linux-compiler-activity.asciidoc | 56 +- ...us-process-for-a-linux-population.asciidoc | 114 +- ...-process-for-a-windows-population.asciidoc | 149 +- ...nomalous-windows-process-creation.asciidoc | 125 +- ...on-followed-by-network-connection.asciidoc | 88 +- ...ion-with-administrator-privileges.asciidoc | 62 +- 
...-added-to-google-workspace-domain.asciidoc | 128 +- ...rom-blocklist-in-google-workspace.asciidoc | 104 +- ...chive-file-with-unusual-extension.asciidoc | 83 + .../at-exe-command-lateral-movement.asciidoc | 76 + ...tempt-to-clear-kernel-ring-buffer.asciidoc | 72 + .../attempt-to-create-okta-api-token.asciidoc | 72 +- ...to-deactivate-an-okta-application.asciidoc | 91 +- ...o-deactivate-an-okta-network-zone.asciidoc | 93 +- ...to-deactivate-an-okta-policy-rule.asciidoc | 111 +- ...empt-to-deactivate-an-okta-policy.asciidoc | 111 +- ...vate-mfa-for-an-okta-user-account.asciidoc | 71 +- ...mpt-to-delete-an-okta-application.asciidoc | 64 +- ...pt-to-delete-an-okta-network-zone.asciidoc | 93 +- ...mpt-to-delete-an-okta-policy-rule.asciidoc | 100 +- .../attempt-to-delete-an-okta-policy.asciidoc | 111 +- .../attempt-to-disable-gatekeeper.asciidoc | 56 +- ...t-to-disable-iptables-or-firewall.asciidoc | 78 + ...attempt-to-disable-syslog-service.asciidoc | 84 +- ...ttempt-to-enable-the-root-account.asciidoc | 51 +- ...mpt-to-install-kali-linux-via-wsl.asciidoc | 72 + ...tempt-to-install-root-certificate.asciidoc | 64 +- ...mpt-to-modify-an-okta-application.asciidoc | 64 +- ...pt-to-modify-an-okta-network-zone.asciidoc | 124 +- ...mpt-to-modify-an-okta-policy-rule.asciidoc | 118 +- .../attempt-to-modify-an-okta-policy.asciidoc | 102 +- ...-mount-smb-share-via-command-line.asciidoc | 81 +- ...-remove-file-quarantine-attribute.asciidoc | 93 +- ...-factors-for-an-okta-user-account.asciidoc | 71 +- .../attempt-to-revoke-okta-api-token.asciidoc | 94 +- ...ndpoint-security-kernel-extension.asciidoc | 57 +- .../attempted-bypass-of-okta-mfa.asciidoc | 105 +- .../attempted-private-key-access.asciidoc | 72 + ...orce-a-microsoft-365-user-account.asciidoc | 109 +- ...-brute-force-an-okta-user-account.asciidoc | 98 +- ...authorization-plugin-modification.asciidoc | 62 +- .../aws-cloudtrail-log-created.asciidoc | 78 +- .../aws-cloudtrail-log-deleted.asciidoc | 114 +- 
.../aws-cloudtrail-log-suspended.asciidoc | 111 +- .../aws-cloudtrail-log-updated.asciidoc | 115 +- .../aws-cloudwatch-alarm-deletion.asciidoc | 103 +- ...aws-cloudwatch-log-group-deletion.asciidoc | 117 +- ...ws-cloudwatch-log-stream-deletion.asciidoc | 117 +- .../aws-config-resource-deletion.asciidoc | 116 +- ...ws-configuration-recorder-stopped.asciidoc | 79 +- ...s-searched-for-inside-a-container.asciidoc | 70 + ...letion-of-rds-instance-or-cluster.asciidoc | 97 +- .../aws-ec2-encryption-disabled.asciidoc | 79 +- ...l-network-packet-capture-detected.asciidoc | 71 +- ...work-access-control-list-creation.asciidoc | 80 +- ...work-access-control-list-deletion.asciidoc | 84 +- .../aws-ec2-snapshot-activity.asciidoc | 101 +- .../aws-ec2-vm-export-failure.asciidoc | 58 +- ...-efs-file-system-or-mount-deleted.asciidoc | 70 +- ...lasticache-security-group-created.asciidoc | 69 +- ...ecurity-group-modified-or-deleted.asciidoc | 74 +- ...ntbridge-rule-disabled-or-deleted.asciidoc | 69 +- .../aws-execution-via-system-manager.asciidoc | 111 +- .../aws-guardduty-detector-deletion.asciidoc | 82 +- ...aws-iam-assume-role-policy-update.asciidoc | 102 +- ...brute-force-of-assume-role-policy.asciidoc | 111 +- ...ws-iam-deactivation-of-mfa-device.asciidoc | 97 +- .../aws-iam-group-creation.asciidoc | 82 +- .../aws-iam-group-deletion.asciidoc | 74 +- ...s-iam-password-recovery-requested.asciidoc | 75 +- .../aws-iam-user-addition-to-group.asciidoc | 103 +- ...isabled-or-scheduled-for-deletion.asciidoc | 41 +- ...brute-force-of-root-user-identity.asciidoc | 61 +- ...aws-management-console-root-login.asciidoc | 100 +- .../aws-rds-cluster-creation.asciidoc | 82 +- ...aws-rds-instance-cluster-stoppage.asciidoc | 74 +- .../aws-rds-instance-creation.asciidoc | 62 +- .../aws-rds-security-group-creation.asciidoc | 64 +- .../aws-rds-security-group-deletion.asciidoc | 60 +- .../aws-rds-snapshot-export.asciidoc | 56 +- .../aws-rds-snapshot-restored.asciidoc | 68 +- 
.../aws-redshift-cluster-creation.asciidoc | 55 +- .../aws-root-login-without-mfa.asciidoc | 106 +- ...-53-domain-transfer-lock-disabled.asciidoc | 57 +- ...in-transferred-to-another-account.asciidoc | 58 +- .../aws-route-table-created.asciidoc | 71 +- ...s-route-table-modified-or-deleted.asciidoc | 65 +- ...hosted-zone-associated-with-a-vpc.asciidoc | 61 +- ...-s3-bucket-configuration-deletion.asciidoc | 82 +- .../rule-details/aws-saml-activity.asciidoc | 70 +- ...up-configuration-change-detection.asciidoc | 93 +- ...oken-service-sts-assumerole-usage.asciidoc | 76 +- .../aws-sts-getsessiontoken-abuse.asciidoc | 69 +- .../aws-vpc-flow-logs-deletion.asciidoc | 111 +- ...-waf-access-control-list-deletion.asciidoc | 82 +- ...s-waf-rule-or-rule-group-deletion.asciidoc | 92 +- ...ctive-directory-high-risk-sign-in.asciidoc | 85 +- ...-high-risk-user-sign-in-heuristic.asciidoc | 72 +- ...tive-directory-powershell-sign-in.asciidoc | 98 +- ...lobal-administrator-role-assigned.asciidoc | 63 +- ...pression-rule-created-or-modified.asciidoc | 65 +- ...plication-credential-modification.asciidoc | 67 +- .../azure-automation-account-created.asciidoc | 80 +- ...ation-runbook-created-or-modified.asciidoc | 87 +- .../azure-automation-runbook-deleted.asciidoc | 95 +- .../azure-automation-webhook-created.asciidoc | 83 +- ...ntainer-access-level-modification.asciidoc | 82 +- ...ure-blob-permissions-modification.asciidoc | 71 +- ...mand-execution-on-virtual-machine.asciidoc | 80 +- ...onditional-access-policy-modified.asciidoc | 82 +- ...zure-diagnostic-settings-deletion.asciidoc | 83 +- ...orization-rule-created-or-updated.asciidoc | 84 +- .../azure-event-hub-deletion.asciidoc | 87 +- ...re-external-guest-user-invitation.asciidoc | 77 +- .../azure-firewall-policy-deletion.asciidoc | 86 +- ...ation-firewall-waf-policy-deleted.asciidoc | 61 +- ...l-network-packet-capture-detected.asciidoc | 70 +- ...strator-role-addition-to-pim-user.asciidoc | 87 +- .../azure-key-vault-modified.asciidoc 
| 83 +- .../azure-kubernetes-events-deleted.asciidoc | 75 +- .../azure-kubernetes-pods-deleted.asciidoc | 66 +- ...e-kubernetes-rolebindings-created.asciidoc | 66 +- .../azure-network-watcher-deletion.asciidoc | 86 +- ...identity-management-role-modified.asciidoc | 98 +- .../azure-resource-group-deletion.asciidoc | 86 +- .../azure-service-principal-addition.asciidoc | 95 +- ...rvice-principal-credentials-added.asciidoc | 63 +- ...e-storage-account-key-regenerated.asciidoc | 80 +- ...etwork-device-modified-or-deleted.asciidoc | 108 +- ...base32-encoding-decoding-activity.asciidoc | 76 +- .../bash-shell-profile-modification.asciidoc | 81 +- .../binary-content-copy-via-cmd-exe.asciidoc | 76 + ...uted-from-shared-memory-directory.asciidoc | 77 +- .../rule-details/bitsadmin-activity.asciidoc | 86 + .../bpf-filter-applied-using-tc.asciidoc | 54 +- .../browser-extension-install.asciidoc | 72 + .../bypass-uac-via-event-viewer.asciidoc | 197 +- .../bypass-uac-via-sdclt.asciidoc | 92 + .../chkconfig-service-add.asciidoc | 144 +- .../clearing-windows-console-history.asciidoc | 125 +- .../clearing-windows-event-logs.asciidoc | 185 +- ...strike-command-and-control-beacon.asciidoc | 85 +- ...dification-through-built-in-tools.asciidoc | 125 + ...icy-modification-through-registry.asciidoc | 132 ++ ...-execution-via-solarwinds-process.asciidoc | 110 +- ...command-prompt-network-connection.asciidoc | 173 +- ...ell-activity-started-via-rundll32.asciidoc | 119 +- .../component-object-model-hijacking.asciidoc | 277 +-- ...ion-dll-loaded-by-unusual-process.asciidoc | 77 + ...wned-by-suspicious-parent-process.asciidoc | 150 +- ...ed-free-ssl-certificate-providers.asciidoc | 98 +- ...n-to-commonly-abused-web-services.asciidoc | 396 ++-- ...on-to-external-network-via-telnet.asciidoc | 102 +- ...on-to-internal-network-via-telnet.asciidoc | 102 +- ...nt-utility-run-inside-a-container.asciidoc | 60 + .../container-workload-protection.asciidoc | 45 + 
...el-process-with-unusual-arguments.asciidoc | 112 +- ...on-of-a-hidden-local-user-account.asciidoc | 84 +- ...s-and-directories-via-commandline.asciidoc | 102 +- ...-of-hidden-launch-agent-or-daemon.asciidoc | 90 +- ...idden-login-item-via-apple-script.asciidoc | 69 +- ...tion-of-hidden-shared-object-file.asciidoc | 59 +- .../creation-of-kernel-module.asciidoc | 66 + ...eation-of-settingcontent-ms-files.asciidoc | 79 + ...new-gpo-scheduled-task-or-service.asciidoc | 111 +- ...f-domain-backup-dpapi-private-key.asciidoc | 90 +- ...-modification-of-root-certificate.asciidoc | 178 +- ...isition-via-registry-hive-dumping.asciidoc | 136 +- ...-dumping-detected-elastic-endgame.asciidoc | 66 +- ...dumping-prevented-elastic-endgame.asciidoc | 66 +- ...pulation-detected-elastic-endgame.asciidoc | 64 +- ...ulation-prevented-elastic-endgame.asciidoc | 64 +- ...ged-by-previously-unknown-process.asciidoc | 174 ++ ...-privileged-access-security-error.asciidoc | 52 +- ...cess-security-recommended-monitor.asciidoc | 60 +- ...lt-strike-team-server-certificate.asciidoc | 89 +- .../delayed-execution-via-ping.asciidoc | 149 ++ ...te-volume-usn-journal-with-fsutil.asciidoc | 147 +- ...ting-backup-catalogs-with-wbadmin.asciidoc | 138 +- ...ell-via-suspicious-parent-process.asciidoc | 95 + .../direct-outbound-smb-connection.asciidoc | 180 +- ...ecurity-logs-using-built-in-tools.asciidoc | 148 +- ...-windows-firewall-rules-via-netsh.asciidoc | 140 +- ...control-via-registry-modification.asciidoc | 139 +- ...-security-settings-via-powershell.asciidoc | 124 +- .../discovery-of-domain-groups.asciidoc | 64 + ...t-capabilities-via-built-in-tools.asciidoc | 66 + ...s-over-https-enabled-via-registry.asciidoc | 79 +- .../rule-details/dns-tunneling.asciidoc | 51 +- ...-google-workspace-trusted-domains.asciidoc | 129 +- .../downloaded-shortcut-files.asciidoc | 80 + .../downloaded-url-files.asciidoc | 77 + ...ount-hashes-via-built-in-commands.asciidoc | 48 +- 
...hain-content-via-security-command.asciidoc | 60 +- .../rule-details/dynamic-linker-copy.asciidoc | 56 +- .../eggshell-backdoor-execution.asciidoc | 51 +- .../elastic-agent-service-terminated.asciidoc | 121 +- ...nd-rules-creation-or-modification.asciidoc | 71 +- ...-host-network-discovery-via-netsh.asciidoc | 93 +- ...executable-stored-in-the-registry.asciidoc | 66 +- ...ncrypting-files-with-winrar-or-7z.asciidoc | 145 +- .../rule-details/endpoint-security.asciidoc | 37 +- ...ing-domain-trusts-via-dsquery-exe.asciidoc | 111 + ...ting-domain-trusts-via-nltest-exe.asciidoc | 116 + ...tion-command-spawned-via-wmiprvse.asciidoc | 132 +- ...eration-of-administrator-accounts.asciidoc | 151 +- ...ration-of-kernel-modules-via-proc.asciidoc | 59 + .../enumeration-of-kernel-modules.asciidoc | 74 +- ...rivileged-local-groups-membership.asciidoc | 241 +- ...s-or-groups-via-built-in-commands.asciidoc | 146 +- .../esxi-discovery-via-find.asciidoc | 62 + .../esxi-discovery-via-grep.asciidoc | 63 + ...-timestomping-using-touch-command.asciidoc | 66 + ...nge-mailbox-export-via-powershell.asciidoc | 128 + ...creation-with-multiple-extensions.asciidoc | 103 +- ...table-file-with-unusual-extension.asciidoc | 80 + ...ble-media-with-network-connection.asciidoc | 68 + ...om-unusual-directory-command-line.asciidoc | 523 ++--- .../execution-of-an-unsigned-service.asciidoc | 79 + ...ecution-of-com-object-via-xwizard.asciidoc | 84 +- ...n-or-modified-by-microsoft-office.asciidoc | 137 +- ...written-or-modified-by-pdf-reader.asciidoc | 137 +- ...-of-persistent-suspicious-program.asciidoc | 102 +- ...tron-child-process-node-js-module.asciidoc | 72 + ...ution-via-local-sxs-shared-module.asciidoc | 67 +- ...a-microsoft-dotnet-clickonce-host.asciidoc | 71 + ...isualstudio-pre-post-build-events.asciidoc | 108 + ...ssql-xp-cmdshell-stored-procedure.asciidoc | 134 ++ ...execution-via-tsclient-mountpoint.asciidoc | 73 +- ...n-via-windows-subsystem-for-linux.asciidoc | 78 + 
...xplicit-credentials-via-scripting.asciidoc | 85 +- .../expired-or-revoked-driver-loaded.asciidoc | 75 + .../exploit-detected-elastic-endgame.asciidoc | 66 +- ...exploit-prevented-elastic-endgame.asciidoc | 66 +- ...g-exchange-mailbox-via-powershell.asciidoc | 148 +- .../rule-details/external-alerts.asciidoc | 55 +- ...p-lookup-from-non-browser-process.asciidoc | 214 +- ...r-added-to-google-workspace-group.asciidoc | 127 + ...irectory-permissions-modification.asciidoc | 70 + ...ed-or-archived-into-common-format.asciidoc | 131 ++ ...-deletion-in-suspicious-directory.asciidoc | 72 + .../file-creation-time-changed.asciidoc | 80 + .../file-deletion-via-shred.asciidoc | 76 +- ...able-via-chmod-inside-a-container.asciidoc | 76 + .../file-made-immutable-by-chattr.asciidoc | 56 +- ...ile-or-directory-deletion-command.asciidoc | 78 + ...odification-in-writable-directory.asciidoc | 73 +- ...ged-in-root-folder-of-recycle-bin.asciidoc | 67 + ...r-listener-established-via-netcat.asciidoc | 173 +- ...h-suspicious-extension-downloaded.asciidoc | 87 + ...ync-plugin-registered-and-enabled.asciidoc | 90 +- ...ta-user-session-started-via-proxy.asciidoc | 97 + ...value-accessed-in-secrets-manager.asciidoc | 119 + ...used-remote-access-tool-execution.asciidoc | 126 + .../first-time-seen-driver-loaded.asciidoc | 144 ++ ...ogin-from-third-party-application.asciidoc | 97 + ...seen-newcredentials-logon-process.asciidoc | 66 + .../first-time-seen-removable-device.asciidoc | 79 + ...me-seen-account-performing-dcsync.asciidoc | 136 ++ ...d-google-workspace-security-alert.asciidoc | 61 + ...er-mode-dumps-enabled-system-wide.asciidoc | 45 +- .../gcp-firewall-rule-creation.asciidoc | 80 +- .../gcp-firewall-rule-deletion.asciidoc | 80 +- .../gcp-firewall-rule-modification.asciidoc | 80 +- .../gcp-iam-custom-role-creation.asciidoc | 85 +- .../gcp-iam-role-deletion.asciidoc | 83 +- ...-iam-service-account-key-deletion.asciidoc | 86 +- .../gcp-logging-bucket-deletion.asciidoc | 89 +- 
.../gcp-logging-sink-deletion.asciidoc | 86 +- .../gcp-logging-sink-modification.asciidoc | 83 +- ...gcp-pub-sub-subscription-creation.asciidoc | 88 +- ...gcp-pub-sub-subscription-deletion.asciidoc | 86 +- .../gcp-pub-sub-topic-creation.asciidoc | 88 +- .../gcp-pub-sub-topic-deletion.asciidoc | 86 +- .../gcp-service-account-creation.asciidoc | 83 +- .../gcp-service-account-deletion.asciidoc | 83 +- .../gcp-service-account-disabled.asciidoc | 83 +- .../gcp-service-account-key-creation.asciidoc | 83 +- ...bucket-configuration-modification.asciidoc | 87 +- .../gcp-storage-bucket-deletion.asciidoc | 85 +- ...e-bucket-permissions-modification.asciidoc | 86 +- ...al-private-cloud-network-deletion.asciidoc | 85 +- ...tual-private-cloud-route-creation.asciidoc | 98 +- ...tual-private-cloud-route-deletion.asciidoc | 85 +- ...github-owner-role-granted-to-user.asciidoc | 62 + ...protected-branch-settings-changed.asciidoc | 63 + .../github-repository-deleted.asciidoc | 58 + ...-transferred-via-google-workspace.asciidoc | 95 +- ...gle-workspace-2sv-policy-disabled.asciidoc | 91 +- ...ace-admin-role-assigned-to-a-user.asciidoc | 143 +- ...gle-workspace-admin-role-deletion.asciidoc | 125 +- ...main-wide-delegation-of-authority.asciidoc | 126 +- ...kspace-bitlocker-setting-disabled.asciidoc | 96 +- ...rkspace-custom-admin-role-created.asciidoc | 129 +- ...m-gmail-route-created-or-modified.asciidoc | 96 +- ...ey-s-accessed-from-anonymous-user.asciidoc | 85 + ...orkspace-mfa-enforcement-disabled.asciidoc | 131 +- ...ess-granted-to-custom-application.asciidoc | 138 ++ ...orkspace-password-policy-modified.asciidoc | 172 +- ...etplace-modified-to-allow-any-app.asciidoc | 107 +- .../google-workspace-role-modified.asciidoc | 131 +- ...ce-suspended-user-account-renewed.asciidoc | 80 + ...-user-organizational-unit-changed.asciidoc | 101 +- ...licy-abuse-for-privilege-addition.asciidoc | 97 +- ...ry-via-microsoft-gpresult-utility.asciidoc | 101 + 
...fbaked-command-and-control-beacon.asciidoc | 85 +- ...s-and-directories-via-hidden-flag.asciidoc | 65 + ...ocess-arguments-in-an-rdp-session.asciidoc | 52 + ...high-mean-of-rdp-session-duration.asciidoc | 52 + ...password-reset-or-unlock-attempts.asciidoc | 114 +- ...ocess-and-or-service-terminations.asciidoc | 93 +- ...gh-number-of-process-terminations.asciidoc | 81 +- ...-variance-in-rdp-session-duration.asciidoc | 52 + ...s-via-windows-subsystem-for-linux.asciidoc | 70 + .../rule-details/hosts-file-modified.asciidoc | 153 +- .../hping-process-activity.asciidoc | 87 +- .../iis-http-logging-disabled.asciidoc | 135 +- ...-file-execution-options-injection.asciidoc | 125 +- ...age-loaded-with-invalid-signature.asciidoc | 70 + ...windows-update-auto-update-client.asciidoc | 139 +- ...to-an-unsecure-elasticsearch-node.asciidoc | 76 +- ...g-dcom-lateral-movement-via-mshta.asciidoc | 127 +- ...ng-dcom-lateral-movement-with-mmc.asciidoc | 115 +- ...hellbrowserwindow-or-shellwindows.asciidoc | 103 +- ...execution-via-powershell-remoting.asciidoc | 104 +- ...-execution-via-winrm-remote-shell.asciidoc | 86 +- ...and-execution-via-forfiles-pcalua.asciidoc | 61 + ...ingress-transfer-via-windows-bits.asciidoc | 84 + ...allation-of-custom-shim-databases.asciidoc | 81 +- ...tion-of-security-support-provider.asciidoc | 108 +- .../installutil-activity.asciidoc | 65 + ...rocess-making-network-connections.asciidoc | 83 +- ...nched-against-a-running-container.asciidoc | 79 + ...ctive-logon-by-an-unusual-process.asciidoc | 79 + ...ractive-terminal-spawned-via-perl.asciidoc | 68 +- ...ctive-terminal-spawned-via-python.asciidoc | 107 +- ...ipsec-nat-traversal-port-activity.asciidoc | 80 +- ...rberos-cached-credentials-dumping.asciidoc | 65 +- ...-authentication-disabled-for-user.asciidoc | 108 +- ...eros-traffic-from-unusual-process.asciidoc | 219 +- .../rule-details/kernel-driver-load.asciidoc | 74 + ...load-or-unload-via-kexec-detected.asciidoc | 90 + 
.../kernel-module-load-via-insmod.asciidoc | 55 +- .../kernel-module-removal.asciidoc | 93 +- ...ssword-retrieval-via-command-line.asciidoc | 90 +- .../rule-details/kirbi-file-creation.asciidoc | 64 + .../krbtgt-delegation-backdoor.asciidoc | 59 +- ...etes-anonymous-request-authorized.asciidoc | 69 +- ...with-excessive-linux-capabilities.asciidoc | 67 +- ...es-denied-service-account-request.asciidoc | 48 +- ...ervice-created-with-type-nodeport.asciidoc | 64 +- ...-with-a-sensitive-hostpath-volume.asciidoc | 108 +- ...bernetes-pod-created-with-hostipc.asciidoc | 69 +- ...etes-pod-created-with-hostnetwork.asciidoc | 69 +- ...bernetes-pod-created-with-hostpid.asciidoc | 69 +- ...kubernetes-privileged-pod-created.asciidoc | 69 +- ...ent-of-controller-service-account.asciidoc | 68 +- ...es-suspicious-self-subject-review.asciidoc | 82 +- .../kubernetes-user-exec-into-pod.asciidoc | 77 +- ...teral-movement-via-startup-folder.asciidoc | 88 +- ...odification-and-immediate-loading.asciidoc | 71 +- ...odification-and-immediate-loading.asciidoc | 80 +- .../linux-group-creation.asciidoc | 119 + ...ux-init-pid-1-secret-dump-via-gdb.asciidoc | 67 + ...shell-breakout-via-linux-binary-s.asciidoc | 193 ++ .../linux-secret-dumping-via-gdb.asciidoc | 70 + ...inux-system-information-discovery.asciidoc | 66 + .../linux-user-account-creation.asciidoc | 118 + ...ux-user-added-to-privileged-group.asciidoc | 128 + ...count-tokenfilter-policy-disabled.asciidoc | 64 +- .../local-scheduled-task-creation.asciidoc | 199 +- .../lsass-memory-dump-creation.asciidoc | 168 +- .../lsass-memory-dump-handle-access.asciidoc | 172 +- ...ss-process-access-via-windows-api.asciidoc | 116 + ...uest-predicted-to-be-a-dga-domain.asciidoc | 70 + ...with-a-high-dga-probability-score.asciidoc | 70 + ...redicted-to-be-malicious-activity.asciidoc | 70 + ...-high-malicious-probability-score.asciidoc | 71 + ...using-a-known-sunburst-dns-domain.asciidoc | 70 + ...ller-package-spawns-network-event.asciidoc | 114 +- 
.../malicious-remote-file-creation.asciidoc | 63 + .../malware-detected-elastic-endgame.asciidoc | 57 +- ...malware-prevented-elastic-endgame.asciidoc | 57 +- ...masquerading-space-after-filename.asciidoc | 50 +- ...-dump-file-with-unusual-extension.asciidoc | 86 + ...for-google-workspace-organization.asciidoc | 139 +- ...change-anti-phish-policy-deletion.asciidoc | 66 +- ...ange-anti-phish-rule-modification.asciidoc | 66 +- ...im-signing-configuration-disabled.asciidoc | 69 +- ...t-365-exchange-dlp-policy-removed.asciidoc | 66 +- ...ge-malware-filter-policy-deletion.asciidoc | 66 +- ...-malware-filter-rule-modification.asciidoc | 66 +- ...-management-group-role-assignment.asciidoc | 66 +- ...nge-safe-attachment-rule-disabled.asciidoc | 66 +- ...xchange-safe-link-policy-disabled.asciidoc | 66 +- ...-exchange-transport-rule-creation.asciidoc | 69 +- ...hange-transport-rule-modification.asciidoc | 66 +- ...lobal-administrator-role-assigned.asciidoc | 61 +- ...ft-365-impossible-travel-activity.asciidoc | 70 + ...365-inbox-forwarding-rule-created.asciidoc | 113 +- ...65-mass-download-by-a-single-user.asciidoc | 66 + ...365-potential-ransomware-activity.asciidoc | 60 +- ...m-application-interaction-allowed.asciidoc | 63 +- ...365-teams-external-access-enabled.asciidoc | 70 +- ...ft-365-teams-guest-access-enabled.asciidoc | 67 +- ...5-unusual-volume-of-file-deletion.asciidoc | 57 +- ...ser-restricted-from-sending-email.asciidoc | 57 +- ...engine-started-an-unusual-process.asciidoc | 122 +- ...ngine-started-by-a-script-process.asciidoc | 138 +- ...ngine-started-by-a-system-process.asciidoc | 115 +- ...-started-by-an-office-application.asciidoc | 166 +- ...ld-engine-using-an-alternate-name.asciidoc | 176 +- ...-um-spawning-suspicious-processes.asciidoc | 92 +- ...erver-um-writing-suspicious-files.asciidoc | 109 +- ...ge-transport-agent-install-script.asciidoc | 83 + ...ker-spawning-suspicious-processes.asciidoc | 92 +- ...iis-connection-strings-decryption.asciidoc | 90 +- 
...s-service-account-password-dumped.asciidoc | 97 +- ...rosoft-windows-defender-tampering.asciidoc | 258 +- ...mimikatz-memssp-log-file-detected.asciidoc | 105 +- ...cation-of-amsienable-registry-key.asciidoc | 126 +- ...odification-of-boot-configuration.asciidoc | 145 +- ...-shared-object-inside-a-container.asciidoc | 65 + ...amic-linker-preload-shared-object.asciidoc | 57 +- ...nvironment-variable-via-launchctl.asciidoc | 100 +- .../modification-of-openssh-binaries.asciidoc | 91 +- ...ari-settings-via-defaults-command.asciidoc | 65 +- ...ntication-module-or-configuration.asciidoc | 126 +- ...on-of-the-mspkiaccountcredentials.asciidoc | 45 +- ...tion-of-wdigest-security-provider.asciidoc | 136 +- ...n-okta-application-sign-on-policy.asciidoc | 78 +- .../rule-details/mofcomp-activity.asciidoc | 74 + ...ng-hidden-or-webdav-remote-shares.asciidoc | 116 +- ...o-security-registry-modifications.asciidoc | 146 +- ...sbuild-making-network-connections.asciidoc | 154 +- .../mshta-making-network-connections.asciidoc | 97 +- ...cation-disabled-for-an-azure-user.asciidoc | 94 +- ...t-att-ck-tactics-on-a-single-host.asciidoc | 28 +- .../multiple-alerts-involving-a-user.asciidoc | 45 + ...failure-followed-by-logon-success.asciidoc | 123 +- ...lure-from-the-same-source-address.asciidoc | 123 +- ...dresses-for-a-single-user-session.asciidoc | 77 + ...ssions-detected-for-a-single-user.asciidoc | 76 + ...-device-token-hash-behind-a-proxy.asciidoc | 126 + ...ltiple-vault-web-credentials-read.asciidoc | 69 +- .../rule-details/my-first-rule.asciidoc | 72 + ...espace-manipulation-using-unshare.asciidoc | 43 +- ...er-established-inside-a-container.asciidoc | 74 + ...t-listener-established-via-rlwrap.asciidoc | 66 + .../rule-details/netsh-helper-dll.asciidoc | 78 + ...network-activity-detected-via-cat.asciidoc | 67 + ...ork-activity-detected-via-kworker.asciidoc | 76 + .../network-connection-via-certutil.asciidoc | 160 +- ...connection-via-compiled-html-file.asciidoc | 191 +- 
.../network-connection-via-msxsl.asciidoc | 101 +- ...-via-recently-compiled-executable.asciidoc | 76 + ...nnection-via-registration-utility.asciidoc | 259 +- ...work-connection-via-signed-binary.asciidoc | 209 +- ...level-authentication-nla-disabled.asciidoc | 72 + ...on-provider-registry-modification.asciidoc | 98 +- ...affic-to-rare-destination-country.asciidoc | 39 +- ...oweddeviceid-added-via-powershell.asciidoc | 106 +- .../new-github-app-installed.asciidoc | 58 + .../new-github-owner-added.asciidoc | 62 + ...-authentication-behavior-detected.asciidoc | 92 + ...ntity-provider-idp-added-by-admin.asciidoc | 102 + ...new-or-modified-federation-domain.asciidoc | 74 +- ...ted-by-previously-unknown-process.asciidoc | 173 ++ .../new-systemd-timer-created.asciidoc | 140 ++ .../nping-process-activity.asciidoc | 79 +- .../ntds-or-sam-database-file-copied.asciidoc | 116 +- ...sessionpipe-registry-modification.asciidoc | 78 +- ...orted-by-user-as-malware-or-phish.asciidoc | 61 +- ...ssive-single-sign-on-logon-errors.asciidoc | 69 +- ...spicious-mailbox-right-delegation.asciidoc | 83 +- ...o365-mailbox-audit-logging-bypass.asciidoc | 61 +- .../office-test-registry-persistence.asciidoc | 76 + ...force-or-password-spraying-attack.asciidoc | 99 +- .../okta-fastpass-phishing-detection.asciidoc | 72 + ...ign-in-events-via-third-party-idp.asciidoc | 116 + ...nsight-threat-suspected-promotion.asciidoc | 62 + .../okta-user-session-impersonation.asciidoc | 77 +- ...arted-from-different-geolocations.asciidoc | 77 + .../onedrive-malware-file-upload.asciidoc | 53 +- ...uled-task-activity-via-powershell.asciidoc | 102 +- .../parent-process-pid-spoofing.asciidoc | 140 +- .../peripheral-device-discovery.asciidoc | 116 +- ...on-theft-detected-elastic-endgame.asciidoc | 64 +- ...n-theft-prevented-elastic-endgame.asciidoc | 64 +- ...tence-via-bits-job-notify-cmdline.asciidoc | 68 +- ...ectoryservice-plugin-modification.asciidoc | 47 +- ...-via-docker-shortcut-modification.asciidoc | 61 +- 
...sistence-via-folder-action-script.asciidoc | 100 +- ...tence-via-hidden-run-key-detected.asciidoc | 138 +- ...ript-or-desktop-file-modification.asciidoc | 96 +- ...sistence-via-login-or-logout-hook.asciidoc | 87 +- ...tence-via-microsoft-office-addins.asciidoc | 89 +- ...istence-via-microsoft-outlook-vba.asciidoc | 74 +- ...ersistence-via-powershell-profile.asciidoc | 59 +- ...stence-via-scheduled-job-creation.asciidoc | 67 +- ...ycontroller-scheduled-task-hijack.asciidoc | 138 +- ...pdate-orchestrator-service-hijack.asciidoc | 210 +- ...stence-via-wmi-event-subscription.asciidoc | 103 +- ...ia-wmi-standard-registry-provider.asciidoc | 253 +- ...-scripts-in-the-startup-directory.asciidoc | 152 +- .../port-forwarding-rule-addition.asciidoc | 131 +- ...-via-azure-registered-application.asciidoc | 126 +- ...-dga-command-and-control-behavior.asciidoc | 84 +- .../possible-okta-dos-attack.asciidoc | 81 +- ...tial-admin-group-account-addition.asciidoc | 52 +- ...n-interface-bypass-via-powershell.asciidoc | 160 ++ ...-application-shimming-via-sdbinst.asciidoc | 114 +- ...ial-code-execution-via-postgresql.asciidoc | 69 + ...and-control-via-internet-explorer.asciidoc | 134 +- ...okies-theft-via-browser-debugging.asciidoc | 93 +- ...tial-credential-access-via-dcsync.asciidoc | 174 +- ...cess-via-duplicatehandle-in-lsass.asciidoc | 80 +- ...tial-access-via-lsass-memory-dump.asciidoc | 109 +- ...ess-via-memory-dump-file-creation.asciidoc | 102 + ...cess-via-renamed-com-services-dll.asciidoc | 90 +- ...ess-via-trusted-developer-utility.asciidoc | 194 +- ...tial-access-via-windows-utilities.asciidoc | 213 +- ...otential-cross-site-scripting-xss.asciidoc | 62 + ...-curl-cve-2023-38545-exploitation.asciidoc | 68 + ...ty-to-an-unusual-destination-port.asciidoc | 51 + ...activity-to-an-unusual-ip-address.asciidoc | 51 + ...n-activity-to-an-unusual-iso-code.asciidoc | 51 + ...ion-activity-to-an-unusual-region.asciidoc | 51 + ...ial-defense-evasion-via-cmstp-exe.asciidoc | 67 + 
...tential-defense-evasion-via-proot.asciidoc | 61 + .../potential-dga-activity.asciidoc | 51 + .../potential-disabling-of-apparmor.asciidoc | 66 + .../potential-disabling-of-selinux.asciidoc | 72 +- ...ft-antimalware-service-executable.asciidoc | 100 +- ...ng-via-trusted-microsoft-programs.asciidoc | 81 + ...ential-dns-tunneling-via-nslookup.asciidoc | 108 +- ...ential-evasion-via-filter-manager.asciidoc | 155 +- ...quoted-service-path-vulnerability.asciidoc | 68 + ...al-linux-ssh-brute-force-detected.asciidoc | 118 + ...tential-file-transfer-via-certreq.asciidoc | 84 + ...idden-local-user-account-creation.asciidoc | 52 +- ...-hidden-process-via-mount-hidepid.asciidoc | 62 + ...al-linux-ssh-brute-force-detected.asciidoc | 114 + ...invoke-mimikatz-powershell-script.asciidoc | 101 +- ...al-java-jndi-exploitation-attempt.asciidoc | 95 +- ...ntial-kerberos-attack-via-bifrost.asciidoc | 72 +- ...teral-tool-transfer-via-smb-share.asciidoc | 125 +- ...ux-backdoor-user-account-creation.asciidoc | 123 + ...ntial-dumping-via-proc-filesystem.asciidoc | 76 + ...x-credential-dumping-via-unshadow.asciidoc | 68 + ...otential-linux-hack-tool-launched.asciidoc | 73 + ...ocal-account-brute-force-detected.asciidoc | 67 + ...ransomware-note-creation-detected.asciidoc | 67 + ...otential-linux-ssh-x11-forwarding.asciidoc | 64 + ...-tunneling-and-or-port-forwarding.asciidoc | 77 + ...tential-local-ntlm-relay-via-http.asciidoc | 84 +- ...-lsa-authentication-package-abuse.asciidoc | 66 +- ...e-creation-via-psscapturesnapshot.asciidoc | 67 +- ...emory-dump-via-psscapturesnapshot.asciidoc | 71 +- ...al-macos-ssh-brute-force-detected.asciidoc | 48 +- ...file-downloaded-from-google-drive.asciidoc | 113 + ...l-masquerading-as-browser-process.asciidoc | 189 ++ ...erading-as-business-app-installer.asciidoc | 218 ++ ...asquerading-as-communication-apps.asciidoc | 134 ++ ...tial-masquerading-as-system32-dll.asciidoc | 149 ++ ...squerading-as-system32-executable.asciidoc | 102 + 
...potential-masquerading-as-vlc-dll.asciidoc | 82 + ...tential-meterpreter-reverse-shell.asciidoc | 81 + ...-microsoft-office-sandbox-evasion.asciidoc | 51 +- ...ication-of-accessibility-binaries.asciidoc | 226 +- .../potential-network-scan-detected.asciidoc | 74 + ...l-network-scan-executed-from-host.asciidoc | 60 + ...potential-network-share-discovery.asciidoc | 76 + .../potential-network-sweep-detected.asciidoc | 75 + ...andard-port-http-https-connection.asciidoc | 84 + ...-non-standard-port-ssh-connection.asciidoc | 48 +- ...fa-bombing-via-push-notifications.asciidoc | 112 + ...openssh-backdoor-logging-activity.asciidoc | 125 +- ...rdp-connection-by-unusual-process.asciidoc | 66 + ...tential-pass-the-hash-pth-attempt.asciidoc | 69 + ...ng-of-microsoft-365-user-accounts.asciidoc | 100 +- ...rsistence-through-init-d-detected.asciidoc | 138 ++ ...rough-motd-file-creation-detected.asciidoc | 133 ++ ...ence-through-run-control-detected.asciidoc | 141 ++ ...persistence-through-systemd-udevd.asciidoc | 67 + ...via-atom-init-script-modification.asciidoc | 48 +- ...ential-persistence-via-login-hook.asciidoc | 71 +- ...al-persistence-via-periodic-tasks.asciidoc | 52 +- ...ce-via-time-provider-modification.asciidoc | 131 +- ...rint-processor-registration-abuse.asciidoc | 92 +- ...hacktool-script-by-function-names.asciidoc | 248 ++ ...-bypass-via-localhost-secure-copy.asciidoc | 77 +- ...rol-bypass-via-tccdb-modification.asciidoc | 74 +- ...on-through-writable-docker-socket.asciidoc | 67 + ...on-via-container-misconfiguration.asciidoc | 67 + ...lege-escalation-via-cve-2023-4911.asciidoc | 64 + ...alation-via-installerfiletakeover.asciidoc | 168 +- ...rivilege-escalation-via-overlayfs.asciidoc | 67 + ...l-privilege-escalation-via-pkexec.asciidoc | 56 +- ...-escalation-via-python-cap-setuid.asciidoc | 71 + ...-via-recently-compiled-executable.asciidoc | 68 + ...ion-via-sudoers-file-modification.asciidoc | 49 +- ...tion-via-uid-int-max-bug-detected.asciidoc | 64 + 
...ation-via-samaccountname-spoofing.asciidoc | 74 +- ...tial-process-herpaderping-attempt.asciidoc | 75 +- ...injection-from-malicious-document.asciidoc | 93 + ...-process-injection-via-powershell.asciidoc | 155 +- ...tocol-tunneling-via-chisel-client.asciidoc | 70 + ...tocol-tunneling-via-chisel-server.asciidoc | 70 + ...-protocol-tunneling-via-earthworm.asciidoc | 58 +- ...-pspy-process-monitoring-detected.asciidoc | 67 + ...ote-code-execution-via-web-server.asciidoc | 154 ++ ...te-credential-access-via-registry.asciidoc | 134 +- ...remote-desktop-shadowing-activity.asciidoc | 96 +- ...remote-desktop-tunneling-detected.asciidoc | 140 +- ...remote-file-execution-via-msiexec.asciidoc | 107 + ...verse-shell-activity-via-terminal.asciidoc | 110 +- ...erse-shell-via-background-process.asciidoc | 73 + .../potential-reverse-shell-via-java.asciidoc | 81 + ...verse-shell-via-suspicious-binary.asciidoc | 90 + ...hell-via-suspicious-child-process.asciidoc | 97 + .../potential-reverse-shell-via-udp.asciidoc | 86 + .../potential-reverse-shell.asciidoc | 80 + ...file-deletion-via-sdelete-utility.asciidoc | 122 +- ...ow-credentials-added-to-ad-object.asciidoc | 98 +- ...e-read-via-command-line-utilities.asciidoc | 78 +- .../potential-sharprdp-behavior.asciidoc | 143 +- ...l-via-wildcard-injection-detected.asciidoc | 77 + ...ential-ssh-it-ssh-worm-downloaded.asciidoc | 78 + ...x-ftp-brute-force-attack-detected.asciidoc | 73 + ...x-rdp-brute-force-attack-detected.asciidoc | 71 + ...successful-ssh-brute-force-attack.asciidoc | 109 + ...potential-sudo-hijacking-detected.asciidoc | 77 + ...ege-escalation-via-cve-2019-14287.asciidoc | 63 + ...anipulation-via-process-injection.asciidoc | 77 + ...cious-clipboard-activity-detected.asciidoc | 61 + ...icious-debugfs-root-device-access.asciidoc | 69 + .../potential-suspicious-file-edit.asciidoc | 113 + ...l-syn-based-network-scan-detected.asciidoc | 74 + ...s-via-wildcard-injection-detected.asciidoc | 77 + 
...-upgrade-of-non-interactive-shell.asciidoc | 69 + ...indows-error-manager-masquerading.asciidoc | 141 +- ...fa-bombing-via-push-notifications.asciidoc | 111 + ...rocess-started-via-tmux-or-screen.asciidoc | 64 + ...owershell-invoke-ninjacopy-script.asciidoc | 143 ++ .../powershell-kerberos-ticket-dump.asciidoc | 89 + ...owershell-kerberos-ticket-request.asciidoc | 118 +- .../powershell-keylogging-script.asciidoc | 149 +- ...ershell-mailbox-collection-script.asciidoc | 142 ++ .../powershell-minidump-script.asciidoc | 112 +- .../powershell-psreflect-script.asciidoc | 162 +- ...ell-script-block-logging-disabled.asciidoc | 109 +- ...-archive-compression-capabilities.asciidoc | 96 + ...cript-with-discovery-capabilities.asciidoc | 238 ++ ...ncryption-decryption-capabilities.asciidoc | 122 + ...cript-with-log-clear-capabilities.asciidoc | 89 + ...ord-policy-discovery-capabilities.asciidoc | 106 + ...-execution-capabilities-via-winrm.asciidoc | 93 + ...-token-impersonation-capabilities.asciidoc | 144 +- ...webcam-video-capture-capabilities.asciidoc | 88 + ...wershell-share-enumeration-script.asciidoc | 105 +- ...ery-related-windows-api-functions.asciidoc | 182 +- ...us-payload-encoded-and-compressed.asciidoc | 155 +- ...t-with-audio-capture-capabilities.asciidoc | 133 +- ...-clipboard-retrieval-capabilities.asciidoc | 146 ++ ...ript-with-screenshot-capabilities.asciidoc | 117 +- ...tion-via-named-pipe-impersonation.asciidoc | 131 +- ...ia-rogue-named-pipe-impersonation.asciidoc | 65 +- ...ia-root-crontab-file-modification.asciidoc | 52 +- ...n-via-windir-environment-variable.asciidoc | 74 +- .../privileged-account-brute-force.asciidoc | 105 +- ...n-via-parent-process-pid-spoofing.asciidoc | 107 +- ...s-activity-via-compiled-html-file.asciidoc | 186 +- ...s-created-with-a-duplicated-token.asciidoc | 90 + ...ss-created-with-an-elevated-token.asciidoc | 127 +- ...cess-creation-via-secondary-logon.asciidoc | 75 +- ...ss-discovery-using-built-in-tools.asciidoc | 67 + 
...scovery-via-built-in-applications.asciidoc | 71 + ...ecution-from-an-unusual-directory.asciidoc | 293 +-- ...ion-by-the-microsoft-build-engine.asciidoc | 74 +- ...njection-detected-elastic-endgame.asciidoc | 64 +- ...jection-prevented-elastic-endgame.asciidoc | 64 +- ...-started-from-process-id-pid-file.asciidoc | 60 +- ...-termination-followed-by-deletion.asciidoc | 193 +- .../processes-with-trailing-spaces.asciidoc | 65 + ...gram-files-directory-masquerading.asciidoc | 98 +- ...pt-for-credentials-with-osascript.asciidoc | 75 +- .../proxychains-activity.asciidoc | 62 + .../psexec-network-connection.asciidoc | 166 +- ...script-execution-via-command-line.asciidoc | 71 + ...ery-registry-using-built-in-tools.asciidoc | 64 + ...nsomware-detected-elastic-endgame.asciidoc | 55 +- ...somware-prevented-elastic-endgame.asciidoc | 55 +- .../rule-details/rare-aws-error-code.asciidoc | 106 +- ...re-smb-connection-to-the-internet.asciidoc | 99 + .../rule-details/rare-user-logon.asciidoc | 84 +- .../rdp-enabled-via-registry.asciidoc | 127 +- ...esktop-protocol-from-the-internet.asciidoc | 166 +- ...istry-persistence-via-appcert-dll.asciidoc | 94 +- ...istry-persistence-via-appinit-dll.asciidoc | 154 +- ...mputer-account-dnshostname-update.asciidoc | 92 +- ...bled-in-windows-firewall-by-netsh.asciidoc | 105 +- .../remote-execution-via-file-shares.asciidoc | 115 +- ...emote-file-copy-to-a-hidden-share.asciidoc | 84 +- .../remote-file-copy-via-teamviewer.asciidoc | 150 +- ...creation-on-a-sensitive-directory.asciidoc | 71 + ...oad-via-desktopimgdownldr-utility.asciidoc | 158 +- ...remote-file-download-via-mpcmdrun.asciidoc | 147 +- ...mote-file-download-via-powershell.asciidoc | 168 +- ...e-download-via-script-interpreter.asciidoc | 139 +- ...llowed-by-scheduled-task-creation.asciidoc | 77 +- .../remote-scheduled-task-creation.asciidoc | 133 +- ...n-enabled-via-systemsetup-command.asciidoc | 73 +- .../remote-system-discovery-commands.asciidoc | 122 +- 
.../remote-windows-service-installed.asciidoc | 99 +- ...mote-xsl-script-execution-via-com.asciidoc | 84 + ...remotely-started-services-via-rpc.asciidoc | 272 +-- ...enamed-autoit-scripts-interpreter.asciidoc | 137 +- ...-executed-with-short-program-name.asciidoc | 124 + ...file-downloaded-from-the-internet.asciidoc | 126 +- ...-procedure-call-from-the-internet.asciidoc | 154 +- ...te-procedure-call-to-the-internet.asciidoc | 154 +- ...-task-created-by-a-windows-script.asciidoc | 119 +- ...d-task-execution-at-scale-via-gpo.asciidoc | 125 +- ...cheduled-tasks-at-command-enabled.asciidoc | 115 +- ...le-modified-by-unexpected-process.asciidoc | 90 +- ...or-saved-credentials-via-vaultcmd.asciidoc | 84 +- ...ity-software-discovery-using-wmic.asciidoc | 122 +- ...urity-software-discovery-via-grep.asciidoc | 166 +- ...e-enabled-by-a-suspicious-process.asciidoc | 78 +- .../rule-details/segfault-detected.asciidoc | 55 + ...es-compression-inside-a-container.asciidoc | 107 + .../sensitive-files-compression.asciidoc | 105 +- ...s-searched-for-inside-a-container.asciidoc | 77 + ...ationprivilege-assigned-to-a-user.asciidoc | 104 +- .../service-command-lateral-movement.asciidoc | 94 +- ...ol-spawned-via-script-interpreter.asciidoc | 210 +- ...via-local-kerberos-authentication.asciidoc | 75 +- ...isabled-via-registry-modification.asciidoc | 78 + ...vice-path-modification-via-sc-exe.asciidoc | 87 + .../service-path-modification.asciidoc | 97 + ...tcap-setuid-setgid-capability-set.asciidoc | 68 + .../setuid-setgid-bit-set-via-chmod.asciidoc | 131 +- ...ged-by-previously-unknown-process.asciidoc | 70 + .../sharepoint-malware-file-upload.asciidoc | 56 +- ...ell-execution-via-apple-scripting.asciidoc | 66 +- ...ten-or-modified-on-startup-folder.asciidoc | 78 + ...oxy-execution-via-ms-work-folders.asciidoc | 98 +- .../sip-provider-modification.asciidoc | 82 +- ...-sharing-activity-to-the-internet.asciidoc | 156 +- .../rule-details/smtp-on-port-26-tcp.asciidoc | 87 +- 
...reupdate-preferences-modification.asciidoc | 66 +- ...s-disabling-services-via-registry.asciidoc | 139 +- .../spike-in-aws-error-messages.asciidoc | 109 +- ...to-an-external-device-via-airdrop.asciidoc | 51 + ...-bytes-sent-to-an-external-device.asciidoc | 51 + .../spike-in-failed-logon-events.asciidoc | 81 +- .../spike-in-firewall-denies.asciidoc | 39 +- .../spike-in-logon-events.asciidoc | 43 +- ...e-in-network-traffic-to-a-country.asciidoc | 73 +- .../spike-in-network-traffic.asciidoc | 42 +- ...connections-made-from-a-source-ip.asciidoc | 52 + ...nections-made-to-a-destination-ip.asciidoc | 52 + ...er-of-processes-in-an-rdp-session.asciidoc | 52 + .../spike-in-remote-file-transfers.asciidoc | 52 + ...ful-logon-events-from-a-source-ip.asciidoc | 100 + ...authorized-keys-file-modification.asciidoc | 123 +- ...-file-modified-inside-a-container.asciidoc | 85 + ...lished-inside-a-running-container.asciidoc | 83 + ...-launched-from-inside-a-container.asciidoc | 77 + ...-persistence-via-unsigned-process.asciidoc | 168 +- ...ript-added-to-group-policy-object.asciidoc | 115 +- ...-or-run-key-registry-modification.asciidoc | 311 ++- ...rsistence-by-a-suspicious-process.asciidoc | 172 +- ...ing-activity-with-high-confidence.asciidoc | 65 + ...el-detected-c2-beaconing-activity.asciidoc | 65 + ...n-to-okta-account-after-mfa-reset.asciidoc | 111 + ...r-application-script-modification.asciidoc | 91 +- ...sudo-command-enumeration-detected.asciidoc | 62 + ...eap-based-buffer-overflow-attempt.asciidoc | 52 +- .../sudoers-file-modification.asciidoc | 80 +- .../suid-sguid-enumeration-detected.asciidoc | 82 + ...urst-command-and-control-activity.asciidoc | 185 +- ...us-activity-reported-by-okta-user.asciidoc | 81 +- ...us-antimalware-scan-interface-dll.asciidoc | 134 ++ ...ous-automator-workflows-execution.asciidoc | 49 +- .../suspicious-browser-child-process.asciidoc | 103 +- ...icious-calendar-file-modification.asciidoc | 75 +- .../suspicious-certutil-commands.asciidoc | 183 
+- ...obe-acrobat-reader-update-service.asciidoc | 83 +- .../suspicious-cmd-execution-via-wmi.asciidoc | 90 +- ...s-communication-app-child-process.asciidoc | 263 +++ ...racted-or-decompressed-via-funzip.asciidoc | 83 + ...-crontab-creation-or-modification.asciidoc | 58 +- ...ta-encryption-via-openssl-utility.asciidoc | 68 + ...rsistence-or-privilege-escalation.asciidoc | 173 +- .../suspicious-emond-child-process.asciidoc | 77 +- ...-endpoint-security-parent-process.asciidoc | 131 +- ...s-execution-from-a-mounted-device.asciidoc | 86 +- ...tion-via-microsoft-office-add-ins.asciidoc | 122 + .../suspicious-execution-via-msiexec.asciidoc | 94 + ...ious-execution-via-scheduled-task.asciidoc | 187 +- ...n-via-windows-subsystem-for-linux.asciidoc | 88 + ...suspicious-explorer-child-process.asciidoc | 147 +- ...us-file-changes-activity-detected.asciidoc | 64 + ...e-creation-in-etc-for-persistence.asciidoc | 181 +- ...picious-file-creation-via-kworker.asciidoc | 70 + ...s-hidden-child-process-of-launchd.asciidoc | 59 +- .../suspicious-html-file-creation.asciidoc | 98 +- ...-load-taskschd-dll-from-ms-office.asciidoc | 158 ++ ...icious-imagepath-service-creation.asciidoc | 74 +- ...process-communication-via-outlook.asciidoc | 91 + ...l-spawned-from-inside-a-container.asciidoc | 72 + .../suspicious-java-child-process.asciidoc | 114 +- .../suspicious-kworker-uid-elevation.asciidoc | 73 + ...ious-lsass-access-via-malseclogon.asciidoc | 64 +- .../suspicious-lsass-process-access.asciidoc | 89 + ...ous-macos-ms-office-child-process.asciidoc | 125 +- ...ious-managed-code-hosting-process.asciidoc | 96 +- ...ft-365-mail-access-by-clientappid.asciidoc | 69 + ...soft-diagnostics-wizard-execution.asciidoc | 111 +- ...ous-mining-process-creation-event.asciidoc | 67 + .../suspicious-modprobe-file-event.asciidoc | 60 + ...suspicious-module-loaded-by-lsass.asciidoc | 130 ++ ...uspicious-ms-office-child-process.asciidoc | 314 +-- ...spicious-ms-outlook-child-process.asciidoc | 233 +- 
.../suspicious-net-code-compilation.asciidoc | 82 + ...ous-net-reflection-via-powershell.asciidoc | 168 ++ ...-by-previously-unknown-executable.asciidoc | 80 + ...-tool-launched-inside-a-container.asciidoc | 82 + ...spicious-pdf-reader-child-process.asciidoc | 207 +- ...able-encoded-in-powershell-script.asciidoc | 138 +- ...cious-powershell-engine-imageload.asciidoc | 262 +-- .../suspicious-powershell-script.asciidoc | 64 +- ...cious-print-spooler-file-deletion.asciidoc | 68 +- ...print-spooler-point-and-print-dll.asciidoc | 73 +- ...us-print-spooler-spl-file-created.asciidoc | 154 +- ...-service-executable-file-creation.asciidoc | 84 +- ...oc-pseudo-file-system-enumeration.asciidoc | 66 + ...ess-access-via-direct-system-call.asciidoc | 168 +- ...icious-process-creation-calltrace.asciidoc | 135 +- ...ion-via-renamed-psexec-executable.asciidoc | 130 +- ...rocess-spawned-from-motd-detected.asciidoc | 152 ++ ...picious-rdp-activex-client-loaded.asciidoc | 118 +- ...stry-access-via-sebackupprivilege.asciidoc | 119 +- ...suspicious-renaming-of-esxi-files.asciidoc | 67 + ...-renaming-of-esxi-index-html-file.asciidoc | 66 + ...uspicious-script-object-execution.asciidoc | 155 +- ...rvice-was-installed-in-the-system.asciidoc | 100 +- ...spicious-solarwinds-child-process.asciidoc | 115 +- ...startup-shell-folder-modification.asciidoc | 152 +- .../suspicious-symbolic-link-created.asciidoc | 92 + .../suspicious-sysctl-file-event.asciidoc | 60 + ...-by-previously-unknown-executable.asciidoc | 73 + ...cious-termination-of-esxi-process.asciidoc | 62 + ...leshooting-pack-cabinet-execution.asciidoc | 74 + ...-utility-launched-via-proxychains.asciidoc | 65 + ...suspicious-werfault-child-process.asciidoc | 135 +- .../suspicious-which-enumeration.asciidoc | 66 + ...process-cluster-spawned-by-a-host.asciidoc | 51 + ...uster-spawned-by-a-parent-process.asciidoc | 53 + ...process-cluster-spawned-by-a-user.asciidoc | 53 + ...us-wmi-event-subscription-created.asciidoc | 68 + 
...ous-wmi-image-load-from-ms-office.asciidoc | 100 +- ...picious-wmic-xsl-script-execution.asciidoc | 103 +- .../suspicious-zoom-child-process.asciidoc | 165 +- .../svchost-spawning-cmd.asciidoc | 188 +- ...bolic-link-to-shadow-copy-created.asciidoc | 145 +- ...-or-moved-to-suspicious-directory.asciidoc | 93 + .../system-hosts-file-access.asciidoc | 62 + ...scovery-via-windows-command-shell.asciidoc | 81 +- .../system-log-file-deletion.asciidoc | 109 +- ...tem-network-connections-discovery.asciidoc | 62 + ...system-owner-user-discovery-linux.asciidoc | 66 + ...hrough-built-in-windows-utilities.asciidoc | 71 + .../system-shells-via-services.asciidoc | 192 +- .../system-time-discovery.asciidoc | 70 + ...systemkey-access-via-command-line.asciidoc | 60 +- .../tainted-kernel-module-load.asciidoc | 73 + ...ed-out-of-tree-kernel-module-load.asciidoc | 73 + ...ring-of-bash-command-line-history.asciidoc | 122 +- ...-via-mounted-apfs-snapshot-access.asciidoc | 50 +- ...mporarily-scheduled-task-creation.asciidoc | 83 +- ...es-deleted-via-unexpected-process.asciidoc | 120 +- ...threat-intel-hash-indicator-match.asciidoc | 116 + ...-intel-ip-address-indicator-match.asciidoc | 118 + .../threat-intel-url-indicator-match.asciidoc | 121 + ...-windows-registry-indicator-match.asciidoc | 111 + .../timestomping-using-touch-command.asciidoc | 88 +- .../trap-signals-execution.asciidoc | 65 + ...nternet-explorer-add-on-installer.asciidoc | 124 +- ...eged-ifileoperation-com-interface.asciidoc | 104 +- ...ia-windows-directory-masquerading.asciidoc | 151 +- ...ademanager-elevated-com-interface.asciidoc | 122 +- ...diskcleanup-scheduled-task-hijack.asciidoc | 124 +- ...icmluautil-elevated-com-interface.asciidoc | 109 +- ...a-windows-firewall-snap-in-hijack.asciidoc | 159 +- ...rom-previously-unknown-executable.asciidoc | 82 + ...zed-access-to-an-okta-application.asciidoc | 62 +- ...ommon-registry-persistence-change.asciidoc | 306 +-- ...ocess-of-macos-screensaver-engine.asciidoc | 61 +- 
.../unix-socket-connection.asciidoc | 65 + ...igned-bits-service-client-process.asciidoc | 72 + ...d-dll-loaded-by-a-trusted-process.asciidoc | 75 + .../unsigned-dll-loaded-by-svchost.asciidoc | 179 ++ ...-loading-from-a-suspicious-folder.asciidoc | 153 ++ .../untrusted-driver-loaded.asciidoc | 135 ++ .../unusual-aws-command-for-a-user.asciidoc | 104 +- ...ess-from-a-system-virtual-process.asciidoc | 84 +- .../unusual-child-process-of-dns-exe.asciidoc | 115 + ...usual-child-processes-of-rundll32.asciidoc | 149 +- .../unusual-city-for-an-aws-command.asciidoc | 104 +- ...nusual-country-for-an-aws-command.asciidoc | 110 +- ...nusual-discovery-activity-by-user.asciidoc | 61 + ...with-unusual-process-command-line.asciidoc | 60 + ...t-with-unusual-process-executable.asciidoc | 55 + .../unusual-dns-activity.asciidoc | 55 +- ...tion-by-a-system-critical-process.asciidoc | 141 +- ...le-creation-alternate-data-stream.asciidoc | 212 +- ...sual-file-modification-by-dns-exe.asciidoc | 85 + .../unusual-hour-for-a-user-to-logon.asciidoc | 70 +- .../unusual-linux-network-activity.asciidoc | 58 +- ...x-network-configuration-discovery.asciidoc | 49 + ...inux-network-connection-discovery.asciidoc | 45 +- ...usual-linux-network-port-activity.asciidoc | 54 +- ...cess-calling-the-metadata-service.asciidoc | 56 +- ...-linux-process-discovery-activity.asciidoc | 45 +- ...em-information-discovery-activity.asciidoc | 45 +- ...user-calling-the-metadata-service.asciidoc | 56 +- ...ual-linux-user-discovery-activity.asciidoc | 49 + .../unusual-linux-username.asciidoc | 69 +- .../unusual-login-activity.asciidoc | 55 +- ...vity-from-a-windows-system-binary.asciidoc | 234 +- ...al-network-connection-via-dllhost.asciidoc | 79 +- ...l-network-connection-via-rundll32.asciidoc | 206 +- ...l-network-destination-domain-name.asciidoc | 45 +- ...unusual-parent-child-relationship.asciidoc | 353 +-- ...nusual-parent-process-for-cmd-exe.asciidoc | 89 + ...persistence-via-services-registry.asciidoc | 122 +- 
...usual-print-spooler-child-process.asciidoc | 121 +- ...al-process-execution-on-wbem-path.asciidoc | 72 + ...cution-path-alternate-data-stream.asciidoc | 81 +- .../unusual-process-extension.asciidoc | 82 + .../unusual-process-for-a-linux-host.asciidoc | 113 +- ...nusual-process-for-a-windows-host.asciidoc | 159 +- ...rocess-for-mssql-service-accounts.asciidoc | 92 + ...nusual-process-network-connection.asciidoc | 151 +- ...unusual-process-spawned-by-a-host.asciidoc | 53 + ...ocess-spawned-by-a-parent-process.asciidoc | 53 + ...unusual-process-spawned-by-a-user.asciidoc | 53 + ...riting-data-to-an-external-device.asciidoc | 51 + .../unusual-remote-file-directory.asciidoc | 52 + .../unusual-remote-file-extension.asciidoc | 52 + .../unusual-remote-file-size.asciidoc | 52 + ...t-child-process-childless-service.asciidoc | 145 +- ...ource-ip-for-a-user-to-logon-from.asciidoc | 43 +- .../unusual-sudo-activity.asciidoc | 47 +- ...al-time-or-day-for-an-rdp-session.asciidoc | 52 + ...user-privilege-enumeration-via-id.asciidoc | 62 + .../rule-details/unusual-web-request.asciidoc | 55 +- .../unusual-web-user-agent.asciidoc | 55 +- .../unusual-windows-network-activity.asciidoc | 63 +- .../unusual-windows-path-activity.asciidoc | 77 +- ...cess-calling-the-metadata-service.asciidoc | 56 +- .../unusual-windows-remote-user.asciidoc | 63 +- .../unusual-windows-service.asciidoc | 61 +- ...user-calling-the-metadata-service.asciidoc | 56 +- ...user-privilege-elevation-activity.asciidoc | 57 +- .../unusual-windows-username.asciidoc | 77 +- .../user-account-creation.asciidoc | 136 +- ...-account-exposed-to-kerberoasting.asciidoc | 106 +- ...ed-as-owner-for-azure-application.asciidoc | 67 +- ...owner-for-azure-service-principal.asciidoc | 69 +- .../user-added-to-privileged-group.asciidoc | 101 +- ...l-machine-fingerprinting-via-grep.asciidoc | 78 +- .../virtual-machine-fingerprinting.asciidoc | 80 +- ...rivate-network-connection-attempt.asciidoc | 65 +- 
...twork-computing-from-the-internet.asciidoc | 158 +- ...network-computing-to-the-internet.asciidoc | 156 +- ...y-deleted-or-resized-via-vssadmin.asciidoc | 165 +- ...adow-copy-deletion-via-powershell.asciidoc | 132 +- ...ume-shadow-copy-deletion-via-wmic.asciidoc | 150 +- ...us-activity-post-request-declined.asciidoc | 62 +- ...icious-activity-sqlmap-user-agent.asciidoc | 59 +- ...ious-activity-unauthorized-method.asciidoc | 62 +- ...ess-child-of-common-web-processes.asciidoc | 145 +- .../webproxy-settings-modification.asciidoc | 68 +- .../webserver-access-logs-deleted.asciidoc | 84 +- ...fault-reflectdebugger-persistence.asciidoc | 74 + .../whoami-process-activity.asciidoc | 155 +- ...indows-account-or-group-discovery.asciidoc | 110 + ...erability-cve-2020-0601-curveball.asciidoc | 64 +- ...isabled-via-registry-modification.asciidoc | 179 +- ...r-exclusions-added-via-powershell.asciidoc | 134 +- .../windows-event-logs-cleared.asciidoc | 85 +- ...-firewall-disabled-via-powershell.asciidoc | 112 +- ...taller-with-suspicious-properties.asciidoc | 79 + .../windows-network-enumeration.asciidoc | 167 +- ...gistry-file-creation-in-smb-share.asciidoc | 107 +- ...ndows-script-executing-powershell.asciidoc | 156 +- ...rpreter-executing-process-via-wmi.asciidoc | 166 +- ...e-installed-via-an-unusual-client.asciidoc | 56 +- ...-for-linux-distribution-installed.asciidoc | 116 + ...or-linux-enabled-via-dism-utility.asciidoc | 110 + ...dows-system-information-discovery.asciidoc | 80 + ...tem-network-connections-discovery.asciidoc | 77 + .../windows-user-account-creation.asciidoc | 69 + ...ntial-dumping-using-netsh-command.asciidoc | 90 +- .../wmi-incoming-lateral-movement.asciidoc | 136 +- .../wmi-wbemtest-utility-execution.asciidoc | 60 + .../rule-details/wmic-remote-command.asciidoc | 75 + .../wpad-service-exploit.asciidoc | 72 + ...access-on-active-directory-object.asciidoc | 70 + .../zoom-meeting-with-no-passcode.asciidoc | 65 +- docs/index.asciidoc | 2 + 1043 files 
changed, 55683 insertions(+), 48005 deletions(-) create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-1/prebuilt-rules-8-12-1-appendix.asciidoc create mode 100644 docs/detections/prebuilt-rules/downloadable-packages/8-12-1/prebuilt-rules-8-12-1-summary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/accessing-outlook-data-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/account-or-group-discovery-via-built-in-tools.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/archive-file-with-unusual-extension.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/at-exe-command-lateral-movement.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/attempt-to-clear-kernel-ring-buffer.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/attempt-to-disable-iptables-or-firewall.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/attempt-to-install-kali-linux-via-wsl.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/attempted-private-key-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/aws-credentials-searched-for-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/binary-content-copy-via-cmd-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/bitsadmin-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/browser-extension-install.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/bypass-uac-via-sdclt.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/code-signing-policy-modification-through-built-in-tools.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/code-signing-policy-modification-through-registry.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/compression-dll-loaded-by-unusual-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/container-management-utility-run-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/container-workload-protection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/creation-of-kernel-module.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/creation-of-settingcontent-ms-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/cron-job-created-or-changed-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/delayed-execution-via-ping.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/deprecated-potential-reverse-shell-via-suspicious-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/discovery-of-domain-groups.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/discovery-of-internet-capabilities-via-built-in-tools.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/downloaded-shortcut-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/downloaded-url-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/enumerating-domain-trusts-via-dsquery-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/enumerating-domain-trusts-via-nltest-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/enumeration-of-kernel-modules-via-proc.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/esxi-discovery-via-find.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/esxi-discovery-via-grep.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/esxi-timestomping-using-touch-command.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/exchange-mailbox-export-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/executable-file-with-unusual-extension.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-from-a-removable-media-with-network-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-of-an-unsigned-service.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-via-electron-child-process-node-js-module.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-via-microsoft-dotnet-clickonce-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-via-ms-visualstudio-pre-post-build-events.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-via-mssql-xp-cmdshell-stored-procedure.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/execution-via-windows-subsystem-for-linux.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/expired-or-revoked-driver-loaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/external-user-added-to-google-workspace-group.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-and-directory-permissions-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-compressed-or-archived-into-common-format.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-creation-execution-and-self-deletion-in-suspicious-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-creation-time-changed.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-made-executable-via-chmod-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-or-directory-deletion-command.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/file-staged-in-root-folder-of-recycle-bin.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/file-with-suspicious-extension-downloaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-occurrence-of-okta-user-session-started-via-proxy.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-aws-secret-value-accessed-in-secrets-manager.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-commonly-abused-remote-access-tool-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-driver-loaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-google-workspace-oauth-login-from-third-party-application.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-newcredentials-logon-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/first-time-seen-removable-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/firsttime-seen-account-performing-dcsync.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/forwarded-google-workspace-security-alert.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/github-owner-role-granted-to-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/github-protected-branch-settings-changed.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/github-repository-deleted.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/google-workspace-drive-encryption-key-s-accessed-from-anonymous-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/google-workspace-object-copied-from-external-drive-and-access-granted-to-custom-application.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/google-workspace-suspended-user-account-renewed.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/group-policy-discovery-via-microsoft-gpresult-utility.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/hidden-files-and-directories-via-hidden-flag.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/high-mean-of-process-arguments-in-an-rdp-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/high-mean-of-rdp-session-duration.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/high-variance-in-rdp-session-duration.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/host-files-system-changes-via-windows-subsystem-for-linux.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/image-loaded-with-invalid-signature.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/indirect-command-execution-via-forfiles-pcalua.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ingress-transfer-via-windows-bits.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/installutil-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/interactive-exec-command-launched-against-a-running-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/interactive-logon-by-an-unusual-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kernel-driver-load.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kernel-load-or-unload-via-kexec-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/kirbi-file-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-group-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-init-pid-1-secret-dump-via-gdb.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/linux-restricted-shell-breakout-via-linux-binary-s.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-secret-dumping-via-gdb.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-system-information-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-user-account-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/linux-user-added-to-privileged-group.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/lsass-process-access-via-windows-api.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-dns-request-predicted-to-be-a-dga-domain.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-dns-request-with-a-high-dga-probability-score.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-suspicious-windows-event-predicted-to-be-malicious-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/machine-learning-detected-a-suspicious-windows-event-with-a-high-malicious-probability-score.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/machine-learning-detected-dga-activity-using-a-known-sunburst-dns-domain.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/malicious-remote-file-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/memory-dump-file-with-unusual-extension.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/microsoft-365-impossible-travel-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/microsoft-365-mass-download-by-a-single-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/microsoft-exchange-transport-agent-install-script.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/modification-of-dynamic-linker-preload-shared-object-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/mofcomp-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/multiple-alerts-involving-a-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/multiple-okta-client-addresses-for-a-single-user-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/multiple-okta-sessions-detected-for-a-single-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/multiple-okta-user-auth-events-with-same-device-token-hash-behind-a-proxy.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/my-first-rule.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/netcat-listener-established-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/netcat-listener-established-via-rlwrap.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/netsh-helper-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/network-activity-detected-via-cat.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/network-activity-detected-via-kworker.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/network-connection-via-recently-compiled-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/network-level-authentication-nla-disabled.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/new-github-app-installed.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/new-github-owner-added.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/new-okta-authentication-behavior-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/new-okta-identity-provider-idp-added-by-admin.asciidoc 
create mode 100644 docs/detections/prebuilt-rules/rule-details/new-systemd-service-created-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/new-systemd-timer-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/office-test-registry-persistence.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/okta-fastpass-phishing-detection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/okta-sign-in-events-via-third-party-idp.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/okta-threatinsight-threat-suspected-promotion.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/okta-user-sessions-started-from-different-geolocations.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-antimalware-scan-interface-bypass-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-code-execution-via-postgresql.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-credential-access-via-memory-dump-file-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-cross-site-scripting-xss.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-curl-cve-2023-38545-exploitation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-destination-port.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-ip-address.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-iso-code.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-data-exfiltration-activity-to-an-unusual-region.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/potential-defense-evasion-via-cmstp-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-defense-evasion-via-proot.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-dga-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-disabling-of-apparmor.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-dll-side-loading-via-trusted-microsoft-programs.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-exploitation-of-an-unquoted-service-path-vulnerability.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-external-linux-ssh-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-file-transfer-via-certreq.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-hidden-process-via-mount-hidepid.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-internal-linux-ssh-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-backdoor-user-account-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-credential-dumping-via-proc-filesystem.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-credential-dumping-via-unshadow.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-hack-tool-launched.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-local-account-brute-force-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-ransomware-note-creation-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-linux-ssh-x11-forwarding.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/potential-linux-tunneling-and-or-port-forwarding.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-malicious-file-downloaded-from-google-drive.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-browser-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-business-app-installer.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-communication-apps.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-system32-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-system32-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-masquerading-as-vlc-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-meterpreter-reverse-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-network-scan-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-network-scan-executed-from-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-network-share-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-network-sweep-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-non-standard-port-http-https-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-okta-mfa-bombing-via-push-notifications.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-outgoing-rdp-connection-by-unusual-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-pass-the-hash-pth-attempt.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/potential-persistence-through-init-d-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-persistence-through-motd-file-creation-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-persistence-through-run-control-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-persistence-through-systemd-udevd.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-powershell-hacktool-script-by-function-names.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-through-writable-docker-socket.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-container-misconfiguration.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-cve-2023-4911.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-overlayfs.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-python-cap-setuid.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-recently-compiled-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-privilege-escalation-via-uid-int-max-bug-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-process-injection-from-malicious-document.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-chisel-client.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-protocol-tunneling-via-chisel-server.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-pspy-process-monitoring-detected.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/potential-remote-code-execution-via-web-server.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-remote-file-execution-via-msiexec.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-background-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-java.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-suspicious-binary.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-suspicious-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell-via-udp.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-reverse-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-shell-via-wildcard-injection-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-ssh-it-ssh-worm-downloaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-successful-linux-ftp-brute-force-attack-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-successful-linux-rdp-brute-force-attack-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-successful-ssh-brute-force-attack.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-sudo-hijacking-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-sudo-privilege-escalation-via-cve-2019-14287.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-sudo-token-manipulation-via-process-injection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-suspicious-clipboard-activity-detected.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/potential-suspicious-debugfs-root-device-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-suspicious-file-edit.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-syn-based-network-scan-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-unauthorized-access-via-wildcard-injection-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potential-upgrade-of-non-interactive-shell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potentially-successful-mfa-bombing-via-push-notifications.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/potentially-suspicious-process-started-via-tmux-or-screen.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-invoke-ninjacopy-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-kerberos-ticket-dump.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-mailbox-collection-script.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-archive-compression-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-discovery-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-encryption-decryption-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-log-clear-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-password-policy-discovery-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-script-with-remote-execution-capabilities-via-winrm.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/powershell-script-with-webcam-video-capture-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/powershell-suspicious-script-with-clipboard-retrieval-capabilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/process-created-with-a-duplicated-token.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/process-discovery-using-built-in-tools.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/process-discovery-via-built-in-applications.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/processes-with-trailing-spaces.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/proxychains-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/python-script-execution-via-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/query-registry-using-built-in-tools.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/rare-smb-connection-to-the-internet.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/remote-file-creation-on-a-sensitive-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/remote-xsl-script-execution-via-com.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/renamed-utility-executed-with-short-program-name.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/segfault-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/sensitive-files-compression-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/sensitive-keys-or-passwords-searched-for-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/service-disabled-via-registry-modification.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/service-path-modification-via-sc-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/service-path-modification.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/setcap-setuid-setgid-capability-set.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/shared-object-created-or-changed-by-previously-unknown-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/shortcut-file-written-or-modified-on-startup-folder.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-bytes-sent-to-an-external-device-via-airdrop.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-bytes-sent-to-an-external-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-number-of-connections-made-from-a-source-ip.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-number-of-connections-made-to-a-destination-ip.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-number-of-processes-in-an-rdp-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-remote-file-transfers.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/spike-in-successful-logon-events-from-a-source-ip.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ssh-authorized-keys-file-modified-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ssh-connection-established-inside-a-running-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/ssh-process-launched-from-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/statistical-model-detected-c2-beaconing-activity-with-high-confidence.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/statistical-model-detected-c2-beaconing-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/stolen-credentials-used-to-login-to-okta-account-after-mfa-reset.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/sudo-command-enumeration-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suid-sguid-enumeration-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-antimalware-scan-interface-dll.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-communication-app-child-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-content-extracted-or-decompressed-via-funzip.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-data-encryption-via-openssl-utility.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-execution-via-microsoft-office-add-ins.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-execution-via-msiexec.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-execution-via-windows-subsystem-for-linux.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-file-changes-activity-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-file-creation-via-kworker.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-image-load-taskschd-dll-from-ms-office.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-inter-process-communication-via-outlook.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-interactive-shell-spawned-from-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-kworker-uid-elevation.asciidoc create mode 
100644 docs/detections/prebuilt-rules/rule-details/suspicious-lsass-process-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-microsoft-365-mail-access-by-clientappid.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-mining-process-creation-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-modprobe-file-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-module-loaded-by-lsass.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-net-code-compilation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-net-reflection-via-powershell.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-network-activity-to-the-internet-by-previously-unknown-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-network-tool-launched-inside-a-container.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-proc-pseudo-file-system-enumeration.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-process-spawned-from-motd-detected.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-renaming-of-esxi-files.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-renaming-of-esxi-index-html-file.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-symbolic-link-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-sysctl-file-event.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-system-commands-executed-by-previously-unknown-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-termination-of-esxi-process.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/suspicious-troubleshooting-pack-cabinet-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-utility-launched-via-proxychains.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-which-enumeration.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-windows-process-cluster-spawned-by-a-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/suspicious-wmi-event-subscription-created.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-binary-copied-and-or-moved-to-suspicious-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-hosts-file-access.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-network-connections-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-owner-user-discovery-linux.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-service-discovery-through-built-in-windows-utilities.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/system-time-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/tainted-kernel-module-load.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/tainted-out-of-tree-kernel-module-load.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/threat-intel-hash-indicator-match.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/threat-intel-ip-address-indicator-match.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/threat-intel-url-indicator-match.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/threat-intel-windows-registry-indicator-match.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/trap-signals-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/uid-elevation-from-previously-unknown-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unix-socket-connection.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unsigned-bits-service-client-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unsigned-dll-loaded-by-a-trusted-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unsigned-dll-loaded-by-svchost.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unsigned-dll-side-loading-from-a-suspicious-folder.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/untrusted-driver-loaded.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-child-process-of-dns-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-discovery-activity-by-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-discovery-signal-alert-with-unusual-process-command-line.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-discovery-signal-alert-with-unusual-process-executable.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-file-modification-by-dns-exe.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-linux-network-configuration-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-linux-user-discovery-activity.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-parent-process-for-cmd-exe.asciidoc create mode 
100644 docs/detections/prebuilt-rules/rule-details/unusual-process-execution-on-wbem-path.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-extension.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-for-mssql-service-accounts.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-host.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-parent-process.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-spawned-by-a-user.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-process-writing-data-to-an-external-device.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-remote-file-directory.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-remote-file-extension.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-remote-file-size.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-time-or-day-for-an-rdp-session.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/unusual-user-privilege-enumeration-via-id.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/werfault-reflectdebugger-persistence.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-account-or-group-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-installer-with-suspicious-properties.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-subsystem-for-linux-distribution-installed.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-subsystem-for-linux-enabled-via-dism-utility.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-system-information-discovery.asciidoc create mode 100644 
docs/detections/prebuilt-rules/rule-details/windows-system-network-connections-discovery.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/windows-user-account-creation.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/wmi-wbemtest-utility-execution.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/wmic-remote-command.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/wpad-service-exploit.asciidoc create mode 100644 docs/detections/prebuilt-rules/rule-details/writedac-access-on-active-directory-object.asciidoc diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-1/prebuilt-rules-8-12-1-appendix.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-1/prebuilt-rules-8-12-1-appendix.asciidoc new file mode 100644 index 0000000000..d8a1a6acdc --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-1/prebuilt-rules-8-12-1-appendix.asciidoc @@ -0,0 +1,6 @@ +["appendix",role="exclude",id="prebuilt-rule-8-12-1-prebuilt-rules-8-12-1-appendix"] += Downloadable rule update v8.12.1 + +This section lists all updates associated with version 8.12.1 of the Fleet integration *Prebuilt Security Detection Rules*. + + diff --git a/docs/detections/prebuilt-rules/downloadable-packages/8-12-1/prebuilt-rules-8-12-1-summary.asciidoc b/docs/detections/prebuilt-rules/downloadable-packages/8-12-1/prebuilt-rules-8-12-1-summary.asciidoc new file mode 100644 index 0000000000..80c8b90cb4 --- /dev/null +++ b/docs/detections/prebuilt-rules/downloadable-packages/8-12-1/prebuilt-rules-8-12-1-summary.asciidoc 
@@ -0,0 +1,12 @@ +[[prebuilt-rule-8-12-1-prebuilt-rules-8-12-1-summary]] +[role="xpack"] +== Update v8.12.1 + +This section lists all updates associated with version 8.12.1 of the Fleet integration *Prebuilt Security Detection Rules*. + + +[width="100%",options="header"] +|============================================== +|Rule |Description |Status |Version + +|============================================== diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc index c285889192..cbb0afc8d5 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc 
@@ -1,139 +1 @@ -[[prebuilt-rules-downloadable-updates]] -[role="xpack"] -== Downloadable rule updates - -This section lists all updates to prebuilt detection rules, made available with the *Prebuilt Security Detection Rules* integration in Fleet. - -To update your installed rules to the latest versions, follow the instructions in <>. - - -[width="100%",options="header"] -|============================================== -|Update version |Date | New rules | Updated rules | Notes - -|<> | 15 Feb 2023 | 29 | 110 | -This release includes new rules for Windows and Linux endpoints. -Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy. -A Google Workspace promotional rule was added to promote security alerts from the Alert Center. -Machine learning rules related to failed logins have been adjusted for better scoring results. -Additional investigation guides have been added for Windows and Linux rules. -A https://www.elastic.co/guide/en/security/current/rules-ui-create.html[New Terms] rule has been created to identify loaded Windows drivers not seen in the last 30 days. -A guided onboarding rule has been created to assist new SIEM users with getting started. - -|<> | 15 Feb 2023 | 28 | 110 | -This release includes new rules for Windows and Linux endpoints. -Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy. -A Google Workspace promotional rule was added to promote security alerts from the Alert Center. -Machine learning rules related to failed logins have been adjusted for better scoring results. -Additional investigation guides have been added for Windows and Linux rules. -A https://www.elastic.co/guide/en/security/current/rules-ui-create.html[New Terms] rule has been created to identify loaded Windows drivers not seen in the last 30 days. - -|<> | 14 Feb 2023 | 27 | 110 | -This release includes new rules for Windows and Linux endpoints. 
-Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy. -A Google Workspace promotional rule was added to promote security alerts from the Alert Center. -Machine learning rules related to failed logins have been adjusted for better scoring results. -Additional investigation guides have been added for Windows and Linux rules. - -|<> | 14 Feb 2023 | 27 | 110 | -This release includes new rules for Windows and Linux endpoints. -Additionally, significant rule tuning for Windows and Linux rules has been added for better rule efficacy. -A Google Workspace promotional rule was added to promote security alerts from the Alert Center. -Machine learning rules related to failed logins have been adjusted for better scoring results. -Additional investigation guides have been added for Windows and Linux rules. - -|<> | 24 Jan 2023 | 5 | 494 | -This release includes new rules for Windows regarding Microsoft Exchange interaction via Powershell. -Additionally, significant rule tuning for Windows rules has been added for better rule efficacy. -A new rule for multiple alerts with different ATT&CK tactics on a single host has also been included. -A new rule for multiple alerts involving a single user has been added. -Related integration tags and recommended versions have been added to endpoint rules. -Bug fixes for OSQuery execution in rule investigation guides has been added. - -|<> | 24 Jan 2023 | 1 | 4 | -This release includes new rules for Windows regarding Microsoft Exchange interaction via PowerShell. -A new rule for multiple alerts with different ATT&CK tactics on a single host has also been included. -Additionally, a new rule for multiple alerts involving a single user has been added. -This release also includes rule tuning for suspicious Windows Error Reporting child processes. - -|<> | 19 Jan 2023 | 17 | 500 | -This release includes new rules for Windows regarding Microsoft Exchange interaction via PowerShell. 
-Additionally, significant rule tuning for Windows rules has been added for better rule efficacy. -Related integration tags and recommended versions have been added to endpoint rules. -Bug fixes for OSQuery execution in rule investigation guides has been added. - -|<> | 05 Dec 2022 | 20 | 298 | -This release includes new rules for Linux regarding reverse shells. -Additionally, new windows rules have been added to supply coverage for credential access and access token manipulation. -Specific Windows and Linux rules have been tuned to reduce false-positive signals. - -|<> | 06 Oct 2022 | 25 | 232 | -This release includes new rules for Linux, Windows, Google Workspace and Kubernetes. -Also included are expanded investigation guides for Linux, Windows and macOS rules. - -|<> | 26 Aug 2022 | 0 | 113 | -This release includes new rules for Linux, Windows, Google Workspace and Kubernetes. -Also included are expanded investigation and setup guides for Linux, Windows and macOS rules. -Rule compatability for required event fields and related Fleet integrations has also been included. - -|<> | 24 Aug 2022 | 442 | 96 | -This release includes new rules for Windows, MacOS, Linux, Kubernetes, and considerable tuning efforts. -Also included are expanded investion guides for Windows, Azure and AWS rules. - -|<> | 24 Jun 2022 | 14 | 159 | -This release includes new rules for Windows, MacOS, Linux and Kubernetes. -Also included are expanded investigation guides for Windows rules. -Additionally, this update includes new rules to help detect emerging threat https://www.elastic.co/blog/a-peek-behind-the-bpfdoor[BPFDoor]. -Updates to existing Windows rules were made to help detect exploitation attempts against https://www.elastic.co/blog/vulnerability-summary-follina[CVE-2022-30190]. - -|<> | 03 May 2022 | 42 | 341 | -This release includes new rules for MacOS regarding initial access and persistence coverage. -New rules to detect shell evasion in Linux have also been added. 
-Also included are expanded investigation guides for Windows rules as well as new rules for credential theft and Active Directory (AD). -Additionally, this update includes new rules to help detect the emerging threat https://www.elastic.co/blog/detecting-and-responding-to-dirty-pipe-with-elastic[CVE-2022-0847 (Dirty Pipe)] - -|<> | 13 Dec 2021 | 35 | 45 | -This release includes an update to an existing rule and adds a new rule to help detect https://www.elastic.co/blog/detecting-log4j2-with-elastic-security[CVE-2021-44228 (log4j2)]. -Also included are updates and new rules for cloud integrations, windows, PowerShell, and others. - -|<> | 15 Oct 2021 | 18 | 89 | -This release includes rules covering Windows endpoints, as well as several third-party integrations — including rules contributed by the community. - -|<> | 08 Sep 2021 | 3 | 71 | -Included in this release is a rule to detect web shells, including -https://discuss.elastic.co/t/detection-and-response-for-proxyshell-activity/282407[ProxyShell] activity. - -|<> | 22 Jul 2021 | 4 | 36 | -Included in this release is a rule for Windows Defender Exclusions, which has been used in recent campaigns, as well as -a rule to resiliently detect parent PID spoofing. - -|<> | 07 Jul 2021 | 15 | 6 | -Included in this release are 3 new rules for the recently observed -https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples[REvil] -activity as well as 4 new rules covering the recent -https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527[PrintNightmare] vulnerability. 
- -|<> | 21 Jun 2021 | 4 | 41 | - -|============================================== - - -include::downloadable-packages/0-13-1/prebuilt-rules-0-13-1-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/0-13-2/prebuilt-rules-0-13-2-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/0-13-3/prebuilt-rules-0-13-3-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/0-14-1/prebuilt-rules-0-14-1-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/0-14-2/prebuilt-rules-0-14-2-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/0-14-3/prebuilt-rules-0-14-3-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/1-0-2/prebuilt-rules-1-0-2-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-1-1/prebuilt-rules-8-1-1-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-2-1/prebuilt-rules-8-2-1-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-3-1/prebuilt-rules-8-3-1-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-3-2/prebuilt-rules-8-3-2-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-3-3/prebuilt-rules-8-3-3-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-3-4/prebuilt-rules-8-3-4-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-4-1/prebuilt-rules-8-4-1-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-4-2/prebuilt-rules-8-4-2-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-4-3/prebuilt-rules-8-4-3-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-5-1/prebuilt-rules-8-5-1-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-6-1/prebuilt-rules-8-6-1-summary.asciidoc[leveloffset=+1] -include::downloadable-packages/8-7-1/prebuilt-rules-8-7-1-summary.asciidoc[leveloffset=+1] +include::downloadable-packages/8-12-1/prebuilt-rules-8-12-1-summary.asciidoc[leveloffset=+1] 
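Review bot: this replacement leaves docs/detections/prebuilt-rules/prebuilt-rules-downloadable-updates.asciidoc without its `[[prebuilt-rules-downloadable-updates]]` anchor, the `== Downloadable rule updates` heading and the intro sentence that links to the update instructions, so any cross-reference to that anchor elsewhere in the docs will break and the only content left on the page is a bare `include::downloadable-packages/8-12-1/prebuilt-rules-8-12-1-summary.asciidoc[leveloffset=+1]` with no heading above it. The hunk also drops the whole update-history table (every row from 21 Jun 2021 through 15 Feb 2023, including the notes that point readers at the BPFDoor, CVE-2022-30190, Dirty Pipe, log4j2, ProxyShell and PrintNightmare coverage) and the includes for every earlier package from 0-13-1 to 8-7-1, which removes the release history rather than extending it. Unless the page is being retired on purpose, keep the anchor, heading, intro and table, append a new table row for the 8.12.1 package, and add the new include line after the existing `8-7-1` include instead of replacing the file; if this file is generated, the generator template rather than the data looks wrong.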
diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc index 980b406671..edc1948fc6 100644 --- a/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc +++ b/docs/detections/prebuilt-rules/prebuilt-rules-reference.asciidoc 
@@ -14,1450 +14,2078 @@ and their rule type is `machine_learning`. |Rule |Description |Tags |Added |Version -|<> |Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.5.0 |2 <> +|<> |Indicates the creation of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, move laterally, and/or escalate privileges. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence] |8.3.0 |7 -|<> |Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.5.0 |2 <> +|<> |Indicates the update of a scheduled task using Windows event logs. Adversaries can use these to establish persistence, by changing the configuration of a legit scheduled task. Some changes such as disabling or enabling a scheduled task are common and may may generate noise. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence] |8.3.0 |8 -|<> |An adversary may attempt to access the secrets in secrets manager to steal certificates, credentials, or other sensitive material |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection] [Credential Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the creation of an AWS log trail that specifies the settings for delivery of log data. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Collection] |8.9.0 |206 -|<> |Identifies the creation of an AWS log trail that specifies the settings for delivery of log data. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] |7.9.0 |101 <> +|<> |Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.9.0 |208 -|<> |Identifies the deletion of an AWS log trail. An adversary may delete trails in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.9.0 |208 -|<> |Identifies suspending the recording of AWS API calls and log file delivery for the specified trail. An adversary may suspend trails in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies an update to an AWS log trail setting that specifies the delivery of log files. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Impact] |8.9.0 |208 -|<> |Identifies an update to an AWS log trail setting that specifies the delivery of log files. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.9.0 |208 -|<> |Identifies the deletion of an AWS CloudWatch alarm. An adversary may delete alarms in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Impact] |8.9.0 |208 -|<> |Identifies the deletion of a specified AWS CloudWatch log group. When a log group is deleted, all the archived log events associated with the log group are also permanently deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Impact], [Resources: Investigation Guide] |8.9.0 |208 -|<> |Identifies the deletion of an AWS CloudWatch log stream, which permanently deletes all associated archived log events with the stream. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Impact] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.9.0 |208 -|<> |Identifies attempts to delete an AWS Config Service resource. An adversary may tamper with Config services in order to reduce visibility into the security posture of an account and / or its workload instances. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies an AWS configuration change to stop recording a designated set of resources. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.9.0 |205 -|<> |Identifies an AWS configuration change to stop recording a designated set of resources. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.9.0 |101 <> +|<> |This rule detects the use of system search utilities like grep and find to search for AWS credentials inside a container. Unauthorized access to these sensitive files could lead to further compromise of the container environment or facilitate a container breakout to the underlying cloud environment. |[Data Source: Elastic Defend for Containers], [Domain: Container], [OS: Linux], [Use Case: Threat Detection], [Tactic: Credential Access] |8.8.0 |1 -|<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |101 <> +|<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Aurora database cluster, global database cluster, or database instance. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Impact] |8.9.0 |205 -|<> |Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. 
Disabling encryption by default does not change the encryption status of your existing volumes. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection] |7.9.0 |101 <> +|<> |Identifies disabling of Amazon Elastic Block Store (EBS) encryption by default in the current region. Disabling encryption by default does not change the encryption status of your existing volumes. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.9.0 |205 -|<> |Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.14.0 |101 <> +|<> |Identifies potential Traffic Mirroring in an Amazon Elastic Compute Cloud (EC2) instance. Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an Elastic network interface. This feature can potentially be abused to exfiltrate sensitive data from unencrypted internal traffic. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Exfiltration], [Tactic: Collection] |8.9.0 |205 -|<> |Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |101 <> +|<> |Identifies the creation of an AWS Elastic Compute Cloud (EC2) network access control list (ACL) or an entry in a network ACL with a specified rule number. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.9.0 |205 -|<> |Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |101 <> +|<> |Identifies the deletion of an Amazon Elastic Compute Cloud (EC2) network access control list (ACL) or one of its ingress/egress entries. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.9.0 |205 -|<> |An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Exfiltration] [Investigation Guide] |7.9.0 |103 <> +|<> |An attempt was made to modify AWS EC2 snapshot attributes. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data from an EC2 fleet. If the permissions were modified, verify the snapshot was not shared with an unauthorized or unexpected AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration], [Resources: Investigation Guide] |8.9.0 |208 -|<> |Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |101 <> +|<> |Identifies an attempt to export an AWS EC2 instance. A virtual machine (VM) export may indicate an attempt to extract or exfiltrate information. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration], [Tactic: Collection] |8.9.0 |205 -|<> |Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Data Protection] |7.16.0 |101 <> +|<> |Detects when an EFS File System or Mount is deleted. An adversary could break any file system using the mount target that is being deleted, which might disrupt instances or applications using those mounts. The mount must be deleted prior to deleting the File System, or the adversary will be unable to delete the File System. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.9.0 |205 -|<> |Identifies when an ElastiCache security group has been created. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.16.0 |101 <> +|<> |Identifies when an ElastiCache security group has been created. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.9.0 |205 -|<> |Identifies when an ElastiCache security group has been modified or deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.16.0 |101 <> +|<> |Identifies when an ElastiCache security group has been modified or deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.9.0 |205 -|<> |Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Impact] |7.16.0 |101 <> +|<> |Identifies when a user has disabled or deleted an EventBridge rule. This activity can result in an unintended loss of visibility in applications or a break in the flow with other AWS services. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.9.0 |205 -|<> |Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Initial Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the execution of commands and scripts via System Manager. Execution methods such as RunShellScript, RunPowerShellScript, and alike can be abused by an authenticated attacker to install a backdoor or to interact with a compromised instance via reverse-shell using system only commands. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Initial Access], [Resources: Investigation Guide] |8.9.0 |208 -|<> |Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.9.0 |101 <> +|<> |Identifies the deletion of an Amazon GuardDuty detector. Upon deletion, GuardDuty stops monitoring the environment and all existing findings are lost. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Defense Evasion] |8.9.0 |205 -|<> |Identifies attempts to modify an AWS IAM Assume Role Policy. 
An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies attempts to modify an AWS IAM Assume Role Policy. An adversary may attempt to modify the AssumeRolePolicy of a misconfigured role in order to gain the privileges of that role. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Privilege Escalation] |8.9.0 |208 -|<> |Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies a high number of failed attempts to assume an AWS Identity and Access Management (IAM) role. IAM roles are used to delegate access to users or services. An adversary may attempt to enumerate IAM roles in order to determine if a role exists before attempting to assume or hijack the discovered role. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Credential Access] |8.9.0 |208 -|<> |Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the deactivation of a specified multi-factor authentication (MFA) device and removes it from association with the user name for which it was originally enabled. In AWS Identity and Access Management (IAM), a device must be deactivated before it can be deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Resources: Investigation Guide], [Tactic: Impact] |8.9.0 |208 -|<> |Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.9.0 |101 <> +|<> |Identifies the creation of a group in AWS Identity and Access Management (IAM). Groups specify permissions for multiple users. Any user in a group automatically has the permissions that are assigned to the group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Persistence] |8.9.0 |205 -|<> |Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.9.0 |101 <> +|<> |Identifies the deletion of a specified AWS Identity and Access Management (IAM) resource group. Deleting a resource group does not delete resources that are members of the group; it only deletes the group structure. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.9.0 |205 -|<> |Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.9.0 |101 <> +|<> |Identifies AWS IAM password recovery requests. An adversary may attempt to gain unauthorized AWS access by abusing password recovery mechanisms. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Initial Access] |8.9.0 |205 -|<> |Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Credential Access] [Persistence] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the addition of a user to a specified group in AWS Identity and Access Management (IAM). |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Credential Access], [Tactic: Persistence], [Resources: Investigation Guide] |8.9.0 |208 -|<> |Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Impact] |8.6.0 |1 +|<> |Identifies attempts to disable or schedule the deletion of an AWS KMS Customer Managed Key (CMK). Deleting an AWS KMS key is destructive and potentially dangerous. It deletes the key material and all metadata associated with the KMS key and is irreversible. After a KMS key is deleted, the data that was encrypted under that KMS key can no longer be decrypted, which means that data becomes unrecoverable. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Tactic: Impact] |8.9.0 |105 -|<> |Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.10.0 |101 <> +|<> |Identifies a high number of failed authentication attempts to the AWS management console for the Root user identity. An adversary may attempt to brute force the password for the Root user identity, as it has complete access to all services and resources for the AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Credential Access] |8.9.0 |205 -|<> |Identifies a successful login to the AWS Management Console by the Root user. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies a successful login to the AWS Management Console by the Root user. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Initial Access] |8.9.0 |208 -|<> |Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |101 <> +|<> |Identifies the creation of a new Amazon Relational Database Service (RDS) Aurora DB cluster or global database spread across multiple regions. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |205 -|<> |Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Persistence] |7.14.0 |101 <> +|<> |Identifies the creation of an Amazon Relational Database Service (RDS) Aurora database instance. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |205 -|<> |Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |101 <> +|<> |Identifies that an Amazon Relational Database Service (RDS) cluster or instance has been stopped. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Impact] |8.9.0 |205 -|<> |Identifies the creation of an Amazon Relational Database Service (RDS) Security group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.14.0 |101 <> +|<> |Identifies the creation of an Amazon Relational Database Service (RDS) Security group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Persistence] |8.9.0 |205 -|<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Monitoring] |7.14.0 |101 <> +|<> |Identifies the deletion of an Amazon Relational Database Service (RDS) Security group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Tactic: Impact] |8.9.0 |205 -|<> |Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Exfiltration] |7.16.0 |101 <> +|<> |Identifies the export of an Amazon Relational Database Service (RDS) Aurora database snapshot. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Exfiltration] |8.9.0 |205 -|<> |Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Defense Evasion] |7.16.0 |101 <> +|<> |Identifies when an attempt was made to restore an RDS Snapshot. Snapshots are sometimes shared by threat actors in order to exfiltrate bulk data or evade detection after performing malicious activities. If the permissions were modified, verify if the snapshot was shared with an unauthorized or unexpected AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Defense Evasion] |8.9.0 |205 -|<> |Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] [Persistence] |8.3.0 |101 <> +|<> |Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |205 -|<> |Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies attempts to login to AWS as the root user without using multi-factor authentication (MFA). Amazon AWS best practices indicate that the root user should be protected by MFA. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Resources: Investigation Guide], [Tactic: Privilege Escalation] |8.9.0 |208 -|<> |Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |101 <> +|<> |Identifies when a transfer lock was removed from a Route 53 domain. It is recommended to refrain from performing this action unless intending to transfer the domain to a different registrar. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |205 -|<> |Identifies when a request has been made to transfer a Route 53 domain to another AWS account. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.14.0 |101 <> +|<> |Identifies when a request has been made to transfer a Route 53 domain to another AWS account. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |205 -|<> |Identifies when an AWS Route Table has been created. 
|[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] [Persistence] |7.16.0 |101 <> +|<> |Identifies when an AWS Route Table has been created. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.9.0 |205 -|<> |Identifies when an AWS Route Table has been modified or deleted. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] [Persistence] |7.16.0 |101 <> +|<> |Identifies when an AWS Route Table has been modified or deleted. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.9.0 |205 -|<> |Identifies when a Route53 private hosted zone has been associated with VPC. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.16.0 |101 <> +|<> |Identifies when a Route53 private hosted zone has been associated with VPC. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Persistence] |8.9.0 |205 -|<> |Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Asset Visibility] |7.9.0 |101 <> +|<> |Identifies the deletion of various Amazon Simple Storage Service (S3) bucket configuration components. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Asset Visibility], [Tactic: Defense Evasion] |8.9.0 |206 -|<> |Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.16.0 |101 <> +|<> |Identifies when SAML activity has occurred in AWS. An adversary could manipulate SAML to maintain access to the target. 
|[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Defense Evasion] |8.9.0 |205 -|<> |Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.16.0 |101 <> +|<> |Identifies the suspicious use of GetSessionToken. Tokens could be created and used by attackers to move laterally and escalate privileges. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation] |8.9.0 |205 -|<> |Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.15.0 |101 <> +|<> |Identifies a change to an AWS Security Group Configuration. A security group is like a virtual firewall, and modifying configurations may allow unauthorized access. Threat actors may abuse this to establish persistence, exfiltrate data, or pivot in an AWS environment. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Persistence] |8.9.0 |205 -|<> |Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. An adversary could use those credentials to move laterally and escalate privileges. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Identity and Access] |7.16.0 |101 <> +|<> |Identifies the use of AssumeRole. AssumeRole returns a set of temporary security credentials that can be used to access AWS resources. 
An adversary could use those credentials to move laterally and escalate privileges. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Identity and Access Audit], [Tactic: Privilege Escalation] |8.9.0 |205 -|<> |Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Log Auditing] [Investigation Guide] |7.9.0 |103 <> +|<> |Identifies the deletion of one or more flow logs in AWS Elastic Compute Cloud (EC2). An adversary may delete flow logs in an attempt to evade defenses. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Log Auditing], [Resources: Investigation Guide], [Tactic: Defense Evasion] |8.9.0 |208 -|<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |101 <> +|<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) access control list. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.9.0 |205 -|<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group. |[Elastic] [Cloud] [AWS] [Continuous Monitoring] [SecOps] [Network Security] |7.9.0 |101 <> +|<> |Identifies the deletion of a specified AWS Web Application Firewall (WAF) rule or rule group. |[Domain: Cloud], [Data Source: AWS], [Data Source: Amazon Web Services], [Use Case: Network Security Monitoring], [Tactic: Defense Evasion] |8.9.0 |205 -|<> |Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. 
Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. |[Elastic] [Host] [Linux] [Threat Detection] [Execution] [BPFDoor] [Investigation Guide] |8.3.0 |102 <> +|<> |Identifies the creation of a Process ID (PID), lock or reboot file created in temporary file storage paradigm (tmpfs) directory /var/run. On Linux, the PID files typically hold the process ID to track previous copies running and manage other tasks. Certain Linux malware use the /var/run directory for holding data, executables and other tasks, disguising itself or these files as legitimate PID files. |[Domain: Endpoint], [OS: Linux], [Use Case: Threat Detection], [Tactic: Execution], [Threat: BPFDoor], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.6.0 |211 -|<> |Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service. |[Elastic] [Network] [Threat Detection] [Lateral Movement] [Investigation Guide] |7.10.0 |102 <> +|<> |Specially crafted DNS requests can manipulate a known overflow vulnerability in some Windows DNS servers, resulting in Remote Code Execution (RCE) or a Denial of Service (DoS) from crashing the service. |[Use Case: Threat Detection], [Tactic: Lateral Movement], [Resources: Investigation Guide], [Use Case: Vulnerability] |8.3.0 |105 -|<> |This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic. 
|[Elastic] [Host] [Network] [Threat Detection] [Command and Control] [Host] [Lateral Movement] [Initial Access] |7.6.0 |101 <> +|<> |This rule detects network events that may indicate the use of Telnet traffic. Telnet is commonly used by system administrators to remotely control older or embedded systems using the command line shell. It should almost never be directly exposed to the Internet, as it is frequently targeted and exploited by threat actors as an initial access or backdoor vector. As a plain-text protocol, it may also expose usernames and passwords to anyone capable of observing the traffic. |[Domain: Endpoint], [Use Case: Threat Detection], [Tactic: Command and Control], [Tactic: Lateral Movement], [Tactic: Initial Access] |8.3.0 |104 -|<> |Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. |[Elastic] [Host] [macOS] [Threat Detection] [Credential Access] |7.12.0 |100 <> +|<> |Identifies the execution of a process with arguments pointing to known browser files that store passwords and cookies. Adversaries may acquire credentials from web browsers by reading files specific to the target browser. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |106 -|<> |Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. |[Elastic] [Host] [macOS] [Threat Detection] [Credential Access] |7.10.0 |100 <> +|<> |Adversaries may collect the keychain storage data from a system to acquire credentials. 
Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes and certificates. |[Domain: Endpoint], [OS: macOS], [Use Case: Threat Detection], [Tactic: Credential Access], [Data Source: Elastic Defend] |8.3.0 |106 -|<> |Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. |[Elastic] [Host] [Windows] [Threat Detection] [Credential Access] [Active Directory] |8.6.0 |1 +|<> |Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys such as unixUserPassword, ms-PKI-AccountCredentials and msPKI-CredentialRoamingTokens. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Credential Access], [Tactic: Privilege Escalation], [Use Case: Active Directory Monitoring], [Data Source: Active Directory] |8.3.0 |9 -|<> |Detects the creation and modification of an account with the "Don't Expire Password" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] [Active Directory] [Investigation Guide] |8.2.0 |102 <> +|<> |Identifies commands containing references to Outlook data files extensions, which can potentially indicate the search, access, or modification of these files. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Collection], [Data Source: Elastic Defend], [Rule Type: BBR] |8.3.0 |1 -|<> |Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. 
|[Elastic] [Host] [Windows] [Threat Detection] [Discovery] [Investigation Guide] |7.7.0 |102 <> +|<> |Detects the creation and modification of an account with the "Don't Expire Password" option Enabled. Attackers can abuse this misconfiguration to persist in the domain and maintain long-term access using compromised accounts with this property. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Data Source: Active Directory], [Resources: Investigation Guide], [Use Case: Active Directory Monitoring] |8.3.0 |108 -|<> |Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. |[Elastic] [Host] [Windows] [Threat Detection] [Persistence] |8.0.0 |101 <> +|<> |Identifies when the SYSTEM account uses an account discovery utility. This could be a sign of discovery activity after an adversary has achieved privilege escalation. |[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Discovery], [Tactic: Privilege Escalation], [Resources: Investigation Guide], [Data Source: Elastic Defend] |8.3.0 |108 -|<> |This rule detects the Active Directory query tool, AdFind.exe. AdFind has legitimate purposes, but it is frequently leveraged by threat actors to perform post-exploitation Active Directory reconnaissance. The AdFind tool has been observed in Trickbot, Ryuk, Maze, and FIN6 campaigns. For Winlogbeat, this rule requires Sysmon. |[Elastic] [Host] [Windows] [Threat Detection] [Discovery] [Investigation Guide] [Elastic Endgame] |7.11.0 |102 <> +|<> |Identifies an attempt to reset a potentially privileged account password remotely. Adversaries may manipulate account passwords to maintain access or evade password duration policies and preserve compromised credentials. 
|[Domain: Endpoint], [OS: Windows], [Use Case: Threat Detection], [Tactic: Persistence], [Tactic: Impact] |8.3.0 |107 -|<
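Review bot: The regenerated row for the sensitive-LDAP-attribute rule carries its description forward with the same agreement error as the removed line, "Identify access to sensitive Active Directory object attributes that contains credentials and decryption keys"; since this file is generated from the rule metadata, the fix belongs in the rule's description field ("attributes that contain credentials") so it does not reappear on the next docs update. The same row bumps the rule version from 1 to 9 and adds [Tactic: Privilege Escalation] and [Data Source: Active Directory] while keeping a minimum stack version of 8.3.0, which is consistent with the other Windows rows in this hunk, so only the wording needs attention.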