[Detection Rules][8.6] Add detection rule security document updates (#…

…2761) * updating pre-existing pre-built detection rule security docs with newly generated * adjusted link to os-query investigation guides
elastic · Dec 5, 2022 · 5d29dc9 · 5d29dc9
1 parent d2634a6
commit 5d29dc9
Show file tree

Hide file tree

Showing 465 changed files with 217,146 additions and 2,128 deletions.
diff --git a/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc b/docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc
@@ -5,6 +5,101 @@ The following lists prebuilt rule updates per release. Only rules with
 significant modifications to their query or scope are listed. For detailed
 information about a rule's changes, see the rule's description page.
 
+[float]
+=== 8.6.0
+
+<<a-scheduled-task-was-created>>
+
+<<a-scheduled-task-was-updated>>
+
+<<abnormal-process-id-or-lock-file-created>>
+
+<<accepted-default-telnet-port-connection>>
+
+<<account-password-reset-remotely>>
+
+<<adversary-behavior-detected-elastic-endgame>>
+
+<<clearing-windows-console-history>>
+
+<<component-object-model-hijacking>>
+
+<<connection-to-commonly-abused-web-services>>
+
+<<creation-or-modification-of-root-certificate>>
+
+<<file-transfer-or-listener-established-via-netcat>>
+
+<<kubernetes-anonymous-request-authorized>>
+
+<<kubernetes-exposed-service-created-with-type-nodeport>>
+
+<<kubernetes-pod-created-with-hostipc>>
+
+<<kubernetes-pod-created-with-hostnetwork>>
+
+<<kubernetes-pod-created-with-hostpid>>
+
+<<kubernetes-pod-created-with-a-sensitive-hostpath-volume>>
+
+<<kubernetes-privileged-pod-created>>
+
+<<kubernetes-suspicious-assignment-of-controller-service-account>>
+
+<<kubernetes-suspicious-self-subject-review>>
+
+<<kubernetes-user-exec-into-pod>>
+
+<<ms-office-macro-security-registry-modifications>>
+
+<<modification-of-amsienable-registry-key>>
+
+<<modification-of-wdigest-security-provider>>
+
+<<network-logon-provider-registry-modification>>
+
+<<nullsessionpipe-registry-modification>>
+
+<<port-forwarding-rule-addition>>
+
+<<potential-application-shimming-via-sdbinst>>
+
+<<potential-process-herpaderping-attempt>>
+
+<<potential-remote-credential-access-via-registry>>
+
+<<potential-shadow-credentials-added-to-ad-object>>
+
+<<potential-shadow-file-read-via-command-line-utilities>>
+
+<<powershell-script-block-logging-disabled>>
+
+<<process-creation-via-secondary-logon>>
+
+<<process-termination-followed-by-deletion>>
+
+<<remote-computer-account-dnshostname-update>>
+
+<<sip-provider-modification>>
+
+<<scheduled-tasks-at-command-enabled>>
+
+<<solarwinds-process-disabling-services-via-registry>>
+
+<<suspicious-file-creation-in-etc-for-persistence>>
+
+<<suspicious-powershell-engine-imageload>>
+
+<<suspicious-wmi-image-load-from-ms-office>>
+
+<<system-log-file-deletion>>
+
+<<temporarily-scheduled-task-creation>>
+
+<<windows-defender-disabled-via-registry-modification>>
+
+<<windows-registry-file-creation-in-smb-share>>
+
 [float]
 === 8.5.0
 
@@ -409,8 +504,6 @@ information about a rule's changes, see the rule's description page.
 
 <<gcp-iam-service-account-key-deletion>>
 
-<<gcp-kubernetes-rolebindings-created-or-patched>>
-
 <<gcp-logging-bucket-deletion>>
 
 <<gcp-logging-sink-deletion>>
@@ -730,8 +823,6 @@ information about a rule's changes, see the rule's description page.
 
 <<disabling-user-account-control-via-registry-modification>>
 
-<<gcp-kubernetes-rolebindings-created-or-patched>>
-
 <<installation-of-security-support-provider>>
 
 <<kerberos-traffic-from-unusual-process>>
@@ -930,6 +1021,8 @@ information about a rule's changes, see the rule's description page.
 [float]
 === 7.14.0
 
+<<accepted-default-telnet-port-connection>>
+
 <<apple-script-execution-followed-by-network-connection>>
 
 <<attempts-to-brute-force-a-microsoft-365-user-account>>
@@ -1014,8 +1107,6 @@ information about a rule's changes, see the rule's description page.
 
 <<suspicious-powershell-engine-imageload>>
 
-<<telnet-port-activity>>
-
 <<unusual-network-connection-via-rundll32>>
 
 <<vnc-virtual-network-computing-from-the-internet>>
@@ -1237,7 +1328,7 @@ information about a rule's changes, see the rule's description page.
 
 <<user-account-creation>>
 
-<<user-added-to-privileged-group-in-active-directory>>
+<<user-added-to-privileged-group>>
 
 <<volume-shadow-copy-deleted-or-resized-via-vssadmin>>
 
@@ -1564,14 +1655,14 @@ information about a rule's changes, see the rule's description page.
 
 <<direct-outbound-smb-connection>>
 
+<<file-transfer-or-listener-established-via-netcat>>
+
 <<microsoft-build-engine-using-an-alternate-name>>
 
 <<modification-or-removal-of-an-okta-application-sign-on-policy>>
 
 <<msbuild-making-network-connections>>
 
-<<netcat-network-activity>>
-
 <<network-connection-via-certutil>>
 
 <<network-connection-via-compiled-html-file>>
@@ -1611,6 +1702,8 @@ information about a rule's changes, see the rule's description page.
 [float]
 === 7.9.0
 
+<<accepted-default-telnet-port-connection>>
+
 <<account-discovery-command-via-system-account>>
 
 <<adding-hidden-file-attribute-via-attrib>>
@@ -1645,6 +1738,8 @@ information about a rule's changes, see the rule's description page.
 
 <<file-permission-modification-in-writable-directory>>
 
+<<file-transfer-or-listener-established-via-netcat>>
+
 <<hping-process-activity>>
 
 <<ipsec-nat-traversal-port-activity>>
@@ -1671,8 +1766,6 @@ information about a rule's changes, see the rule's description page.
 
 <<msbuild-making-network-connections>>
 
-<<netcat-network-activity>>
-
 <<network-connection-via-certutil>>
 
 <<network-connection-via-compiled-html-file>>
@@ -1723,8 +1816,6 @@ information about a rule's changes, see the rule's description page.
 
 <<system-shells-via-services>>
 
-<<telnet-port-activity>>
-
 <<unusual-network-connection-via-rundll32>>
 
 <<unusual-parent-child-relationship>>
@@ -1792,6 +1883,8 @@ These prebuilt rules have been updated:
 
 <<exploit-prevented-elastic-endgame>>
 
+<<file-transfer-or-listener-established-via-netcat>>
+
 <<hping-process-activity>>
 
 <<local-scheduled-task-creation>>
@@ -1802,8 +1895,6 @@ These prebuilt rules have been updated:
 
 <<msbuild-making-network-connections>>
 
-<<netcat-network-activity>>
-
 <<network-connection-via-compiled-html-file>>
 
 <<network-connection-via-registration-utility>>
@@ -1874,6 +1965,8 @@ These prebuilt rules have been updated:
 [float]
 === 7.6.1
 
+<<accepted-default-telnet-port-connection>>
+
 <<ipsec-nat-traversal-port-activity>>
 
 <<potential-shell-via-web-server>>
@@ -1888,8 +1981,6 @@ These prebuilt rules have been updated:
 
 <<smtp-on-port-26-tcp>>
 
-<<telnet-port-activity>>
-
 <<vnc-virtual-network-computing-from-the-internet>>
 
 <<vnc-virtual-network-computing-to-the-internet>>