
Commit 5d29dc9

[Detection Rules][8.6] Add detection rule security document updates (#2761)

* updating pre-existing pre-built detection rule security docs with newly generated
* adjusted link to os-query investigation guides
1 parent d2634a6 commit 5d29dc9

File tree

465 files changed

+217146
-2128
lines changed


docs/detections/prebuilt-rules/prebuilt-rules-changelog.asciidoc

+108-17
@@ -5,6 +5,101 @@ The following lists prebuilt rule updates per release. Only rules with
55
significant modifications to their query or scope are listed. For detailed
66
information about a rule's changes, see the rule's description page.
77

8+
[float]
9+
=== 8.6.0
10+
11+
<<a-scheduled-task-was-created>>
12+
13+
<<a-scheduled-task-was-updated>>
14+
15+
<<abnormal-process-id-or-lock-file-created>>
16+
17+
<<accepted-default-telnet-port-connection>>
18+
19+
<<account-password-reset-remotely>>
20+
21+
<<adversary-behavior-detected-elastic-endgame>>
22+
23+
<<clearing-windows-console-history>>
24+
25+
<<component-object-model-hijacking>>
26+
27+
<<connection-to-commonly-abused-web-services>>
28+
29+
<<creation-or-modification-of-root-certificate>>
30+
31+
<<file-transfer-or-listener-established-via-netcat>>
32+
33+
<<kubernetes-anonymous-request-authorized>>
34+
35+
<<kubernetes-exposed-service-created-with-type-nodeport>>
36+
37+
<<kubernetes-pod-created-with-hostipc>>
38+
39+
<<kubernetes-pod-created-with-hostnetwork>>
40+
41+
<<kubernetes-pod-created-with-hostpid>>
42+
43+
<<kubernetes-pod-created-with-a-sensitive-hostpath-volume>>
44+
45+
<<kubernetes-privileged-pod-created>>
46+
47+
<<kubernetes-suspicious-assignment-of-controller-service-account>>
48+
49+
<<kubernetes-suspicious-self-subject-review>>
50+
51+
<<kubernetes-user-exec-into-pod>>
52+
53+
<<ms-office-macro-security-registry-modifications>>
54+
55+
<<modification-of-amsienable-registry-key>>
56+
57+
<<modification-of-wdigest-security-provider>>
58+
59+
<<network-logon-provider-registry-modification>>
60+
61+
<<nullsessionpipe-registry-modification>>
62+
63+
<<port-forwarding-rule-addition>>
64+
65+
<<potential-application-shimming-via-sdbinst>>
66+
67+
<<potential-process-herpaderping-attempt>>
68+
69+
<<potential-remote-credential-access-via-registry>>
70+
71+
<<potential-shadow-credentials-added-to-ad-object>>
72+
73+
<<potential-shadow-file-read-via-command-line-utilities>>
74+
75+
<<powershell-script-block-logging-disabled>>
76+
77+
<<process-creation-via-secondary-logon>>
78+
79+
<<process-termination-followed-by-deletion>>
80+
81+
<<remote-computer-account-dnshostname-update>>
82+
83+
<<sip-provider-modification>>
84+
85+
<<scheduled-tasks-at-command-enabled>>
86+
87+
<<solarwinds-process-disabling-services-via-registry>>
88+
89+
<<suspicious-file-creation-in-etc-for-persistence>>
90+
91+
<<suspicious-powershell-engine-imageload>>
92+
93+
<<suspicious-wmi-image-load-from-ms-office>>
94+
95+
<<system-log-file-deletion>>
96+
97+
<<temporarily-scheduled-task-creation>>
98+
99+
<<windows-defender-disabled-via-registry-modification>>
100+
101+
<<windows-registry-file-creation-in-smb-share>>
102+
8103
[float]
9104
=== 8.5.0
10105

@@ -409,8 +504,6 @@ information about a rule's changes, see the rule's description page.
409504

410505
<<gcp-iam-service-account-key-deletion>>
411506

412-
<<gcp-kubernetes-rolebindings-created-or-patched>>
413-
414507
<<gcp-logging-bucket-deletion>>
415508

416509
<<gcp-logging-sink-deletion>>
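Review bot: deleting `<<gcp-kubernetes-rolebindings-created-or-patched>>` (old line 412) from a past release section rewrites the history of what shipped in that release, and this hunk adds no replacement entry. If the rule page was removed or merged into another rule, prefer keeping the historical entry pointed at its successor, or add a short deprecation line, so readers who search the changelog for the old rule name find out why it disappeared rather than finding nothing.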
@@ -730,8 +823,6 @@ information about a rule's changes, see the rule's description page.
730823

731824
<<disabling-user-account-control-via-registry-modification>>
732825

733-
<<gcp-kubernetes-rolebindings-created-or-patched>>
734-
735826
<<installation-of-security-support-provider>>
736827

737828
<<kerberos-traffic-from-unusual-process>>
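Review bot: this is the second release section losing the same anchor (old line 733), which confirms the target page is gone from the docs tree. A rule that is retired is still worth one line in the new 8.6.0 section at the top of the file, since a user with the rule still enabled has no other signal that it is no longer maintained.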
@@ -930,6 +1021,8 @@ information about a rule's changes, see the rule's description page.
9301021
[float]
9311022
=== 7.14.0
9321023

1024+
<<accepted-default-telnet-port-connection>>
1025+
9331026
<<apple-script-execution-followed-by-network-connection>>
9341027

9351028
<<attempts-to-brute-force-a-microsoft-365-user-account>>
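Review bot: the insertion of `<<accepted-default-telnet-port-connection>>` at the head of the 7.14.0 list is in the right alphabetical slot (before `<<apple-script-execution-followed-by-network-connection>>`), but the following hunk drops `<<telnet-port-activity>>` from the same section, so this is a back-ported rename rather than a 7.14.0 change. The section now claims a rule by a name that did not exist in 7.14.0; if the anchor id is kept stable while only the title changes, historical sections could keep the original anchor and no back-port would be needed.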
@@ -1014,8 +1107,6 @@ information about a rule's changes, see the rule's description page.
10141107

10151108
<<suspicious-powershell-engine-imageload>>
10161109

1017-
<<telnet-port-activity>>
1018-
10191110
<<unusual-network-connection-via-rundll32>>
10201111

10211112
<<vnc-virtual-network-computing-from-the-internet>>
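Review bot: removing `<<telnet-port-activity>>` (old line 1017) keeps the list's blank-line separation intact, but the old anchor id is also the URL fragment of the published rule page. Check whether an alias for the old id is retained so existing bookmarks and external links to the telnet rule keep resolving after the rename.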
@@ -1237,7 +1328,7 @@ information about a rule's changes, see the rule's description page.
12371328

12381329
<<user-account-creation>>
12391330

1240-
<<user-added-to-privileged-group-in-active-directory>>
1331+
<<user-added-to-privileged-group>>
12411332

12421333
<<volume-shadow-copy-deleted-or-resized-via-vssadmin>>
12431334

@@ -1564,14 +1655,14 @@ information about a rule's changes, see the rule's description page.
15641655

15651656
<<direct-outbound-smb-connection>>
15661657

1658+
<<file-transfer-or-listener-established-via-netcat>>
1659+
15671660
<<microsoft-build-engine-using-an-alternate-name>>
15681661

15691662
<<modification-or-removal-of-an-okta-application-sign-on-policy>>
15701663

15711664
<<msbuild-making-network-connections>>
15721665

1573-
<<netcat-network-activity>>
1574-
15751666
<<network-connection-via-certutil>>
15761667

15771668
<<network-connection-via-compiled-html-file>>
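Review bot: the new `<<file-transfer-or-listener-established-via-netcat>>` entry and the removal of `<<netcat-network-activity>>` (old line 1573) are one rename landing in the same hunk, which is easy to review; the same pair is repeated by hand in the 7.9.0 and later sections below. Since this looks script-driven, grep the whole docs tree for `netcat-network-activity` to confirm no section or other page still references the old anchor, which would fail the cross-reference check.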
@@ -1611,6 +1702,8 @@ information about a rule's changes, see the rule's description page.
16111702
[float]
16121703
=== 7.9.0
16131704

1705+
<<accepted-default-telnet-port-connection>>
1706+
16141707
<<account-discovery-command-via-system-account>>
16151708

16161709
<<adding-hidden-file-attribute-via-attrib>>
@@ -1645,6 +1738,8 @@ information about a rule's changes, see the rule's description page.
16451738

16461739
<<file-permission-modification-in-writable-directory>>
16471740

1741+
<<file-transfer-or-listener-established-via-netcat>>
1742+
16481743
<<hping-process-activity>>
16491744

16501745
<<ipsec-nat-traversal-port-activity>>
@@ -1671,8 +1766,6 @@ information about a rule's changes, see the rule's description page.
16711766

16721767
<<msbuild-making-network-connections>>
16731768

1674-
<<netcat-network-activity>>
1675-
16761769
<<network-connection-via-certutil>>
16771770

16781771
<<network-connection-via-compiled-html-file>>
@@ -1723,8 +1816,6 @@ information about a rule's changes, see the rule's description page.
17231816

17241817
<<system-shells-via-services>>
17251818

1726-
<<telnet-port-activity>>
1727-
17281819
<<unusual-network-connection-via-rundll32>>
17291820

17301821
<<unusual-parent-child-relationship>>
@@ -1792,6 +1883,8 @@ These prebuilt rules have been updated:
17921883

17931884
<<exploit-prevented-elastic-endgame>>
17941885

1886+
<<file-transfer-or-listener-established-via-netcat>>
1887+
17951888
<<hping-process-activity>>
17961889

17971890
<<local-scheduled-task-creation>>
@@ -1802,8 +1895,6 @@ These prebuilt rules have been updated:
18021895

18031896
<<msbuild-making-network-connections>>
18041897

1805-
<<netcat-network-activity>>
1806-
18071898
<<network-connection-via-compiled-html-file>>
18081899

18091900
<<network-connection-via-registration-utility>>
@@ -1874,6 +1965,8 @@ These prebuilt rules have been updated:
18741965
[float]
18751966
=== 7.6.1
18761967

1968+
<<accepted-default-telnet-port-connection>>
1969+
18771970
<<ipsec-nat-traversal-port-activity>>
18781971

18791972
<<potential-shell-via-web-server>>
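Review bot: 7.6.1 is the oldest section that receives the back-ported telnet rename, so the changelog now lists current titles all the way down to the earliest release. That is consistent, but it is not obvious to a reader; a single sentence near the intro text at lines 5-7 stating that historical entries link to each rule's current name would explain why titles introduced in 8.6.0 appear under 7.6.1.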
@@ -1888,8 +1981,6 @@ These prebuilt rules have been updated:
18881981

18891982
<<smtp-on-port-26-tcp>>
18901983

1891-
<<telnet-port-activity>>
1892-
18931984
<<vnc-virtual-network-computing-from-the-internet>>
18941985

18951986
<<vnc-virtual-network-computing-to-the-internet>>
