Update 50 detections #2863

Merged: 6 commits merged into release_v4.14.0 from update_50_detections, Oct 13, 2023

Conversation

gowthamarajr (Collaborator)
Updated descriptions for the detections below:

  1. Azure AD Privileged Role Assigned to Service Principal
  2. Access LSASS Memory for Dump Creation
  3. Detect Windows DNS SIGRed via Splunk Stream
  4. Attempt To Add Certificate To Untrusted Store
  5. Correlation by Repository and Risk
  6. Correlation by User and Risk
  7. Script Execution via WMI
  8. Detect Baron Samedit CVE-2021-3156 Segfault
  9. Detect Baron Samedit CVE-2021-3156 via OSQuery
  10. Detect Baron Samedit CVE-2021-3156
  11. GitHub Pull Request from Unknown User
  12. GitHub Dependabot Alert
  13. Create Remote Thread into LSASS
  14. Cloud Compute Instance Created With Previously Unseen Instance Type
  15. Circle CI Disable Security Job
  16. Circle CI Disable Security Step
  17. O365 New Federated Domain Added
  18. Dump LSASS via comsvcs DLL
  19. Cloud API Calls From Previously Unseen User Roles
  20. Detect Credential Dumping through LSASS access
  21. WMI Permanent Event Subscription
  22. WMI Temporary Event Subscription
  23. Detect Windows DNS SIGRed via Zeek
  24. Amazon EKS Kubernetes Pod scan detection
  25. Windows AD Domain Controller Audit Policy Disabled
  26. Common Ransomware Extensions
  27. Attempt To Stop Security Service
  28. Credential Dumping via Copy Command from Shadow Copy
  29. Suspicious Email Attachment Extensions
  30. Credential Dumping via Symlink to Shadow Copy
  31. Linux Decode Base64 to Shell
  32. Create local admin accounts using net exe
  33. Attacker Tools On Endpoint
  34. Supernova Webshell
  35. Web Servers Executing Suspicious Processes
  36. Create or delete windows shares using net exe
  37. Single Letter Process On Endpoint
  38. Detect New Local Admin account
  39. O365 Suspicious User Email Forwarding
  40. Cloud Compute Instance Created With Previously Unseen Image
  41. File with Samsam Extension
  42. Short Lived Windows Accounts
  43. SQL Injection with Long URLs
  44. Suspicious writes to windows Recycle Bin
  45. Remcos client registry install entry
  46. Creation of Shadow Copy with wmic and powershell
  47. Detect Zerologon via Zeek
  48. Unusually Long Command Line
  49. Windows Service Creation Using Registry Entry
  50. SMB Traffic Spike

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.

@patel-bhavin patel-bhavin changed the base branch from develop to release_v4.14.0 October 11, 2023 19:04
patel-bhavin (Contributor) left a comment:

[screenshot]
Tested on ES!!

@patel-bhavin patel-bhavin merged commit 3d994b2 into release_v4.14.0 Oct 13, 2023
26 checks passed
@delete-merged-branch delete-merged-branch bot deleted the update_50_detections branch October 13, 2023 18:19
3 participants