detection-rules
## Issues Part of https://github.com/elastic/ia-trade-team/issues/533 ## Summary Identifies PowerShell scripts that use string reordering and runtime reconstruction techniques as a form of obfuscation. These methods are designed to evade static...
## Issues Part of https://github.com/elastic/ia-trade-team/issues/533 ## Summary Identifies PowerShell scripts that use string concatenation as a form of obfuscation. These methods are designed to evade static analysis and bypass security...
## Issues Part of https://github.com/elastic/ia-trade-team/issues/533 ## Summary Identifies PowerShell scripts that use character arrays and runtime string reconstruction as a form of obfuscation. This technique breaks strings into individual characters,...
# Pull Request *Issue link(s)*: Resolves https://github.com/elastic/detection-rules/issues/4566 ## Summary - What I changed This PR fixes a bug where there was a missing default value if there were no new_terms...
## Issues Part of https://github.com/elastic/ia-trade-team/issues/533 ## Summary Identifies PowerShell scripts with an abnormally high proportion of non-alphanumeric characters, often resulting from encoding, string mangling, or dynamic code generation. High volume...
## Issues Part of https://github.com/elastic/ia-trade-team/issues/533 ## Summary Identifies PowerShell scripts that use backtick-escaped characters inside ${} variable expansion as a form of obfuscation. These methods are designed to evade static...
## Issues Part of https://github.com/elastic/ia-trade-team/issues/533 ## Summary Identifies PowerShell scripts with a disproportionately high number of numeric characters, often indicating the presence of obfuscated or encoded payloads. This behavior is...
## Issues Part of https://github.com/elastic/ia-trade-team/issues/533 ## Summary Identifies PowerShell scripts with an unusually high proportion of whitespace and special characters, often indicative of obfuscation. This behavior is commonly associated with...
# Pull Request *Issue link(s)*: * https://github.com/elastic/ia-trade-team/issues/585 ## Summary - What I changed Adds detection coverage for `AWS STS Temporary IAM Session Token Used from Multiple Addresses`. Identified via ByBit/SafeWallet...
## Issues Part of https://github.com/elastic/ia-trade-team/issues/533 ## Summary Identifies PowerShell scripts that reconstruct the IEX (Invoke-Expression) command at runtime using indexed slices of environment variables. This technique leverages character access and...