security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,690 Commits 1 Branch 0 Tags
0308e32ea00a8ba0dcc5d214b1fae6ec31ef1a82
Commit Graph

43 Commits

Author SHA1 Message Date
Jonhnathan 788f2ce884 [Rule Tuning] PowerShell Rules Tuning (#3169) 
(cherry picked from commit 3f2a709370)
 2023-10-11 21:03:44 +00:00
Justin Ibarra 7c563fb834 [New Rule] File Compressed or Archived into Common Format (#3173) 
* [New Rule] File Compressed or Archived into Common Format
* new build-threat-map-entry-command

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 7f8a9849c4)
 2023-10-11 18:40:16 +00:00
Ruben Groenewoud f66b82c0ec [Tuning] Windows Execution Rule Tuning for UEBA (#3107) 
* Update defense_evasion_execution_msbuild_started_by_script.toml

* Mostly updated Execution tags, also new_terms conv

* removed index

* Removed index

* WMIPrvSE tuning

* Additional tuning

* Tuning & changes

* Additional tuning

* Applied unit test optimization

* Addressed feedback

* Update rules/windows/execution_command_shell_started_by_svchost.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* caseless unit testing fix

* fixed caseless executable unit test

* unit testing fix

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update execution_ms_office_written_file.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml

* Added user ids to new terms

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/execution_unsigned_service_executable.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update execution_unsigned_service_executable.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit c2822e175c)
 2023-10-11 08:21:37 +00:00
Ruben Groenewoud d4d794b586 [Tuning] Windows Discovery Rule Tuning for UEBA (#3097) 
* [Tuning] Win DR Tuning for UEBA

* Need to get used to Windows formatting

* Added additional content

* Updated min stack

* Added additional tuning

* Fixed unit testing for KQL optimization

* Update rules_building_block/discovery_internet_capabilities.toml

* Additional tuning

* Kuery optimization

* Additional tuning

* Additional tuning

* Additional tuning

* Additional tuning

* Unit testing optimization fix

* optimization

* tuning

* Optimization

* Update rules/windows/discovery_privileged_localgroup_membership.toml

* Added feedback

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* added host.id as additional new_terms field

* Reworked a lot.

* kibana.alert.rule.rule_id to non-ecs-schema.json

* Fixed index by adding a dot

* fixed typo

* Added host.os.type:windows for signals

* Added additional tag

* Added Higher-Order Rule tag

* Stripped down signal rules down to two

* revert

* Update rules/windows/discovery_admin_recon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_generic_registry_query.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update discovery_generic_registry_query.toml

* Readded exclusions

* Added trailing wildcards for KQL

* Update discovery_privileged_localgroup_membership.toml

* Update rules_building_block/discovery_signal_unusual_user_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Formatting fix

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 4cdf52129a)
 2023-10-11 07:49:08 +00:00
Ruben Groenewoud dd080b7850 [New BBR] Sus. Process Started via tmux or screen (#3071) 
* [New BBR] Sus. Process Started via tmux or screen

* [New BBR] Unix Socket Connection

* Revert "[New BBR] Unix Socket Connection"

This reverts commit 92a0b09e8c505bceb1025124658bb4233d5d19d9.

* Update rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 8f122197bb)
 2023-09-30 11:02:39 +00:00
Jonhnathan 7cb4c5216d [New Rule] [BBR] File with Suspicious Extension Downloaded (#3139) 
* [New Rule] [BBR] File with Suspicious Extension Downloaded

* Update defense_evasion_download_susp_extension.toml

(cherry picked from commit f77bec8552)
 2023-09-27 15:43:02 +00:00
Jonhnathan 711e0f3ab7 [New Rule] New BBR Rules - Part 2 (#3029) 
* [New Rule] New BBR Rules - Part 2

* Update discovery_generic_account_groups.toml

* Update discovery_generic_account_groups.toml

* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/execution_downloaded_shortcut_files.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/defense_evasion_unusual_process_extension.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update defense_evasion_unusual_process_extension.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit ddb1f75352)
 2023-09-13 00:54:52 +00:00
Jonhnathan 4b2112f4a0 [New Rule] New BBR Rules - Part 3 (#3034) 
* [New Rule] New BBR Rules - Part 3

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit af99186992)
 2023-09-13 00:34:12 +00:00
Jonhnathan e9b1ebae3f [New Rule] New BBR Rules - Part 5 (#3052) 
* [New Rule] New BBR Rules - Part 5

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Tag work

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 3614f42b00)
 2023-09-05 21:42:38 +00:00
Jonhnathan 521ecdc6c4 [New Rule] New BBR Rules - Part 1 (#3026) 
* [New Rule] New BBR Rules - Part 1

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/lateral_movement_at.toml

* Update rules_building_block/collection_outlook_email_archive.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 8049c96281)
 2023-09-05 21:14:06 +00:00
Jonhnathan 56e54e714c [New Rule] Potential Masquerading as Business App Installer (#3068) 
(cherry picked from commit 26c97dc241)
 2023-09-05 21:04:26 +00:00
Jonhnathan 063386829c [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>

(cherry picked from commit 4233fef238)
 2023-09-05 18:28:40 +00:00
Jonhnathan 6c074f21d8 [New Rule][BBR] WRITEDAC Access on Active Directory Object (#3015) 
* [New Rule] WRITEDAC Access on Active Directory Object

* Update defense_evasion_write_dac_access.toml

* Fix Setup Instructions

* Update defense_evasion_write_dac_access.toml

* Update rules_building_block/defense_evasion_write_dac_access.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit fdd45148b8)
 2023-08-31 16:04:58 +00:00
Ruben Groenewoud 3926384446 [New Rules] GDB Secret Dumping (#3060) 
* [New Rules] GDB Secret Dumping

* Added references to BBR

* Update rules/linux/credential_access_gdb_init_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit f7d8d4752a)
 2023-08-31 15:47:30 +00:00
Ruben Groenewoud 7b5897bad4 [New BBR] Suspicious which Enumeration (#3059) 
(cherry picked from commit 04d1c3cd5b)
 2023-08-31 12:01:57 +00:00
Jonhnathan dee3a5f61c [New Rule] Suspicious Communication App Child Process (#2998) 
* [New Rule] Suspicious Communication App Child Process

* Update defense_evasion_communication_apps_suspicious_child_process.toml

* Update rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit c89b722a34)
 2023-08-31 10:38:57 +00:00
Jonhnathan ae1f704845 [New Rule] Potential Masquerading as VLC DLL (#3006) 
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit a7a22a0917)
 2023-08-30 20:51:39 +00:00
Ruben Groenewoud 1da5bca492 [New Rules] Linux Tunneling and Port Forwarding (#3028) 
* Removed iodine rule due to new tunneling rule

* [New Rules] Linux Tunneling and Port Forwarding

* added ash

* Fixed description styling

* Changed rule name

* Update command_and_control_linux_suspicious_proxychains_activity.toml

* Added deprecation note & name change

* Changed deprecation status

* Removed deprecation date

* Fixed unit testing

* Update rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 32abdb95f7)
 2023-08-30 20:17:43 +00:00
Jonhnathan 374ac8ad1c [New Rule] Unusual Process For MSSQL Service Accounts (#3040) 
* [New Rule] Unusual Process For MSSQL Service Accounts

* Update initial_access_unusual_process_sql_accounts.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update collection_archive_data_zip_imageload.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update rules_building_block/initial_access_unusual_process_sql_accounts.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

added   "vpnbridge.exe", "certutil.exe" and "bitsadmin.exe" to rule scope.

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 7004c99ef5)
 2023-08-29 12:16:12 +00:00
Jonhnathan 154ee50051 [New Rule] New BBR Rules - Part 4 (#3035) 
* [New Rule] New BBR Rules - Part 4

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 0e337e2c36)
 2023-08-29 11:55:07 +00:00
Jonhnathan 520a670568 [New Rule] Potential Masquerading as Browser Process (#2995) 
* [New Rule] Potential Masquerading as Browser Process

* Update rules_building_block/defense_evasion_masquerading_browsers.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update defense_evasion_masquerading_browsers.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 9f213cc9f7)
 2023-08-28 16:34:26 +00:00
Jonhnathan 112e2f2864 [New Rule] Potential Masquerading as Windows System32 DLL (#3021) 
* [New Rule] Potential Masquerading as Windows System32 DLL

* Update rules_building_block/defense_evasion_masquerading_windows_dll.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_dll.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Restrict logic

* Update defense_evasion_masquerading_windows_dll.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 7496c5cb68)
 2023-08-28 11:37:53 +00:00
Jonhnathan f00a14c3af [New Rule] Network-Level Authentication (NLA) Disabled (#3039) 
* [New Rule] Network-Level Authentication (NLA) Disabled

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit ffa60f2d03)
 2023-08-28 11:11:26 +00:00
shashank-elastic 8aad7d7d02 BBR Rules Addition (#3027) 
(cherry picked from commit d21ed24e4f)
 2023-08-25 13:45:51 +00:00
Ruben Groenewoud ed2daecb25 [Rule Tuning] Several rule tunings (#3024) 
* [Rule Tuning] Several rule tunings

* Added 1 more

* optimized ransomware encryption rules

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/impact_potential_linux_ransomware_note_detected.toml

* Added 2 more tunings based on todays telemetry

* Some tunings

* Tuning

* Tuning

* fixed user.id comparison

* Something went wrong with deprecation

* Something went wrong with deprecation

* Update rules/linux/impact_potential_linux_ransomware_file_encryption.toml

* Update rules/linux/discovery_linux_nping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/linux/discovery_linux_hping_activity.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Dedeprecated the rule to deprecate later

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit a1716bd673)
 2023-08-25 12:09:16 +00:00
Jonhnathan a16735676f [Rule Tuning] Windows BBR Rules (#3018) 
* [Rule Tuning] Windows BBR Rules

* Update discovery_generic_process_discovery.toml

(cherry picked from commit 17f6537e44)
 2023-08-25 08:26:51 +00:00
Jonhnathan 38aca58b17 [Rule Tuning] Compression DLL Loaded by Unusual Process (#3017) 
(cherry picked from commit 460919a9d7)
 2023-08-25 08:14:13 +00:00
Jonhnathan 37ff018674 [New Rule] Potential Masquerading as Windows System32 Executable (#3022) 
* [New Rule] Potential Masquerading as Windows System32 Executable

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_masquerading_windows_system32_exe.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit f8df53626e)
 2023-08-21 18:20:06 +00:00
Jonhnathan 7c4ca0a4a3 [New Rule] Building Block Rules - Part 2 (#2923) 
* [New Rule] Building Block Rules - Part 2

* .

* Update rules_building_block/defense_evasion_dll_hijack.toml

* Update rules_building_block/defense_evasion_file_permission_modification.toml

* Update rules_building_block/discovery_posh_password_policy.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 9144dc0448)
 2023-08-17 16:06:41 +00:00
Jonhnathan 96e50be5a6 [Rule Tuning] Potential Masquerading as Communication Apps (#2997) 
* [Rule Tuning] Potential Masquerading as Communication Apps

* Update defense_evasion_masquerading_communication_apps.toml

* Update persistence_run_key_and_startup_broad.toml

* CI

* Revert "CI"

This reverts commit f43d9388dadb158d6cb63e84d2f1edcf2162bfb0.
 2023-08-16 09:34:21 -03:00
Jonhnathan 2393190edf [New Rule] PowerShell Script with Webcam Video Capture Capabilities (#2935) 
* [New Rule] PowerShell Script with Webcam Video Capture Capabilities

* Update collection_posh_webcam_video_capture.toml

* Update rules_building_block/collection_posh_webcam_video_capture.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
 2023-08-09 15:17:15 -03:00
Ruben Groenewoud ef1fa94c52 [New BBR] Suspicious Clipboard Activity (#2970) 
* [New BBR] Suspicious Clipboard Activity

* Added new line to end of file

* Update rules_building_block/collection_linux_suspicious_clipboard_activity.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/collection_linux_suspicious_clipboard_activity.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
 2023-08-03 15:41:23 +02:00
Jonhnathan d1db3a0048 [New Rule] Building Block Rules - Part 4 (#2926) 
* [New Rule] Building Block Rules - Part 4

* Update discovery_win_network_connections.toml

* Update privilege_escalation_unquoted_service_path.toml

* Update rules_building_block/discovery_win_network_connections.toml

* Update rules_building_block/privilege_escalation_unquoted_service_path.toml

* Rename lateral_movement_net_share_discovery_winlog.toml to discovery_net_share_discovery_winlog.toml

* Update discovery_net_share_discovery_winlog.toml
 2023-07-31 11:03:57 -03:00
Jonhnathan 6966a6df09 [New Rule] Building Block Rules - Part 3 (#2924) 
* [New Rule] Building Block Rules - Part 3

* Update defense_evasion_generic_deletion.toml

* Update defense_evasion_generic_deletion.toml

* Update defense_evasion_generic_deletion.toml

* Apply suggestions from code review

* Update rules_building_block/discovery_generic_account_groups.toml

* Apply suggestions from code review

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-07-31 10:28:25 -03:00
Mika Ayenson 3813a08f59 [FR] Add support for BBR rules to the rule loader (#2968) 
---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2023-07-27 11:27:04 -05:00
Ruben Groenewoud 9cc4b0e348 [New BBR] Potential Suspicious File Edit (#2960) 
* [New BBR] Potential Suspicious File Edit

* Added a few more interesting files

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
 2023-07-26 15:22:56 +02:00
shashank-elastic 93845626b7 Potential Cross Site Scripting ( XSS ) (#2922) 2023-07-20 19:12:00 +05:30
shashank-elastic 8b808b9b83 New Cross Platform BBR Rules (#2920) 2023-07-19 21:27:23 +05:30
shashank-elastic f920bc6151 New Linux BBR Rules (#2917) 2023-07-19 20:12:59 +05:30
Jonhnathan 7949b8a03e [New Rule] Building Block Rules - Part 1 (#2912) 
* [New Rule] Building Block Rules - Part 1

* Update defense_evasion_powershell_clear_logs_script.toml

* Update discovery_posh_generic.toml

* .

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-18 20:01:43 -03:00
Jonhnathan ff2c951136 [New Rule] Potential Masquerading as Communication Apps (#2780) 
* [New Rule] Potential Masquerading as Communication Apps

* ocd

* Update defense_evasion_masquerading_communication_apps.toml

* Update defense_evasion_masquerading_communication_apps.toml

* Update rules/windows/defense_evasion_masquerading_communication_apps.toml

* Update rules/windows/defense_evasion_masquerading_communication_apps.toml

* Apply suggestions from code review

* Merge branch 'main' into comms_masquerade

* Move to BBR folder

* Revert "Merge branch 'main' into comms_masquerade"

This reverts commit 726c63c0cab782a83d9f505e54e55d4edd1f5589.
 2023-06-30 11:46:54 -03:00
Jonhnathan 5da2771c12 [New Rule] [BBR] Expired or Revoked Driver Loaded (#2880) 
* [New Rule] Expired or Revoked Driver Loaded

* Update privilege_escalation_expired_driver_loaded.toml

* Update rules_building_block/privilege_escalation_expired_driver_loaded.toml

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>

---------

Co-authored-by: eric-forte-elastic <119343520+eric-forte-elastic@users.noreply.github.com>
 2023-06-27 09:18:35 -03:00
eric-forte-elastic 6449cecd08 [FR] Add support for building block rules (BBR) (#2822) 
* added test bbr

* initial implementation

* Added Unit test and exempted bbr from integrations

* fixed linting

* Add schema validation to building block rules

* add separate error messages

* fixed linting

* Add testing bbr validation

* fixed linting

* Add default values

* fixed linting

* added defaults

* fixed linting

* cleaned up test rule

* removed .gitkeep

* read .gitkeep

* Switch to using validates_schema

* addressing some linting

* fixed linting

* Update detection_rules/schemas/definitions.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* add env variable check

* fix skip function

* updated name

* Update detection_rules/schemas/definitions.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Add bbr validation unit test

* Clean up comments

* fix linting

* Move convert time to utils

* Moved to rules_building_block

* Add check for only bbr in bbr dir

* fix linting

* additional linting fix

* Changed to bbr rule loader

* fixed bbr default

* Updated error messages and README

* fixed more linting

* Updating root level README

* Fixed convert_time_span calls

* fixed typo in unit test logic and updated txt

* fixed error message

* updated comment for clarity

* Update detection_rules/rule.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update detection_rules/rule.py

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Updated validation methods for clarity

* fix doctring location

* Fixed typo

* updated error messages.

* removed excess whitespace

* Add per rule bypass

* Add single rule bypass

* Split unit tests

* Update detection_rules/rule.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update detection_rules/rule.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-20 09:00:30 -04:00