06d352d59e
Merge pull request #924 from brokensound77/mergeback/7.11-to-main
...
Mergeback 7.11 to main
2021-01-28 11:46:37 -09:00
ec4c9e77a2
Update revoked technique
2021-01-28 11:03:17 -09:00
bf32dec5a4
Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main
...
# Conflicts:
# rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
2021-01-28 10:41:39 -09:00
288dbd7a84
lock versions file for 7.11
2021-01-28 10:36:46 -09:00
1d77932434
[New Rule] Suspicious MacOS MS Office Child Process ( #779 )
...
* [New Rule] Suspicious MacOS MS Office Child Process
* extra bin and ref
* Update execution_suspicious_mac_ms_office_child_process.toml
* Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-01-28 19:55:31 +01:00
c18c5a493a
[New Rule] Dumping of Keychain Content via Security Command ( #785 )
...
* [New Rule] Dumping of Keychain Content via Security Command
* converted to eql
* added sub-technique
* 2021
* Update rules/macos/credential_access_dumping_keychain_security.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-01-28 19:50:41 +01:00
3fc4aaec0f
[New Rule] Modification of OpenSSH Binaries ( #747 )
...
* [New Rule] Modification of SSH Binaries
* Update persistence_credential_access_modify_ssh_binaries.toml
* exclude unrelated auditbeat FP events
* updated TIDs and Tactics
* fix order of TIDs and Tactics
* relinted
* added libkeyutils.so used by Ebury Backdoor
loaded by all OpenSSH processes
* renamed
* conv to kql and added one FP
* Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-01-28 19:46:30 +01:00
d0ceb8cc4e
[New Rule] SIP Provider Modification ( #891 )
...
* Create defense_evasion_sip_provider_mod.toml
* add reference
2021-01-28 09:18:19 -05:00
485c6214fa
[New Rule] Environment Variable Modification using Launchctl ( #865 )
...
* [New Rule] Environment Variable Modification using Launchctl
* excluding some FPs
* Update defense_evasion_modify_environment_launchctl.toml
* Update defense_evasion_modify_environment_launchctl.toml
* Update rules/macos/defense_evasion_modify_environment_launchctl.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/macos/defense_evasion_modify_environment_launchctl.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/macos/defense_evasion_modify_environment_launchctl.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/macos/defense_evasion_modify_environment_launchctl.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2021-01-26 21:41:30 +01:00
6029783721
[New Rule] Security Software Discovery using Grep ( #743 )
...
* [New Rule] Security Software Discovery using Grep
* fixed index
* Update discovery_security_software_grep.toml
* Update discovery_security_software_grep.toml
* conv to kql and added few AVs
* added more AV procs
* Update rules/macos/discovery_security_software_grep.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* moved to cross-platform
* Update discovery_security_software_grep.toml
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-01-26 19:57:26 +01:00
b4cb953aa4
[New Rule] Script Execution via Automator Workflows ( #763 )
...
* [New Rule] Script Execution via Automator Workflows
* Update execution_script_via_automator_workflows.toml
* Update rules/macos/execution_script_via_automator_workflows.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/macos/execution_script_via_automator_workflows.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-01-26 09:07:39 +01:00
5d9c031c8b
[New Rule] TCC Bypass via Mounted APFS Snapshot Access ( #775 )
...
* [New Rule] TCC Bypass via Mounted APFS Snapshot Access
* Update defense_evasion_tcc_bypass_mounted_apfs_access.toml
* conv to kql
* Update rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-01-26 08:50:28 +01:00
ebf365693e
[Rule Tuning] Deletion of Bash Command Line History ( #752 )
...
* [Rule Tuning] Deletion of Bash Command Line History
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2021-01-26 08:48:06 +01:00
440a7fbdee
[New Rule] SSH Authorized Keys File Modification ( #754 )
...
* [New Rule] SSH Authorized Keys File Modification
* excluded some noisy procs
* Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update persistence_ssh_authorized_keys_modification.toml
* Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-01-26 08:45:38 +01:00
dc53fc1f04
[New Rule] Persistence via Docker Shortcut Modification ( #733 )
...
* [New Rule] Persistence via Docker Shortcut Modification
* ref url decoded
* added exclusions
* Update rules/macos/persistence_docker_shortcuts_plist_modification.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/persistence_docker_shortcuts_plist_modification.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* exclude some noisy procs and conv to kql
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-01-26 08:38:38 +01:00
6883ea0aa6
[New Rule] Potential Persistence via Login Hook ( #900 )
...
* [New Rule] Potential Persistence via Login Hook
* Update persistence_loginwindow_plist_modification.toml
* Update rules/macos/persistence_loginwindow_plist_modification.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/macos/persistence_loginwindow_plist_modification.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/macos/persistence_loginwindow_plist_modification.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/macos/persistence_loginwindow_plist_modification.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update persistence_loginwindow_plist_modification.toml
* Update rules/macos/persistence_loginwindow_plist_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-01-26 08:35:16 +01:00
dd2f655367
[New Rule] Potential Cookies Theft via Browser Debugging ( #741 )
...
* [New Rule] Potential Cookies Theft via Browser Debugging
* Update rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added auditbeat
* fixed error
* excluded a common FP
* added MSEdge
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-01-26 08:21:45 +01:00
1ae769a563
[New Rule] Creation of a Hidden Local User Account ( #738 )
...
* [New Rule] Hidden User Local Account Creation
* renamed rule
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-01-26 08:15:50 +01:00
7fdb6b2e80
Create persistence_time_provider_mod.toml ( #890 )
2021-01-25 14:42:56 -05:00
ecbb57814a
Create credential_access_saved_creds_vaultcmd.toml ( #884 )
2021-01-25 14:25:35 -05:00
4639df022b
[New Rule] Modification of WDigest Security Provider ( #883 )
...
* Create credential_access_mod_wdigest_security_provider.toml
* syntax tweaks
2021-01-25 13:54:36 -05:00
8c123785f0
[New Rule] Enumeration Command Spawned via WMIPrvSE ( #882 )
...
* Create execution_enumeration_via_wmiprvse.toml
* alignment
2021-01-25 13:46:26 -05:00
01c3c718f5
[New Rule] Executable File Creation with Multiple Extensions ( #881 )
...
* Create defense_evasion_file_creation_mult_extension.toml
* spacing
* Update rules/windows/defense_evasion_file_creation_mult_extension.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* update query
* alignment
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-01-25 13:40:25 -05:00
aa409111b8
[New Rule] Azure Active Directory High Risk Sign-in ( #790 )
...
* [New Rule] Azure Active Directory High Risk Sign-in
* Update initial_access_azure_active_directory_high_risk_signin.toml
2021-01-25 13:27:06 -05:00
1708ea3252
Loosen query DSL filter schema validation ( #895 )
2021-01-20 12:21:46 -07:00
fb92c69797
[New Rule] Clearing Windows Security Logs ( #529 )
...
* [New Rule] Clearing Windows Security Logs
* Fix Date Format Error
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Add Elastic tag
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* update maturity
* Add Elastic to list of authors
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* bump updated_date
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-01-11 17:17:20 -07:00
6177458bd8
Add empty technique array to rules ( #828 )
...
* [Rule Tuning] Add empty arrays in place of tactic only threat mappings
* dynamically insert empty technique array in payload
* use replace_id as function parameter
2021-01-11 08:58:18 -09:00
5bbe43144d
Fix default branch name for GitHub Actions
2021-01-05 20:05:37 -07:00
a0ae05c78e
Fix spelling of Continuous Monitoring ( #795 )
...
* Fix spelling of Continuous Monitoring
* Update the updated_at date
* Happy new year
2021-01-04 15:05:34 -07:00
67413cee47
Update ML-DGA docs ( #750 )
2020-12-21 16:25:24 -09:00
992eabd6dc
update incomplete bug fix from 736 for 7.11 -> 7.10 downgrade logic
2020-12-18 22:04:19 -09:00
5561738f28
update incomplete bug fix from 736 for 7.11 -> 7.10 downgrade logic
2020-12-18 22:01:06 -09:00
425e0ddf64
Add flattened subtechniques to rule-search ( #739 )
2020-12-18 14:21:37 -09:00
c1a0438f45
[Rule Tuning] Update ATT&CK threat mappings to reflect changes ( #706 )
...
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00
627610401c
[Rule Tuning] Update rules for new Fleet integrations ( #729 )
...
* update azure indicies
* remove . in index to match prior cloud rules
* update o365 indicies
* add event.dataset:google_workspace.admin to existing google workspace rules
* gcp syntax
* add gcp index
* update gcp index
* update index patterns for google workspace rules
* update gcp index2
* update updated_date
* update event outcome for azure
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-12-18 12:23:12 -05:00
783332642d
Merge branch '7.11' into main
2020-12-18 09:28:30 -07:00
7dcb666d81
Fix 7.11 -> 7.10 ATT&CK downgrade logic for optional techiques ( #736 )
2020-12-18 09:28:05 -07:00
331d321648
Make threat.technique optional ( #727 )
2020-12-17 20:22:59 -09:00
39ab9f14e1
strip trailing slash from kibana_url only if defined
2020-12-16 13:00:20 -09:00
ff76571366
strip trailing slash in kibana_url only when defined
2020-12-16 12:59:30 -09:00
86fe2d6279
Restore PR jobs
2020-12-16 08:12:21 -07:00
97f9f864d1
Remove duplicate PR job ( #728 )
2020-12-15 13:59:14 -07:00
889828d473
[New Rule] SUNBURST Command and Control Activity Detected ( #723 )
...
* bump package version to 7.12
* Auth to Kibana connector using an existing cookie (#711 )
* initial commit
* simplified by any method not to solarwinds.com
* Updates from review
* updated desc and note
* query readability
* update to optimize query to pass unit tests
* optimized
* optimized
* Update command_and_control_sunburst_c2_activity_detected.toml
* Restore package version
* updated rule after rebase
* re-lint
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-15 14:41:54 -06:00
79a5ca9b78
[New Rule] APT Solarwinds Backdoor Behavior - 5 rules ( #722 )
...
* bump package version to 7.12
* Auth to Kibana connector using an existing cookie (#711 )
* [New Rule] APT Solarwinds Bakcdoor Behavior - 3 rules
* ruleID
* fixed process names to include both 32 and 64bits
* fixed process names to include both 32 and 64 bits
* deleted unnecessary condition
* adjusted rule to cover cmd and ps
* renamed rule and fixed tactic
* added rule to SW package - Exporting MailBox with Powershell
* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added details to FP tag as sug by JLB
* added rule New ActiveSync Allowed Device Added via PowerShell to SW pkg
* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* relinted
* adjusted desc and FPs
* adjusted alert name as sug by DevK
* Update collection_email_powershell_exchange_mailbox.toml
* Update collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
* Update rules/windows/collection_email_powershell_exchange_mailbox.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/collection_email_powershell_exchange_mailbox.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* updated registry to include symlink
* Update rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* added T1195 as sug by JLB
* added T1195 as sug by JLB
* added T1195 as sug by JLB
* added pwsh as sug by Dan
* added pwsh as sug by Dan
* [New Rule] Outbound Scheduled Tasks Activity via PowerShell (#725 )
* [New Rule] Outbound Scheduled Tasks Activity via PowerShell
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
* fixed - added pwsh to seq_netblock
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
* Update rules/windows/collection_email_powershell_exchange_mailbox.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Restore packages file
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2020-12-15 21:33:00 +01:00
b6aa6c6548
Auth to Kibana connector using an existing cookie ( #711 )
2020-12-15 13:20:46 -07:00
3042cbb5d6
[New Rule] Outbound Scheduled Tasks Activity via PowerShell ( #725 )
...
* [New Rule] Outbound Scheduled Tasks Activity via PowerShell
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
* fixed - added pwsh to seq_netblock
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-15 13:20:28 -07:00
5244151b2e
[New Rule] Outbound Scheduled Tasks Activity via PowerShell ( #725 )
...
* [New Rule] Outbound Scheduled Tasks Activity via PowerShell
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
* fixed - added pwsh to seq_netblock
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-15 19:10:52 +01:00
c5cae5c437
[New Rule] Azure Active Directory PowerShell Sign-in ( #718 )
...
* Create initial_access_azure_active_directory_powershell_signon.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update initial_access_azure_active_directory_powershell_signin.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-12-15 11:52:43 -05:00
6b31b96bf8
[New Rule] Azure Service Principal Addition ( #717 )
...
* Create defense_evasion_azure_service_principal_addition.toml
* Update defense_evasion_azure_service_principal_addition.toml
* Update rules/azure/defense_evasion_azure_service_principal_addition.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/azure/defense_evasion_azure_service_principal_addition.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* lint
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-12-15 11:47:23 -05:00
84ab3db48c
[New Rule] Azure Application Credential Modification ( #716 )
...
* Create defense_evasion_azure_application_credential_modification.toml
* Update rules/azure/defense_evasion_azure_application_credential_modification.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-12-15 11:41:26 -05:00
Justin Ibarra