sigma-rules

Author	SHA1	Message	Date
brokensound77	ec4c9e77a2	Update revoked technique	2021-01-28 11:03:17 -09:00
brokensound77	bf32dec5a4	Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main # Conflicts: # rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml	2021-01-28 10:41:39 -09:00
Samirbous	1d77932434	[New Rule] Suspicious MacOS MS Office Child Process (#779 ) * [New Rule] Suspicious MacOS MS Office Child Process * extra bin and ref * Update execution_suspicious_mac_ms_office_child_process.toml * Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-28 19:55:31 +01:00
Samirbous	c18c5a493a	[New Rule] Dumping of Keychain Content via Security Command (#785 ) * [New Rule] Dumping of Keychain Content via Security Command * converted to eql * added sub-technique * 2021 * Update rules/macos/credential_access_dumping_keychain_security.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-28 19:50:41 +01:00
Samirbous	3fc4aaec0f	[New Rule] Modification of OpenSSH Binaries (#747 ) * [New Rule] Modification of SSH Binaries * Update persistence_credential_access_modify_ssh_binaries.toml * exclude unrelated auditbeat FP events * updated TIDs and Tactics * fix order of TIDs and Tactics * relinted * added libkeyutils.so used by Ebury Backdoor loaded by all OpenSSH processes * renamed * conv to kql and added one FP * Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-28 19:46:30 +01:00
Brent Murphy	d0ceb8cc4e	[New Rule] SIP Provider Modification (#891 ) * Create defense_evasion_sip_provider_mod.toml * add reference	2021-01-28 09:18:19 -05:00
Samirbous	485c6214fa	[New Rule] Environment Variable Modification using Launchctl (#865 ) * [New Rule] Environment Variable Modification using Launchctl * excluding some FPs * Update defense_evasion_modify_environment_launchctl.toml * Update defense_evasion_modify_environment_launchctl.toml * Update rules/macos/defense_evasion_modify_environment_launchctl.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_modify_environment_launchctl.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_modify_environment_launchctl.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/defense_evasion_modify_environment_launchctl.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>	2021-01-26 21:41:30 +01:00
Samirbous	6029783721	[New Rule] Security Software Discovery using Grep (#743 ) * [New Rule] Security Software Discovery using Grep * fixed index * Update discovery_security_software_grep.toml * Update discovery_security_software_grep.toml * conv to kql and added few AVs * added more AV procs * Update rules/macos/discovery_security_software_grep.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * moved to cross-platform * Update discovery_security_software_grep.toml * Update rules/cross-platform/discovery_security_software_grep.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/discovery_security_software_grep.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-26 19:57:26 +01:00
Samirbous	b4cb953aa4	[New Rule] Script Execution via Automator Workflows (#763 ) * [New Rule] Script Execution via Automator Workflows * Update execution_script_via_automator_workflows.toml * Update rules/macos/execution_script_via_automator_workflows.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/macos/execution_script_via_automator_workflows.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-01-26 09:07:39 +01:00
Samirbous	5d9c031c8b	[New Rule] TCC Bypass via Mounted APFS Snapshot Access (#775 ) * [New Rule] TCC Bypass via Mounted APFS Snapshot Access * Update defense_evasion_tcc_bypass_mounted_apfs_access.toml * conv to kql * Update rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-01-26 08:50:28 +01:00
Samirbous	ebf365693e	[Rule Tuning] Deletion of Bash Command Line History (#752 ) * [Rule Tuning] Deletion of Bash Command Line History * Update defense_evasion_deletion_of_bash_command_line_history.toml * Update rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>	2021-01-26 08:48:06 +01:00
Samirbous	440a7fbdee	[New Rule] SSH Authorized Keys File Modification (#754 ) * [New Rule] SSH Authorized Keys File Modification * excluded some noisy procs * Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update persistence_ssh_authorized_keys_modification.toml * Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-26 08:45:38 +01:00
Samirbous	dc53fc1f04	[New Rule] Persistence via Docker Shortcut Modification (#733 ) * [New Rule] Persistence via Docker Shortcut Modification * ref url decoded * added exclusions * Update rules/macos/persistence_docker_shortcuts_plist_modification.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/macos/persistence_docker_shortcuts_plist_modification.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * exclude some noisy procs and conv to kql Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-01-26 08:38:38 +01:00
Samirbous	6883ea0aa6	[New Rule] Potential Persistence via Login Hook (#900 ) * [New Rule] Potential Persistence via Login Hook * Update persistence_loginwindow_plist_modification.toml * Update rules/macos/persistence_loginwindow_plist_modification.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_loginwindow_plist_modification.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_loginwindow_plist_modification.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_loginwindow_plist_modification.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update persistence_loginwindow_plist_modification.toml * Update rules/macos/persistence_loginwindow_plist_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-26 08:35:16 +01:00
Samirbous	dd2f655367	[New Rule] Potential Cookies Theft via Browser Debugging (#741 ) * [New Rule] Potential Cookies Theft via Browser Debugging * Update rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * added auditbeat * fixed error * excluded a common FP * added MSEdge Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-01-26 08:21:45 +01:00
Samirbous	1ae769a563	[New Rule] Creation of a Hidden Local User Account (#738 ) * [New Rule] Hidden User Local Account Creation * renamed rule Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-01-26 08:15:50 +01:00
Brent Murphy	7fdb6b2e80	Create persistence_time_provider_mod.toml (#890 )	2021-01-25 14:42:56 -05:00
Brent Murphy	ecbb57814a	Create credential_access_saved_creds_vaultcmd.toml (#884 )	2021-01-25 14:25:35 -05:00
Brent Murphy	4639df022b	[New Rule] Modification of WDigest Security Provider (#883 ) * Create credential_access_mod_wdigest_security_provider.toml * syntax tweaks	2021-01-25 13:54:36 -05:00
Brent Murphy	8c123785f0	[New Rule] Enumeration Command Spawned via WMIPrvSE (#882 ) * Create execution_enumeration_via_wmiprvse.toml * alignment	2021-01-25 13:46:26 -05:00
Brent Murphy	01c3c718f5	[New Rule] Executable File Creation with Multiple Extensions (#881 ) * Create defense_evasion_file_creation_mult_extension.toml * spacing * Update rules/windows/defense_evasion_file_creation_mult_extension.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> * update query * alignment Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>	2021-01-25 13:40:25 -05:00
Brent Murphy	aa409111b8	[New Rule] Azure Active Directory High Risk Sign-in (#790 ) * [New Rule] Azure Active Directory High Risk Sign-in * Update initial_access_azure_active_directory_high_risk_signin.toml	2021-01-25 13:27:06 -05:00
Anabella Cristaldi	fb92c69797	[New Rule] Clearing Windows Security Logs (#529 ) * [New Rule] Clearing Windows Security Logs * Fix Date Format Error * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Add Elastic tag Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * update maturity * Add Elastic to list of authors Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * bump updated_date Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-11 17:17:20 -07:00
Ross Wolf	a0ae05c78e	Fix spelling of Continuous Monitoring (#795 ) * Fix spelling of Continuous Monitoring * Update the updated_at date * Happy new year	2021-01-04 15:05:34 -07:00
Justin Ibarra	c1a0438f45	[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706 ) * replaced/removed all revoked/deprecated techniques * tests will fail on revoked (changed) techniques * tests will fail on deprecated techniques * tests will fail when techniques are mapped to an invalid tactic	2020-12-18 12:46:16 -09:00
Brent Murphy	627610401c	[Rule Tuning] Update rules for new Fleet integrations (#729 ) * update azure indicies * remove . in index to match prior cloud rules * update o365 indicies * add event.dataset:google_workspace.admin to existing google workspace rules * gcp syntax * add gcp index * update gcp index * update index patterns for google workspace rules * update gcp index2 * update updated_date * update event outcome for azure Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-12-18 12:23:12 -05:00
Andrew Pease	889828d473	[New Rule] SUNBURST Command and Control Activity Detected (#723 ) * bump package version to 7.12 * Auth to Kibana connector using an existing cookie (#711) * initial commit * simplified by any method not to solarwinds.com * Updates from review * updated desc and note * query readability * update to optimize query to pass unit tests * optimized * optimized * Update command_and_control_sunburst_c2_activity_detected.toml * Restore package version * updated rule after rebase * re-lint Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <bmurphy@endgame.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-15 14:41:54 -06:00
Samirbous	79a5ca9b78	[New Rule] APT Solarwinds Backdoor Behavior - 5 rules (#722 ) * bump package version to 7.12 * Auth to Kibana connector using an existing cookie (#711) * [New Rule] APT Solarwinds Bakcdoor Behavior - 3 rules * ruleID * fixed process names to include both 32 and 64bits * fixed process names to include both 32 and 64 bits * deleted unnecessary condition * adjusted rule to cover cmd and ps * renamed rule and fixed tactic * added rule to SW package - Exporting MailBox with Powershell * Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * added details to FP tag as sug by JLB * added rule New ActiveSync Allowed Device Added via PowerShell to SW pkg * Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * relinted * adjusted desc and FPs * adjusted alert name as sug by DevK * Update collection_email_powershell_exchange_mailbox.toml * Update collection_persistence_powershell_exch_mailbox_activesync_add_device.toml * Update rules/windows/collection_email_powershell_exchange_mailbox.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/collection_email_powershell_exchange_mailbox.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * updated registry to include symlink * Update rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * added T1195 as sug by JLB * added T1195 as sug by JLB * added T1195 as sug by JLB * added pwsh as sug by Dan * added pwsh as sug by Dan * [New Rule] Outbound Scheduled Tasks Activity via PowerShell (#725) * [New Rule] Outbound Scheduled Tasks Activity via PowerShell * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> * fixed - added pwsh to seq_netblock * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/windows/collection_email_powershell_exchange_mailbox.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Restore packages file Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>	2020-12-15 21:33:00 +01:00
Samirbous	3042cbb5d6	[New Rule] Outbound Scheduled Tasks Activity via PowerShell (#725 ) * [New Rule] Outbound Scheduled Tasks Activity via PowerShell * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> * fixed - added pwsh to seq_netblock * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-15 13:20:28 -07:00
Brent Murphy	c5cae5c437	[New Rule] Azure Active Directory PowerShell Sign-in (#718 ) * Create initial_access_azure_active_directory_powershell_signon.toml * Apply suggestions from code review Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update initial_access_azure_active_directory_powershell_signin.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-15 11:52:43 -05:00
Brent Murphy	6b31b96bf8	[New Rule] Azure Service Principal Addition (#717 ) * Create defense_evasion_azure_service_principal_addition.toml * Update defense_evasion_azure_service_principal_addition.toml * Update rules/azure/defense_evasion_azure_service_principal_addition.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/azure/defense_evasion_azure_service_principal_addition.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * lint Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-12-15 11:47:23 -05:00
Brent Murphy	84ab3db48c	[New Rule] Azure Application Credential Modification (#716 ) * Create defense_evasion_azure_application_credential_modification.toml * Update rules/azure/defense_evasion_azure_application_credential_modification.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-15 11:41:26 -05:00
Justin Ibarra	a6463b435c	[Rule Tuning] Replace line comments with block comments (#710 )	2020-12-12 17:11:17 -09:00
Andrew Pease	a5cd35f498	AdFind Command Activity (#395 ) * initial commit * added sub-techniques * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml * Update rules/windows/discovery_adfind_command_activity.toml * update threat mapping with sub-techniques * update technique url * remove ecs_version * convert rule to eql * added sub-techniques * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-09 15:01:28 -06:00
Andrew Pease	66506139d9	[New Rule] Detects Mimikatz via Invoke-Mimikatz (#700 ) * initial commit * lint * note updates * convert to eql and moved to dev * convert to eql and moved to dev	2020-12-09 14:51:45 -06:00
Andrew Pease	17cf79d076	[New Rule] Default Cobalt Strike Team Server Certificate (#358 ) * initial commit * Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * updated to include sub-techniques Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-09 14:49:31 -06:00
Samirbous	d5eaf5db53	[New Rule] High Number of Process and/or Services Termination (#672 ) * [New Rule] High Number of Process and/or Services Termination * removed url and fixed ruleid * fixed tags * Update rules/windows/defense_evasion_stop_process_service_threshold.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_stop_process_service_threshold.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/windows/defense_evasion_stop_process_service_threshold.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_stop_process_service_threshold.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-09 09:00:19 +01:00
Samirbous	14fe63bb1e	[Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process (#676 ) * [Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process * replaced path with name for faster comparaison * added few more cases and refurl also organized items per anomaly category * added extra refurl plus few excep * Update execution_suspicious_ms_office_child_process.toml * added parenthesis * excluded an FP	2020-12-09 08:55:58 +01:00
Justin Ibarra	e272800a5d	Add ATT&CK sub-technique support to CLI (#614 ) * Add Mitre sub-technique support to CLI * Add subtechnique enum to schema * Add test to prevent duplicative tactics in mapping	2020-12-08 21:56:55 -09:00
David French	b8d2f6fc96	[Rule Tuning] Possible Consent Grant Attack via Azure-Registered Application (#575 ) * Update initial_access_consent_grant_attack_via_azure_registered_application.toml * bump updated_date Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-08 17:20:30 -07:00
Justin Ibarra	24828ea9cb	[New Rule] Conversions of some APT-29 Endgame rules (#702 ) Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-08 14:13:34 -09:00
Brent Murphy	598e807a5c	[New Rule] Microsoft 365 Teams Custom Application Interaction Allowed (#657 ) * [New Rule] O365 Teams Custom Application Interaction Allowed * rebrand to m365, still needed non ecs schema * Update non-ecs-schema.json	2020-12-08 17:36:47 -05:00
Brent Murphy	73e2690ec0	[New Rule] Potential Password Spraying of Microsoft 365 User Accounts (#665 ) * [New Rule] Potential Password Spraying of O365 User Accounts * Update credential_access_o365_potential_password_spraying_attack.toml * rebrand to m365 Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-08 17:19:39 -05:00
Brent Murphy	d74b41c1a0	[New Rule] Microsoft 365 Teams External Access Enabled (#661 ) * [New Rule] O365 Teams External Access Enabled * rebrand to m365, still needed non ecs schema * update description * remove non ecs change	2020-12-08 16:48:15 -05:00
Brent Murphy	6bfe5d3dd8	[New Rule] Microsoft 365 Teams Guest Access Enabled (#601 ) * [New Rule] O365 Teams Guest Access Enabled * rebrand to m365, still needed non ecs schema * remove non ecs schma change	2020-12-08 16:44:15 -05:00
Brent Murphy	6a296c64c5	[New Rule] Microsoft 365 Exchange DKIM Signing Configuration Disabled (#578 ) * [New Rule] O365 Exchange DKIM Signing Configuration Disabled * rebrand to m365 * still req non ecs schema * Remove the ECS override * Update _flatten_schema logic * Allow fields with * in the path * Allow explicit fields to overwrite implicit * fields Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>	2020-12-08 16:38:00 -05:00
Samirbous	94e8fa80bb	[Rule Tuning] Suspicious Endpoint Security Parent Process (#509 ) * [Rule Tuning] added FPs and converted to EQL for more flexibilty * Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> * adjusted process names in scope to security agents * eql syntax * ecs_version * adjusted format * Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-08 22:34:28 +01:00
Samirbous	538aa80bba	[New Rule] Process Termination Followed by Deletion (#482 ) * [New Rule] Process Termination Followed by Deletion * excluded SoftwareDistrib and WinSxS Folders * added drive letter for better performance * excluded signed PE * eql syntax * ecs_version * Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * added few more extension as suggested by DanStep * dropped winlogbeat due to pe.codesign Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-08 22:26:11 +01:00
Samirbous	97fa6c62cd	[New Rule] Remote File Download via Powershell (#660 ) * [New Rule] Remote File Download via Powershell * new line * eql syntax * ecs_version * added google related FPs * Update rules/windows/command_and_control_remote_file_copy_powershell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/command_and_control_remote_file_copy_powershell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/command_and_control_remote_file_copy_powershell.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/command_and_control_remote_file_copy_powershell.toml Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com> * Update rules/windows/command_and_control_remote_file_copy_powershell.toml Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com> * relint * ecs_version removed * replaced path with name to avoid FPs for users temp folder Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com>	2020-12-08 21:28:28 +01:00
Samirbous	9792d967d7	[Rule Tuning] Convert to EQL 5 existing rules (#414 ) * [Rule Tuning] 5 rules * [Rule Tuning] Converted two IIS CredAccess rules to EQL * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_iis_connectionstrings_dumping.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/evasion_rundll32_no_arguments.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * deleted. rule looks incompatible with endpoint * fixing units testing error * Update credential_access_iis_apppoolsa_pwd_appcmd.toml * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * desc * fixed tags duplicate * ecs_version * ecs_version * ecs_version * ecs_version * ecs_version * ecs_version * Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update defense_evasion_rundll32_no_arguments.toml * adjusted process args count to 1 adjusted process args count to 1 to account for winlogbeat Windows process creation events 4688 with missing cmdline value (avoid FPs). Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-08 21:07:26 +01:00

1 2 3 4 5 ...

340 Commits