security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
880 Commits 1 Branch 0 Tags
101b781beffbf8ecd87bcffeba471a511fd5c9f2
Commit Graph

652 Commits

Author SHA1 Message Date
Trevor Miller 101b781bef [Rule Tuning] O365 Excessive Single Sign-On Logon Errors (#1680) 
* Change event.category to authentication

The original had the event.category as "web" the correct value is "authentication"

* Changed updated_date to todays date

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2022-01-20 08:32:30 -03:00
Jonhnathan 865771886e [New Rule] Scheduled Task Execution at Scale via GPO (#1605) 
* "Scheduled Task Execution at Scale via GPO" Initial Rule
* Update non-ecs-schema.json
 2022-01-19 16:06:48 -09:00
Jonhnathan 7bbeaf3053 [New Rule] PowerShell PSReflect Script (#1558) 2022-01-19 15:31:08 -09:00
Samirbous 6a0164cbd3 [Rule Tuning] Connection to Commonly Abused Web Services (#1708) 
Added Discord domains often abused to stage malicious files.
 2022-01-17 14:52:26 -03:00
Austin Songer fd824d1fd5 [New Rule] Microsoft Defender Tampering (#1575) 
* Create defense_evasion_microsoft_defender_tampering.toml

* Update defense_evasion_microsoft_defender_tampering.toml

* Update defense_evasion_microsoft_defender_tampering.toml

* Update defense_evasion_microsoft_defender_tampering.toml

* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_microsoft_defender_tampering.toml

* Update defense_evasion_microsoft_defender_tampering.toml

* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_microsoft_defender_tampering.toml

* Update defense_evasion_microsoft_defender_tampering.toml

* Update defense_evasion_microsoft_defender_tampering.toml

* Update defense_evasion_microsoft_defender_tampering.toml

* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_microsoft_defender_tampering.toml

* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2022-01-13 19:50:01 -03:00
Jonhnathan af354dc7e8 [New Rule] Mailbox Audit Logging Bypass (#1702) 
* "Mailbox Audit Logging Bypass" Initial Rule

* Add reference

* Update rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2022-01-13 17:33:08 -03:00
Jonhnathan cbf0798646 [Rule Tuning] Change Rules to use Source.ip instead of source.address (#1704) 
* Replace source.address to source.ip for compatibility

* Change query

* Missing and condition
 2022-01-13 16:40:10 -03:00
Austin Songer 25327134a6 [New Rule] Shadowcopy via Symlink (#1675) 
* Create credential_access_shadowcopy_via_symlink.toml

* Update credential_access_shadowcopy_via_symlink.toml

* Update and rename credential_access_shadowcopy_via_symlink.toml to credential_access_shadowcopy_via_mklink.toml

* Update credential_access_shadowcopy_via_mklink.toml

* Update rules/windows/credential_access_shadowcopy_via_mklink.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_shadowcopy_via_mklink.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_shadowcopy_via_mklink.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update credential_access_shadowcopy_via_mklink.toml

* Rename credential_access_shadowcopy_via_mklink.toml to credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml

* Update credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2022-01-12 07:52:37 -03:00
Jonhnathan 899642dd78 [New Rule] PowerShell Suspicious Script with Screenshot Capabilities (#1581) 
* Create collection_posh_screen_grabber.toml

* Update collection_posh_screen_grabber.toml

* Update collection_posh_screen_grabber.toml

* Update collection_posh_screen_grabber.toml

* Update rules/windows/collection_posh_screen_grabber.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update query condition

* lint

* Update execution_python_tty_shell.toml

* Revert "Update execution_python_tty_shell.toml"

This reverts commit d2d72ea5726415caca8786d59446b6dd60dcee54.

* Update collection_posh_screen_grabber.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-14 19:30:45 -03:00
Jonhnathan f2a28e49fb [New Rules] PowerShell Suspicious Payload Encoded and Compressed (#1580) 
* Create defense_evasion_posh_compressed.toml

* Update defense_evasion_posh_compressed.toml

* Add GzipStream, cover common variations withou using wildcard

* Update defense_evasion_posh_compressed.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Add false_positives

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-14 19:25:11 -03:00
Jonhnathan 9cc342dab7 [Rule Tuning] Bump max_signals on Endgame Promotion Rules (#1662) 
* bump endgame max_signals to 10000

* bump updated_date
 2021-12-14 11:52:12 -03:00
Justin Ibarra 9a60d7a26a [Rule tuning] fix name for GCP Kubernetes Rolebindings Created or Patched (#1661) 2021-12-13 08:59:56 -09:00
Samirbous 410d4e5929 [Rule Tuning] Suspicious JAR Child Process (#1657) 
* [Rule Tuning] Suspicious JAR Child Process
Expand rule coverage by removing the process.args containing a jar file requirement which may help detect also exploitation attempt via command injection vulnerabilities on server apps running JAVA.
* Update rules/cross-platform/execution_suspicious_jar_child_process.toml
 2021-12-10 16:04:35 -09:00
Jonhnathan d4e06beee6 [New Rule] PowerShell Reflection Assembly Load (#1559) 
* Create defense_evasion_posh_assembly_load.toml

* Update defense_evasion_posh_assembly_load.toml

* Update rules/windows/defense_evasion_posh_assembly_load.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Change event.code to event.category

* Update rules/windows/defense_evasion_posh_assembly_load.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-08 17:59:17 -03:00
Jonhnathan ee548328d5 [Rule Tuning] Powershell Defender Exclusion (#1644) 
* Split process.args condition

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-08 11:51:32 -03:00
Samirbous b85818f49c [New Rule] Enumeration of Privileged Local Groups Membership (#1557) 
* [New Rule] Enumeration of Privileged Local Groups Membership

* Update non-ecs-schema.json

* Update discovery_privileged_localgroup_membership.toml

* removed endpoint index (not needed)

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-08 11:23:42 +01:00
Samirbous 434e2d0426 [New Rule] Privilege Escalation via Rogue Named Pipe Impersonation (#1544) 
* [New Rule] Privilege Escalation via Rogue Named Pipe Impersonation

* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update privilege_escalation_via_rogue_named_pipe.toml

* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-08 11:21:04 +01:00
Samirbous e3b76b7cf7 [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot (#1632) 
* [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot

Detects the creation of LSASS clone via event 4688 (Sysmon process creation as well as Elastic endpoint don't capture clone creation due to the way 4688 logs process creation event even before an initial threat starts).

* adding extra ref url
 2021-12-08 11:16:14 +01:00
Jonhnathan 851c566730 [Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules (#1620) 
* Replaces event.code with event.category

* bump updated_date

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-07 21:32:39 -09:00
Jonhnathan b7b5449033 Add issue to min_stack_comment (#1652) 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-07 15:52:38 -09:00
Justin Ibarra 14c46f50b9 [Rule Tuning] updates from documentation review for 7.16 (#1645) 2021-12-07 15:42:58 -09:00
Jonhnathan c21337fe4f Add min_stack and indexes back (#1648) 2021-12-07 10:00:58 -03:00
Jonhnathan 7b0383ffe2 [Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL (#1651) 
* Update command_and_control_download_rar_powershell_from_internet.toml

* bump updated_date
 2021-12-07 09:09:03 -03:00
Jonhnathan f6a2437cf8 Limit index to logs-endpoint.events (#1647) 2021-12-06 13:45:12 -03:00
Samirbous d43e3d8e4e [New Rule] Suspicious Process Creation CallTrace (#1588) 
* [New Rule] Suspicious Process Creation CallTrace

* Update non-ecs-schema.json

* added min stack vers

* min_stack_vers not needed

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-11-30 21:35:43 +01:00
Khristinin Nikita c619844b0d [Rule Tuning] Support ECS 1.11 field for IM rule (#1560) 
* Support ecs field for IM rule

* update time interval

* Change additional lookback to 5 minutes

* Add old rule

* Add newline

* Update rules/cross-platform/threat_intel_module_match.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Remove im legacy rule

* Udpdate name and description

* Remove min_stack_comment

* Keep 2 IM rule

* add min_stack_comments to rule

* Update rules/cross-platform/threat_intel_indicator_match.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* adds new rules

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ece Özalp <ozale272@newschool.edu>
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>
 2021-11-30 12:25:42 -06:00
Austin Songer 521f0987ae [New Rule] Azure Kubernetes Rolebindings Created (#1576) 
* Create azure_kubernetes_rolebinding_created_or_deleted.toml

* Update

* Update privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified.toml to privilege_escalation_azure_kubernetes_rolebinding_created.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_created.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-11-29 09:16:00 -03:00
Austin Songer 13fc69b70a [New Rule] Clearing Windows Console History (#1623) 
* Create defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update rules/windows/defense_evasion_clearing_windows_console_history.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_clearing_windows_console_history.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update rules/windows/defense_evasion_clearing_windows_console_history.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* bump severity

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-11-25 13:25:21 -03:00
Austin Songer 2ac19440c2 [New Rule] Windows Firewall Disabled (#1565) 
* Create defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Rename defense_evasion_windows_firewall_disabled.toml to defense_evasion_windows_firewall_profile_disabled.toml

* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_powershell_windows_firewall_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-11-24 18:34:12 -03:00
LaZyDK dd3e924e4a [Rule Tuning] Component Object Model Hijacking (#1491) 
* Update persistence_suspicious_com_hijack_registry.toml

Add HKEY_USERS\*Classes\CLSID\*\LocalServer32\ to exclusions.

* Update updated_date

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-11-24 08:57:43 -03:00
Samirbous d1636258e4 [New Rule] Potential Credential Access via Renamed COM+ Services DLL (#1569) 
* [New Rule] Potential Credential Access via Renamed COM+ Services DLL

* update dates

* adding config note

* relinted

* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* update minstack version

* minstack not needed, rule should work on previous versions

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-11-18 10:27:42 +01:00
Samirbous 53a17e6b06 [New Rule] Account Password Reset Remotely (#1571) 
* [New Rule] Account Password Reset Remotely

* Update non-ecs-schema.json

* udpate ruleId

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-11-18 10:25:50 +01:00
Austin Songer 3dd32608a0 [New Rule] Azure Active Directory High Risk User AtRisk or Confirmed (#1579) 
* Create initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-11-17 19:38:12 -03:00
Jonhnathan 4b6794df32 [New Rule] PowerShell Keylogging Script (#1561) 
* Create collection_posh_keylogger.toml

* Apply suggestions from Samir

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Fix missing OR

* Change dup guid

* Apply suggestions from Justin

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-11-17 19:36:40 -03:00
Austin Songer ab521f7c4f [Rule Tuning] Suspicious CertUtil Commands (#1564) 2021-11-17 11:41:07 -09:00
Jonhnathan 9c54e21820 [New Rule] Potential Process Injection via PowerShell (#1552) 
* Create defense_evasion_posh_process_injection.toml

* Update defense_evasion_posh_process_injection.toml

* Update description

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions from Justin

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-11-17 07:33:13 -03:00
Samirbous e99478db00 [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot (#1550) 
* [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot

* Update credential_access_suspicious_lsass_access_via_snapshot.toml

* lint

* Update etc/non-ecs-schema.json

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* moved FP txt to Note.

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update etc/non-ecs-schema.json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* fix json

* Update credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-11-17 08:45:38 +01:00
Samirbous c18c08a976 [New Rule] Potential Credential Access via LSASS Memory Dump (#1533) 
* [New Rule] Potential Credential Access via LSASS Memory Dump

* Update credential_access_suspicious_lsass_access_memdump.toml

* fix typo in calltrace and event.code type

* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update credential_access_suspicious_lsass_access_memdump.toml

* added TargetImage to non ecs schema

* Update non-ecs-schema.json

* format

* Update credential_access_suspicious_lsass_access_memdump.toml

* Update credential_access_suspicious_lsass_access_memdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-11-17 08:36:26 +01:00
Jonhnathan 858d1cf12c [New Rule] PowerShell Suspicious Script with Audio Capture Capabilities (#1582) 2021-11-15 21:19:38 -09:00
Samirbous 81a62f5f68 [New Rule] Suspicious Process Access via Direct System Call (#1536) 
* [New Rule] Suspicious Process Access via Direct System Call

* updated query to catch also CallTrace with non ntdll modules

* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update defense_evasion_suspicious_process_access_direct_syscall.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-11-15 10:18:26 +01:00
Jonhnathan 017d9a51b7 [Rule Tuning] Rename extrac.exe to extrac32.exe (#1601) 2021-11-14 17:01:13 -09:00
Adrian Serrano aa219710a1 Fix Windows path causing emoji to be rendered in Kibana (#1585) 
In impact_hosts_file_modified rule, the `note` field contains a Windows
path that causes a confused-face-emoji to be rendered in the
Investigation Guide tab.

Surrounding the path in backticks fixes it.
 2021-11-03 11:01:25 -05:00
Khristinin Nikita f47b0f61cc Change interval and lookback time for IM rule (#1596) 2021-11-01 09:27:38 +01:00
Justin Ibarra ff16832003 [Rule Tuning] Hosts File Modified - add process check for linux (#1593) 
* [Rule Tuning] Hosts File Modified - add process check for linux

* add echo and sed to process names in query
 2021-10-28 22:56:34 -05:00
Justin Ibarra c8cf88cd62 Refresh ECS (1.12.1) and beats (7.15.1) schemas (#1584) 
* Refresh ECS (1.12.1) and beats (7.15.1) schemas

* update ecs to 1.10 for 7.14 stack validation

* add note with reference url
 2021-10-28 11:24:28 -05:00
Justin Ibarra ab17dfcc28 [Bug] Tighten definitions validation patterns (#1396) 
* [Bug] Anchor validation patterns
* Deprecate rule with invalid rule_id and duplicate as new one

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-10-26 10:26:20 -05:00
Austin Songer ef7548f04c [Rule Tuning] Added Powershell_ise.exe to some rules. (#1566) 
* Update collection_email_powershell_exchange_mailbox.toml

* Update command_and_control_remote_file_copy_powershell.toml

* Update defense_evasion_disabling_windows_defender_powershell.toml

* Update execution_scheduled_task_powershell_source.toml

* Update execution_via_compiled_html_file.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update persistence_powershell_exch_mailbox_activesync_add_device.toml

* Update persistence_webshell_detection.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_suspicious_zoom_child_process.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update persistence_local_scheduled_task_scripting.toml

* Update persistence_local_scheduled_task_creation.toml

* Update persistence_system_shells_via_services.toml

* Update collection_email_powershell_exchange_mailbox.toml

* Update command_and_control_remote_file_copy_powershell.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update defense_evasion_disabling_windows_defender_powershell.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_suspicious_zoom_child_process.toml

* Update execution_scheduled_task_powershell_source.toml

* Update execution_via_compiled_html_file.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update persistence_local_scheduled_task_creation.toml

* Update persistence_local_scheduled_task_scripting.toml

* Update persistence_powershell_exch_mailbox_activesync_add_device.toml

* Update persistence_system_shells_via_services.toml

* Update persistence_webshell_detection.toml

* Update rules/windows/persistence_local_scheduled_task_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-26 12:16:31 -03:00
Jonhnathan 239384497f [New Rule] PowerShell MiniDump Script (#1528) 
* PowerShell MiniDump Script Initial Rule

* Update credential_access_posh_minidump.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_posh_minidump.toml

* Update rules/windows/credential_access_posh_minidump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-26 12:09:16 -03:00
Jonhnathan 4524c175c8 Add missing Integration field (#1537) 
* Add missing Integration field

* Bump updated_date

* Add test for integration<->path

* Fix rule folder

* bump updated date in rule

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2021-10-26 12:05:12 -03:00
Austin Songer 89553d84a9 [New Rule] AWS Route Table Created (#1257) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_route_table_created.toml

* Update persistence_route_table_created.toml

* Update rules/persistence_route_table_created.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update persistence_route_table_created.toml

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_table_created.toml

* Update

* Update

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-26 10:25:53 -03:00