122ef41e1a
Update source.ip condition ( #1712 )
...
(cherry picked from commit 4ac824192f
2022-01-27 12:27:06 +00:00
7aa2839a83
[Rule Tuning] Fix event.outcome condition on O365 failed logon related rules ( #1687 )
...
* Tune rule query
* Update credential_access_microsoft_365_potential_password_spraying_attack.toml
* Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
* Revert "Update defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml"
This reverts commit 5a50aeeff6f1bb23bfeccdc6845e04eb7ccaea43.
(cherry picked from commit 0a23d820c9
2022-01-27 12:24:37 +00:00
ce21fe33bb
[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created ( #1683 )
...
* Inbox Rule Tuning
* Add RedirectTo
* Update non-ecs-schema.json
(cherry picked from commit 50c7d5f262
2022-01-27 12:23:00 +00:00
660dc46327
[Rule Tuning] Azure Virtual Network Device Modified or Deleted ( #1679 )
...
* Update impact_virtual_network_device_modified.toml
* Change case
(cherry picked from commit fdeb8cb1de
2022-01-27 12:19:04 +00:00
b8c3ddc305
[New Rule] Potential Privilege Escalation via PKEXEC ( #1727 )
...
* [New Rule] Potential Privilege Escalation via PKEXEC
Identifies attempt to exploit a local privilege escalation in polkit pkexec (CVE-2021-4034) via unsecure environment variable injection. Successful exploitation allows an unprivileged user to escalate to the root user :
* Update privilege_escalation_pkexec_envar_hijack.toml
* removed = sign
(cherry picked from commit b9edc5464e
2022-01-27 09:43:35 +00:00
6a62632105
Revert "[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix ( #1649 )" ( #1731 )
...
This reverts commit 625d1df2bf84d55c829d
2022-01-26 20:43:09 +00:00
07933449e6
MacOS FolderActionScripts Process List Update ( #1723 )
...
* update and expand process list
* fix query
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit b564fa13fb
2022-01-25 20:29:34 +00:00
8ef8442a39
MacOS Launch Daemon Creation Rule - Query Fix ( #1722 )
...
* launch daemon creation syntax fix
* change updated date
(cherry picked from commit cfd4d431dd
2022-01-25 18:50:02 +00:00
30e6cac5d1
[New Rule] Startup/Logon Script added to Group Policy Object ( #1607 )
...
* "Startup/Logon Script added to Group Policy Object" Initial Rule
* Change severity
* nest non-ecs schema and move logs-system to winlogbeat
* format query and remove quotes
* Update rules/windows/privilege_escalation_group_policy_iniscript.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Add rule_ids and false_positives instance
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
(cherry picked from commit 95e3b87faf
2022-01-20 12:13:17 +00:00
216d39601a
[Rule Tuning] Add Investigation Guides, Config/Logging Policy to PowerShell merged rules ( #1610 )
...
* Add Investigation Guide and config to Suspicious Portable Executable Encoded in Powershell Script
* Add Investigation Guide and config to "PowerShell Suspicious Discovery Related Windows API Functions" rule
* Add Investigation Guide and Config to "PowerShell MiniDump Script" rule
* Add logging policy reference
* Add Investigation Guide/Config to "PowerShell Suspicious Script with Audio Capture Capabilities"
* Add Related Rules GUIDs
* Add Investigation Guide/config for "Potential Process Injection via PowerShell"
* Adjust Response and remediation
* Add Investigation Guide/config for "PowerShell Keylogging Script"
* bump updated_date
* Apply suggestions from Samir
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestions
* Revise line from investigation guides
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 49854aaae2
2022-01-20 11:58:49 +00:00
9f3fb94aad
[New Rule] Potential Priivilege Escalation via InstallerFileTakeOver ( #1629 )
...
* Create privilege_escalation_installertakeover.toml
* Update privilege_escalation_installertakeover.toml
* Update privilege_escalation_installertakeover.toml
* Update privilege_escalation_installertakeover.toml
* Update rules/windows/privilege_escalation_installertakeover.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/privilege_escalation_installertakeover.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update description and change OFN from : to ==
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 7fa0c0f719
2022-01-20 11:55:49 +00:00
6608f5b2d1
[Rule Tuning] Interactive Terminal Spawned via Python - Python3 and bypasses fix ( #1649 )
...
* Update execution_python_tty_shell.toml
* Update EQL query to sequence
* Remove auditbeat index
* Update rules/linux/execution_python_tty_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 625d1df2bf
2022-01-20 11:52:20 +00:00
5ce04f8b27
[New Rule] Azure Suppression Rule Created ( #1666 )
...
* Create defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Update defense_evasion_virtual_network_device_modified.toml
* Delete defense_evasion_virtual_network_device_modified.toml
* Moved to correct directory.
* Suppression Rule Created
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update defense_evasion_suppression_rule_created.toml
* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/defense_evasion_suppression_rule_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 96ada9e223
2022-01-20 11:48:22 +00:00
6e0b222524
[New Rule] Group Policy Abuse for Privilege Addition ( #1603 )
...
* "Group Policy Abuse for Privilege Addition" Initial Rule
* Update privilege_escalation_group_policy_privileged_groups.toml
* Add related rules
* fix missing comma
* Update non-ecs-schema.json
* Remove duplicated entries
* update note with code format
* Update rules/windows/privilege_escalation_group_policy_privileged_groups.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit d7116485f3
2022-01-20 11:42:56 +00:00
70743a121c
[Rule Tuning] O365 Excessive Single Sign-On Logon Errors ( #1680 )
...
* Change event.category to authentication
The original had the event.category as "web" the correct value is "authentication"
* Changed updated_date to todays date
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 101b781bef
2022-01-20 11:34:29 +00:00
e9a47c69f4
[New Rule] Scheduled Task Execution at Scale via GPO ( #1605 )
...
* "Scheduled Task Execution at Scale via GPO" Initial Rule
* Update non-ecs-schema.json
(cherry picked from commit 865771886e
2022-01-20 01:08:49 +00:00
d0b144acbc
[New Rule] PowerShell PSReflect Script ( #1558 )
...
(cherry picked from commit 7bbeaf3053
2022-01-20 00:32:55 +00:00
8459789a3a
[Rule Tuning] Connection to Commonly Abused Web Services ( #1708 )
...
Added Discord domains often abused to stage malicious files.
(cherry picked from commit 6a0164cbd3
2022-01-17 17:54:17 +00:00
501489b26c
[New Rule] Microsoft Defender Tampering ( #1575 )
...
* Create defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_microsoft_defender_tampering.toml
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_microsoft_defender_tampering.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit fd824d1fd5
2022-01-13 22:51:57 +00:00
0248772eb1
[New Rule] Mailbox Audit Logging Bypass ( #1702 )
...
* "Mailbox Audit Logging Bypass" Initial Rule
* Add reference
* Update rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit af354dc7e8
2022-01-13 20:35:10 +00:00
9dc4500cd7
[Rule Tuning] Change Rules to use Source.ip instead of source.address ( #1704 )
...
* Replace source.address to source.ip for compatibility
* Change query
* Missing and condition
(cherry picked from commit cbf0798646
2022-01-13 19:42:08 +00:00
6d784aa605
[New Rule] Shadowcopy via Symlink ( #1675 )
...
* Create credential_access_shadowcopy_via_symlink.toml
* Update credential_access_shadowcopy_via_symlink.toml
* Update and rename credential_access_shadowcopy_via_symlink.toml to credential_access_shadowcopy_via_mklink.toml
* Update credential_access_shadowcopy_via_mklink.toml
* Update rules/windows/credential_access_shadowcopy_via_mklink.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/credential_access_shadowcopy_via_mklink.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/credential_access_shadowcopy_via_mklink.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update credential_access_shadowcopy_via_mklink.toml
* Rename credential_access_shadowcopy_via_mklink.toml to credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml
* Update credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
(cherry picked from commit 25327134a6
2022-01-12 10:55:35 +00:00
0386728a6a
[New Rule] PowerShell Suspicious Script with Screenshot Capabilities ( #1581 )
...
* Create collection_posh_screen_grabber.toml
* Update collection_posh_screen_grabber.toml
* Update collection_posh_screen_grabber.toml
* Update collection_posh_screen_grabber.toml
* Update rules/windows/collection_posh_screen_grabber.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update query condition
* lint
* Update execution_python_tty_shell.toml
* Revert "Update execution_python_tty_shell.toml"
This reverts commit d2d72ea5726415caca8786d59446b6dd60dcee54.
* Update collection_posh_screen_grabber.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 899642dd78
2021-12-14 22:32:39 +00:00
1b123098a3
[New Rules] PowerShell Suspicious Payload Encoded and Compressed ( #1580 )
...
* Create defense_evasion_posh_compressed.toml
* Update defense_evasion_posh_compressed.toml
* Add GzipStream, cover common variations withou using wildcard
* Update defense_evasion_posh_compressed.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Add false_positives
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit f2a28e49fb
2021-12-14 22:27:06 +00:00
56dc73f7fa
[Rule Tuning] Bump max_signals on Endgame Promotion Rules ( #1662 )
...
* bump endgame max_signals to 10000
* bump updated_date
(cherry picked from commit 9cc342dab7
2021-12-14 14:54:18 +00:00
c44d51675d
[Rule tuning] fix name for GCP Kubernetes Rolebindings Created or Patched ( #1661 )
...
(cherry picked from commit 9a60d7a26a
2021-12-13 18:02:03 +00:00
0dcd5e82c8
[Rule Tuning] Suspicious JAR Child Process ( #1657 )
...
* [Rule Tuning] Suspicious JAR Child Process
Expand rule coverage by removing the process.args containing a jar file requirement which may help detect also exploitation attempt via command injection vulnerabilities on server apps running JAVA.
* Update rules/cross-platform/execution_suspicious_jar_child_process.toml
(cherry picked from commit 410d4e5929
2021-12-11 01:06:29 +00:00
8d0275fe03
[New Rule] PowerShell Reflection Assembly Load ( #1559 )
...
* Create defense_evasion_posh_assembly_load.toml
* Update defense_evasion_posh_assembly_load.toml
* Update rules/windows/defense_evasion_posh_assembly_load.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Change event.code to event.category
* Update rules/windows/defense_evasion_posh_assembly_load.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit d4e06beee6
2021-12-08 21:01:25 +00:00
3f6c9ac2bd
[Rule Tuning] Powershell Defender Exclusion ( #1644 )
...
* Split process.args condition
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit ee548328d5
2021-12-08 14:53:33 +00:00
1056bc516f
[New Rule] Enumeration of Privileged Local Groups Membership ( #1557 )
...
* [New Rule] Enumeration of Privileged Local Groups Membership
* Update non-ecs-schema.json
* Update discovery_privileged_localgroup_membership.toml
* removed endpoint index (not needed)
* Update rules/windows/discovery_privileged_localgroup_membership.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit b85818f49c
2021-12-08 10:25:38 +00:00
75b8fc94fd
[New Rule] Privilege Escalation via Rogue Named Pipe Impersonation ( #1544 )
...
* [New Rule] Privilege Escalation via Rogue Named Pipe Impersonation
* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update privilege_escalation_via_rogue_named_pipe.toml
* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 434e2d0426
2021-12-08 10:23:08 +00:00
1370ce26fa
[New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot ( #1632 )
...
* [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot
Detects the creation of LSASS clone via event 4688 (Sysmon process creation as well as Elastic endpoint don't capture clone creation due to the way 4688 logs process creation event even before an initial threat starts).
* adding extra ref url
(cherry picked from commit e3b76b7cf7
2021-12-08 10:18:18 +00:00
857ec6ba94
[Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules ( #1620 )
...
* Replaces event.code with event.category
* bump updated_date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 851c566730
2021-12-08 06:34:37 +00:00
8182d73800
Add issue to min_stack_comment ( #1652 )
...
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit b7b5449033
2021-12-08 00:54:32 +00:00
a8919b9070
[Rule Tuning] updates from documentation review for 7.16 ( #1645 )
...
(cherry picked from commit 14c46f50b9
2021-12-08 00:45:10 +00:00
f37235581c
Add min_stack and indexes back ( #1648 )
...
(cherry picked from commit c21337fe4f
2021-12-07 13:02:54 +00:00
396cee32f1
[Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL ( #1651 )
...
* Update command_and_control_download_rar_powershell_from_internet.toml
* bump updated_date
(cherry picked from commit 7b0383ffe2
2021-12-07 12:11:11 +00:00
e37fc97c57
Limit index to logs-endpoint.events ( #1647 )
...
(cherry picked from commit f6a2437cf8
2021-12-06 16:47:17 +00:00
d1fe62d903
[New Rule] Suspicious Process Creation CallTrace ( #1588 )
...
* [New Rule] Suspicious Process Creation CallTrace
* Update non-ecs-schema.json
* added min stack vers
* min_stack_vers not needed
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit d43e3d8e4e
2021-11-30 20:37:41 +00:00
d098c58d27
[Rule Tuning] Support ECS 1.11 field for IM rule ( #1560 )
...
* Support ecs field for IM rule
* update time interval
* Change additional lookback to 5 minutes
* Add old rule
* Add newline
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Remove im legacy rule
* Udpdate name and description
* Remove min_stack_comment
* Keep 2 IM rule
* add min_stack_comments to rule
* Update rules/cross-platform/threat_intel_indicator_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* adds new rules
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ece Özalp <ozale272@newschool.edu >
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co >
(cherry picked from commit c619844b0d
2021-11-30 18:27:52 +00:00
423145dae7
[New Rule] Azure Kubernetes Rolebindings Created ( #1576 )
...
* Create azure_kubernetes_rolebinding_created_or_deleted.toml
* Update
* Update privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml
* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified.toml to privilege_escalation_azure_kubernetes_rolebinding_created.toml
* Update privilege_escalation_azure_kubernetes_rolebinding_created.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 521f0987ae
2021-11-29 12:18:02 +00:00
c49501c4cc
[New Rule] Clearing Windows Console History ( #1623 )
...
* Create defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update defense_evasion_clearing_windows_console_history.toml
* Update rules/windows/defense_evasion_clearing_windows_console_history.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* bump severity
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 13fc69b70a
2021-11-25 16:27:24 +00:00
5572d8669e
[New Rule] Windows Firewall Disabled ( #1565 )
...
* Create defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Update defense_evasion_windows_firewall_profile_disabled.toml
* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Update defense_evasion_windows_firewall_disabled.toml
* Rename defense_evasion_windows_firewall_disabled.toml to defense_evasion_windows_firewall_profile_disabled.toml
* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_powershell_windows_firewall_disabled.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Update defense_evasion_powershell_windows_firewall_disabled.toml
* Update rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update defense_evasion_powershell_windows_firewall_disabled.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit 2ac19440c2
2021-11-24 21:36:02 +00:00
7f59fbb235
[Rule Tuning] Component Object Model Hijacking ( #1491 )
...
* Update persistence_suspicious_com_hijack_registry.toml
Add HKEY_USERS\*Classes\CLSID\*\LocalServer32\ to exclusions.
* Update updated_date
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
(cherry picked from commit dd3e924e4a
2021-11-24 11:59:49 +00:00
3e5ed57546
[New Rule] Potential Credential Access via Renamed COM+ Services DLL ( #1569 )
...
* [New Rule] Potential Credential Access via Renamed COM+ Services DLL
* update dates
* adding config note
* relinted
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* update minstack version
* minstack not needed, rule should work on previous versions
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit d1636258e4
2021-11-18 09:30:02 +00:00
97bb3d5bc4
[New Rule] Account Password Reset Remotely ( #1571 )
...
* [New Rule] Account Password Reset Remotely
* Update non-ecs-schema.json
* udpate ruleId
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/windows/persistence_remote_password_reset.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 53a17e6b06
2021-11-18 09:28:05 +00:00
ffcca8239e
[New Rule] Azure Active Directory High Risk User AtRisk or Confirmed ( #1579 )
...
* Create initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 3dd32608a0
2021-11-17 22:40:16 +00:00
3f3328a630
[New Rule] PowerShell Keylogging Script ( #1561 )
...
* Create collection_posh_keylogger.toml
* Apply suggestions from Samir
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Fix missing OR
* Change dup guid
* Apply suggestions from Justin
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 4b6794df32
2021-11-17 22:39:05 +00:00
c6068391a1
[Rule Tuning] Suspicious CertUtil Commands ( #1564 )
...
(cherry picked from commit ab521f7c4f
2021-11-17 20:43:07 +00:00
0e20e08eef
[New Rule] Potential Process Injection via PowerShell ( #1552 )
...
* Create defense_evasion_posh_process_injection.toml
* Update defense_evasion_posh_process_injection.toml
* Update description
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Apply suggestions from Justin
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
(cherry picked from commit 9c54e21820
2021-11-17 10:35:29 +00:00
Jonhnathan