sigma-rules

Author	SHA1	Message	Date
Austin Songer	17032194d8	[Rule Tuning] Suspicious WerFault Child Process (#915 ) * Update defense_evasion_masquerading_suspicious_werfault_childproc.toml Added Article "How to Design Abnormal Child Processes Rules without Telemetry" * bump updated_date Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-10 14:17:57 -05:00
Samirbous	2b7b1a6ab0	[Rule Tuning] Persistence via Update Orchestrator Service Hijack (#939 ) * [Rule Tuning] Persistence via Update Orchestrator Service Hijack * updated date and added execpath * Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-10 20:11:45 +01:00
Nic	cbe1b66b87	[Rule Tuning] Exclude Windows Error Reporting & Printer Driver (#929 )	2021-02-10 08:53:04 -09:00
Brent Murphy	9421ccfad7	[New Rule] Unusual File Creation - Alternate Data Stream (#902 ) * Create defense_evasion_unusual_ads_file_creation.toml * lint * spacing * add logs-windows.* * Apply suggestions from code review Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * lint Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-10 09:28:25 -05:00
Brent Murphy	f08312ec7f	[New Rule] Disabling User Account Control via Registry (#892 ) * Create privilege_escalation_disable_uac_registry.toml * Apply suggestions from code review Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * lint * spacing * add logs-windows.* * minor syntax change and final lint Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-02-10 09:11:45 -05:00
Brent Murphy	c5d6cbc2e4	[New Rule] Potential LSA Authentication Package Abuse (#903 ) * Create privilege_escalation_lsa_auth_package.toml * bump risk and sev * spacing * add logs-windows.* * Update rules/windows/privilege_escalation_lsa_auth_package.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update privilege_escalation_lsa_auth_package.toml * Update rules/windows/privilege_escalation_lsa_auth_package.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * final lint Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-10 09:00:58 -05:00
Andrew Pease	7c336a0a91	[New Rule] DefenderControl Activity (#769 ) * initial commit * updated to eql and registry vs. file * fix updated_date format Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_defendercontrol_activity.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * changed name and added registry value 3 or 4 * remove duplicate * fixed date format and lint * updated indices * removed fp and updated description Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-09 10:12:54 -06:00
Samirbous	4d68377d1b	[New Rule] Suspicious DLL Loaded for Persistence or Privilege Escalation (#819 ) * [New Rule] Suspicious DLL Loaded for Persistence or Privilege Escalation * replaced file.name with dll.name * Update rules/windows/privilege_escalation_persistence_phantom_dll.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update privilege_escalation_persistence_phantom_dll.toml * Update rules/windows/privilege_escalation_persistence_phantom_dll.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/windows/privilege_escalation_persistence_phantom_dll.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/privilege_escalation_persistence_phantom_dll.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-08 23:04:02 +01:00
Brent Murphy	64366218c7	adjust risk score (#938 )	2021-02-08 13:15:42 -05:00
Brent Murphy	02ee8195ab	[New Rule] Creation or Modification of Root Certificate (#927 ) * Create defense_evasion_create_mod_root_certificate.toml * update description * Update defense_evasion_create_mod_root_certificate.toml * spacing * Update rules/windows/defense_evasion_create_mod_root_certificate.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * removing process names that could lead to fn Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-08 10:01:59 -05:00
Brent Murphy	236c630c90	[Rule Tuning] Update rules using case sensitive wildcard function (#904 ) * update rules using case sensitive wildcard function * add appropriate spacing * Apply suggestions from code review Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * update == * Apply suggestions from code review * remove info update index * Update defense_evasion_deletion_of_bash_command_line_history.toml * Update persistence_evasion_hidden_local_account_creation.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-04 10:23:32 -05:00
Brent Murphy	ffe8e5bfc5	[Rule Tuning] Update file.name to dll.name for Library events (#893 ) * [Rule Tuning] Update file.name to dll.name for Library events * replace == with : * updated_date * removed spacing inconsistencies * jibs likes spaces * NOT again jibs	2021-02-03 11:09:29 -05:00
Brent Murphy	fdf9384e4d	[Rule Tuning] Execution from Unusual Directory - Command Line (#837 ) * Update execution_from_unusual_path_cmdline.toml * lint * Update execution_from_unusual_path_cmdline.toml	2021-02-03 10:54:19 -05:00
Brent Murphy	fd05341e70	[New Rule] Potential Port Monitor or Print Processor Registration Abuse (#901 ) * Create privilege_escalation_port_monitor_registration.toml * add non SYSTEM user * convert SYSTEM to SID - use SID to eliminate locale specific system names * update name * update to include print processor path * add reference * spacing * add logs-windows.* * update spacing	2021-02-01 16:24:49 -05:00
Justin Ibarra	a0e86e20d6	[Rule Tuning] Add windows integration index to rules (#923 )	2021-01-28 20:53:57 -09:00
Brent Murphy	70ca87138f	[New Rule] Execution of COM object via Xwizard (#896 ) * Create execution_com_object_xwizard.toml * spacing and query update * add logs-windows.*	2021-01-28 16:58:19 -05:00
brokensound77	bf32dec5a4	Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main # Conflicts: # rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml	2021-01-28 10:41:39 -09:00
Brent Murphy	d0ceb8cc4e	[New Rule] SIP Provider Modification (#891 ) * Create defense_evasion_sip_provider_mod.toml * add reference	2021-01-28 09:18:19 -05:00
Samirbous	1ae769a563	[New Rule] Creation of a Hidden Local User Account (#738 ) * [New Rule] Hidden User Local Account Creation * renamed rule Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-01-26 08:15:50 +01:00
Brent Murphy	7fdb6b2e80	Create persistence_time_provider_mod.toml (#890 )	2021-01-25 14:42:56 -05:00
Brent Murphy	ecbb57814a	Create credential_access_saved_creds_vaultcmd.toml (#884 )	2021-01-25 14:25:35 -05:00
Brent Murphy	4639df022b	[New Rule] Modification of WDigest Security Provider (#883 ) * Create credential_access_mod_wdigest_security_provider.toml * syntax tweaks	2021-01-25 13:54:36 -05:00
Brent Murphy	8c123785f0	[New Rule] Enumeration Command Spawned via WMIPrvSE (#882 ) * Create execution_enumeration_via_wmiprvse.toml * alignment	2021-01-25 13:46:26 -05:00
Brent Murphy	01c3c718f5	[New Rule] Executable File Creation with Multiple Extensions (#881 ) * Create defense_evasion_file_creation_mult_extension.toml * spacing * Update rules/windows/defense_evasion_file_creation_mult_extension.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> * update query * alignment Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>	2021-01-25 13:40:25 -05:00
Anabella Cristaldi	fb92c69797	[New Rule] Clearing Windows Security Logs (#529 ) * [New Rule] Clearing Windows Security Logs * Fix Date Format Error * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Add Elastic tag Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * update maturity * Add Elastic to list of authors Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * bump updated_date Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-11 17:17:20 -07:00
Justin Ibarra	c1a0438f45	[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706 ) * replaced/removed all revoked/deprecated techniques * tests will fail on revoked (changed) techniques * tests will fail on deprecated techniques * tests will fail when techniques are mapped to an invalid tactic	2020-12-18 12:46:16 -09:00
Andrew Pease	889828d473	[New Rule] SUNBURST Command and Control Activity Detected (#723 ) * bump package version to 7.12 * Auth to Kibana connector using an existing cookie (#711) * initial commit * simplified by any method not to solarwinds.com * Updates from review * updated desc and note * query readability * update to optimize query to pass unit tests * optimized * optimized * Update command_and_control_sunburst_c2_activity_detected.toml * Restore package version * updated rule after rebase * re-lint Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <bmurphy@endgame.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-15 14:41:54 -06:00
Samirbous	79a5ca9b78	[New Rule] APT Solarwinds Backdoor Behavior - 5 rules (#722 ) * bump package version to 7.12 * Auth to Kibana connector using an existing cookie (#711) * [New Rule] APT Solarwinds Bakcdoor Behavior - 3 rules * ruleID * fixed process names to include both 32 and 64bits * fixed process names to include both 32 and 64 bits * deleted unnecessary condition * adjusted rule to cover cmd and ps * renamed rule and fixed tactic * added rule to SW package - Exporting MailBox with Powershell * Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * added details to FP tag as sug by JLB * added rule New ActiveSync Allowed Device Added via PowerShell to SW pkg * Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * relinted * adjusted desc and FPs * adjusted alert name as sug by DevK * Update collection_email_powershell_exchange_mailbox.toml * Update collection_persistence_powershell_exch_mailbox_activesync_add_device.toml * Update rules/windows/collection_email_powershell_exchange_mailbox.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/collection_email_powershell_exchange_mailbox.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * updated registry to include symlink * Update rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * added T1195 as sug by JLB * added T1195 as sug by JLB * added T1195 as sug by JLB * added pwsh as sug by Dan * added pwsh as sug by Dan * [New Rule] Outbound Scheduled Tasks Activity via PowerShell (#725) * [New Rule] Outbound Scheduled Tasks Activity via PowerShell * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> * fixed - added pwsh to seq_netblock * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/windows/collection_email_powershell_exchange_mailbox.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Restore packages file Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>	2020-12-15 21:33:00 +01:00
Samirbous	3042cbb5d6	[New Rule] Outbound Scheduled Tasks Activity via PowerShell (#725 ) * [New Rule] Outbound Scheduled Tasks Activity via PowerShell * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> * fixed - added pwsh to seq_netblock * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-15 13:20:28 -07:00
Justin Ibarra	a6463b435c	[Rule Tuning] Replace line comments with block comments (#710 )	2020-12-12 17:11:17 -09:00
Andrew Pease	a5cd35f498	AdFind Command Activity (#395 ) * initial commit * added sub-techniques * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/discovery_adfind_command_activity.toml * Update rules/windows/discovery_adfind_command_activity.toml * update threat mapping with sub-techniques * update technique url * remove ecs_version * convert rule to eql * added sub-techniques * Update rules/windows/discovery_adfind_command_activity.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-09 15:01:28 -06:00
Andrew Pease	66506139d9	[New Rule] Detects Mimikatz via Invoke-Mimikatz (#700 ) * initial commit * lint * note updates * convert to eql and moved to dev * convert to eql and moved to dev	2020-12-09 14:51:45 -06:00
Samirbous	d5eaf5db53	[New Rule] High Number of Process and/or Services Termination (#672 ) * [New Rule] High Number of Process and/or Services Termination * removed url and fixed ruleid * fixed tags * Update rules/windows/defense_evasion_stop_process_service_threshold.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_stop_process_service_threshold.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/windows/defense_evasion_stop_process_service_threshold.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_stop_process_service_threshold.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-09 09:00:19 +01:00
Samirbous	14fe63bb1e	[Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process (#676 ) * [Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process * replaced path with name for faster comparaison * added few more cases and refurl also organized items per anomaly category * added extra refurl plus few excep * Update execution_suspicious_ms_office_child_process.toml * added parenthesis * excluded an FP	2020-12-09 08:55:58 +01:00
Justin Ibarra	e272800a5d	Add ATT&CK sub-technique support to CLI (#614 ) * Add Mitre sub-technique support to CLI * Add subtechnique enum to schema * Add test to prevent duplicative tactics in mapping	2020-12-08 21:56:55 -09:00
Justin Ibarra	24828ea9cb	[New Rule] Conversions of some APT-29 Endgame rules (#702 ) Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-08 14:13:34 -09:00
Samirbous	94e8fa80bb	[Rule Tuning] Suspicious Endpoint Security Parent Process (#509 ) * [Rule Tuning] added FPs and converted to EQL for more flexibilty * Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> * adjusted process names in scope to security agents * eql syntax * ecs_version * adjusted format * Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-08 22:34:28 +01:00
Samirbous	538aa80bba	[New Rule] Process Termination Followed by Deletion (#482 ) * [New Rule] Process Termination Followed by Deletion * excluded SoftwareDistrib and WinSxS Folders * added drive letter for better performance * excluded signed PE * eql syntax * ecs_version * Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * added few more extension as suggested by DanStep * dropped winlogbeat due to pe.codesign Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-08 22:26:11 +01:00
Samirbous	97fa6c62cd	[New Rule] Remote File Download via Powershell (#660 ) * [New Rule] Remote File Download via Powershell * new line * eql syntax * ecs_version * added google related FPs * Update rules/windows/command_and_control_remote_file_copy_powershell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/command_and_control_remote_file_copy_powershell.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/command_and_control_remote_file_copy_powershell.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/command_and_control_remote_file_copy_powershell.toml Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com> * Update rules/windows/command_and_control_remote_file_copy_powershell.toml Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com> * relint * ecs_version removed * replaced path with name to avoid FPs for users temp folder Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com>	2020-12-08 21:28:28 +01:00
Samirbous	9792d967d7	[Rule Tuning] Convert to EQL 5 existing rules (#414 ) * [Rule Tuning] 5 rules * [Rule Tuning] Converted two IIS CredAccess rules to EQL * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/credential_access_iis_connectionstrings_dumping.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/evasion_rundll32_no_arguments.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * deleted. rule looks incompatible with endpoint * fixing units testing error * Update credential_access_iis_apppoolsa_pwd_appcmd.toml * Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * desc * fixed tags duplicate * ecs_version * ecs_version * ecs_version * ecs_version * ecs_version * ecs_version * Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update defense_evasion_rundll32_no_arguments.toml * adjusted process args count to 1 adjusted process args count to 1 to account for winlogbeat Windows process creation events 4688 with missing cmdline value (avoid FPs). Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-08 21:07:26 +01:00
Samirbous	afb00d7097	[New Rule] Encoded Executable Stored in the Registry (#636 ) * [New Rule] Encoded Executable Stored in the Registry * eql syntax * ecs_version * Update rules/windows/defense_evasion_hide_encoded_executable_registry.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_hide_encoded_executable_registry.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-08 20:51:14 +01:00
Samirbous	19e0de3bed	[New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I (#573 ) * [New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I * added Execution of Persistent Suspicious Program reworked a bit and converted Endgame rule with ID d3ffda1a-690f-43e2-89fb-f8d67b99b16b Execution of Persistent Scripts * increased 1m the maxspan to cover also slow startup * fixed regsvr32 pe ofn * adjust format * fixed process.args * added more suspicious COM hijack options added also URL for reference * fixed key.path and added ScriptletURL * Update persistence_runtime_run_key_startup_susp_procs.toml * eql syntax * eql syntax * eql syntax * eql syntax * eql syntax * eql syntax * eql syntax * eql syntax * eql syntax * eql syntax * fixed error * fixed error * formating * formating * formatting * replaced process name with path * ecs_version * ecs_version * ecs_version * ecs_version * ecs_version * ecs_version * ecs_version * ecs_version * ecs_version * ecs_version and optimz and refurl * Update rules/windows/persistence_appinitdlls_registry.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/persistence_registry_uncommon.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/persistence_services_registry.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/persistence_suspicious_com_hijack_registry.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/persistence_suspicious_com_hijack_registry.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * duplicated registry hive instead of leading wildcard * duplicated registry hive instead of leading wildcard * Update rules/windows/persistence_appcertdlls_registry.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/persistence_appinitdlls_registry.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/persistence_registry_uncommon.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/persistence_run_key_and_startup_broad.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/persistence_run_key_and_startup_broad.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/persistence_startup_folder_scripts.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/persistence_startup_folder_scripts.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/persistence_suspicious_com_hijack_registry.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/persistence_suspicious_com_hijack_registry.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/persistence_via_lsa_security_support_provider_registry.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/persistence_via_lsa_security_support_provider_registry.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * lowered maxspan to avoid FPs * removed cmd to avoid FPs * Update rules/windows/persistence_registry_uncommon.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/persistence_appcertdlls_registry.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/persistence_appinitdlls_registry.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/persistence_registry_uncommon.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/persistence_appinitdlls_registry.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-12-08 20:35:18 +01:00
Samirbous	16a49b3278	[New Rule] Windows Script Executing a Process via WMI (#643 ) * [New Rule] Windows Script Executing a Process via WMI * Update execution_scripts_process_started_via_wmi.toml * Update execution_scripts_process_started_via_wmi.toml * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * increased maxspan * eql syntax * deleted ecs_version * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/execution_scripts_process_started_via_wmi.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-12-08 19:23:48 +01:00
Samirbous	5483712805	[New Rule] Lolbas ImageLoad via Windows Update Client (#366 ) * [New Rule] Lolbas ImageLoad via Windows Update Client * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update defense_evasion_execution_lolbas_wuauclt.toml * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update defense_evasion_execution_lolbas_wuauclt.toml * removed timeline_id * new eql synthax * Update defense_evasion_execution_lolbas_wuauclt.toml * ecs_version * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * removed new lines * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> * Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * deleted ecs_version Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>	2020-12-08 18:54:09 +01:00
Samirbous	1c2166b23f	[New Rule] - Execution from Unusual Directory (#433 ) * [New Rule] - Execution from Unusual Directory * adjusted lint * Update execution_from_unusual_directory.toml * small tune * Update execution_from_unusual_directory.toml * removed timeline_id * adjusted executable path for better performance * Update rules/windows/execution_from_unusual_directory.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/execution_from_unusual_directory.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * update date * Update rules/windows/execution_from_unusual_directory.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * ecs_version * converted to eql for case insensitivity * ecs_version * fixed path * added extra path Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-12-08 18:46:56 +01:00
Samirbous	e7695f862f	[New Rule] Potential Credential Access with LolBas (#620 ) * [New Rule] Potential Credential Access with LolBas * typo * added procdump and steam lolbins * added cisco Jabber lobas * eql syntax * ecs_version * Update rules/windows/credential_access_lolbas_dump_cmdline.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/credential_access_lolbas_dump_cmdline.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * renamed rule and filename as suggested by DanStep * adjust name and desc Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-08 17:56:25 +01:00
Samirbous	c0c369181a	[New Rule] New Port Forwarding Rule Added (#630 ) * [New Rule] New Port Forwarding Rule Added * fiexed rule file name * eql syntax * ecs_version * Update rules/windows/defense_evasion_port_forwarding_added_registry.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_port_forwarding_added_registry.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_port_forwarding_added_registry.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-08 17:32:08 +01:00
Samirbous	35ee818854	[Rule Tuning] Suspicious Process Execution via Renamed PsExec Executable (#502 ) * Converted suspicious execution via psexec to EQL * adjusted procname * eql syntax * ecs_version	2020-12-08 17:27:16 +01:00
Samirbous	63759a4bf4	[New Rule] Lsass Memory Dump Created (#618 ) * [New Rule] Lsass Memory Dump Created * added Dumpert and AndrewSpecial HKTL default memory dump filenames * added sqldumper default dmp filename * added Out-Minidump PS default dump filename * ecs_version * crackmap default lsass memdmp * Update rules/windows/credential_access_lsass_memdump_file_created.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/credential_access_lsass_memdump_file_created.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-08 17:24:51 +01:00
Samirbous	feb79c0304	[New Rule] Suspicious Execution via Scheduled Task (#584 ) * [New Rule] Suspicious Execution via Scheduled Task * Update persistence_suspicious_scheduled_task_runtime.toml * Update persistence_suspicious_scheduled_task_runtime.toml * Update rules/windows/persistence_suspicious_scheduled_task_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/persistence_suspicious_scheduled_task_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * eql syntax * ecs_version * added two susp_paths as suggested by Devon Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-08 17:20:21 +01:00

1 2 3 4

176 Commits