Justin Ibarra
a0e86e20d6
[Rule Tuning] Add windows integration index to rules ( #923 )
2021-01-28 20:53:57 -09:00
Justin Ibarra
c1a0438f45
[Rule Tuning] Update ATT&CK threat mappings to reflect changes ( #706 )
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00
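The three failure conditions listed in the commit above (revoked technique, deprecated technique, technique mapped to a tactic it does not belong to) are easy to express as a small validator. The following is an added example, not code from the detection-rules repository: the `ATTACK` table is a constructed subset of ATT&CK whose revoked/deprecated flags are assumptions for illustration, and `validate_threat` is a hypothetical helper that takes the `[[rule.threat]]` shape used in rule TOML files.

```python
"""Validate a rule's ATT&CK threat mapping (added example, not project code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    id: str
    name: str
    tactics: frozenset          # tactic shortnames the technique is valid under
    revoked: bool = False       # superseded by another technique ID
    deprecated: bool = False    # retired without a replacement
    revoked_by: str = ""        # replacement ID when revoked


# Constructed ATT&CK subset (assumption for this example, not a STIX export).
ATTACK = {
    "T1547": Technique("T1547", "Boot or Logon Autostart Execution",
                       frozenset({"persistence", "privilege-escalation"})),
    "T1547.001": Technique("T1547.001", "Registry Run Keys / Startup Folder",
                           frozenset({"persistence", "privilege-escalation"})),
    "T1060": Technique("T1060", "Registry Run Keys / Startup Folder",
                       frozenset({"persistence"}), revoked=True, revoked_by="T1547.001"),
    "T1064": Technique("T1064", "Scripting",
                       frozenset({"defense-evasion", "execution"}), deprecated=True),
    "T1112": Technique("T1112", "Modify Registry", frozenset({"defense-evasion"})),
}


def _tactic_shortname(name: str) -> str:
    """'Privilege Escalation' -> 'privilege-escalation' (ATT&CK shortname form)."""
    return name.strip().lower().replace(" ", "-")


def validate_threat(threat: list) -> list:
    """Return a list of error strings; an empty list means the mapping passes.

    `threat` mirrors the rule TOML structure:
      [{"tactic": {"name": "Persistence"},
        "technique": [{"id": "T1547", "subtechnique": [{"id": "T1547.001"}]}]}]
    Every technique and sub-technique is checked against the same tactic.
    """
    errors = []
    for entry in threat:
        tactic = _tactic_shortname(entry["tactic"]["name"])
        for tech in entry.get("technique", []):
            ids = [tech["id"]] + [sub["id"] for sub in tech.get("subtechnique", [])]
            for tid in ids:
                t = ATTACK.get(tid)
                if t is None:
                    errors.append(f"{tid}: unknown technique")
                    continue
                if t.revoked:
                    errors.append(f"{tid}: revoked, use {t.revoked_by}")
                if t.deprecated:
                    errors.append(f"{tid}: deprecated")
                if tactic not in t.tactics:
                    errors.append(f"{tid}: not valid under tactic '{tactic}'")
    return errors


if __name__ == "__main__":
    sample = [{"tactic": {"name": "Persistence"},
               "technique": [{"id": "T1060"}, {"id": "T1064"}, {"id": "T1112"}]}]
    for err in validate_threat(sample):
        print("FAIL:", err)
```

Wiring this into a test suite is a matter of asserting that `validate_threat` returns an empty list for every rule; the revoked case reports the replacement ID so the fix is a mechanical substitution rather than a lookup.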
Justin Ibarra
a6463b435c
[Rule Tuning] Replace line comments with block comments ( #710 )
2020-12-12 17:11:17 -09:00
Samirbous
19e0de3bed
[New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I ( #573 )
* [New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I
* added Execution of Persistent Suspicious Program
reworked a bit and converted Endgame rule with ID d3ffda1a-690f-43e2-89fb-f8d67b99b16b Execution of Persistent Scripts
* increased 1m the maxspan
to cover also slow startup
* fixed regsvr32 pe ofn
* adjust format
* fixed process.args
* added more suspicious COM hijack options
added also URL for reference
* fixed key.path and added ScriptletURL
* Update persistence_runtime_run_key_startup_susp_procs.toml
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* fixed error
* fixed error
* formatting
* formatting
* formatting
* replaced process name with path
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version and optimz and refurl
* Update rules/windows/persistence_appinitdlls_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_services_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* duplicated registry hive instead of leading wildcard
* duplicated registry hive instead of leading wildcard
* Update rules/windows/persistence_appcertdlls_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_appinitdlls_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_run_key_and_startup_broad.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_run_key_and_startup_broad.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_startup_folder_scripts.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_startup_folder_scripts.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_via_lsa_security_support_provider_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_via_lsa_security_support_provider_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* lowered maxspan to avoid FPs
* removed cmd to avoid FPs
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/persistence_appcertdlls_registry.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/persistence_appinitdlls_registry.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/persistence_appinitdlls_registry.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-08 20:35:18 +01:00