192047f46d
[Rule Tuning] Potential Antimalware Scan Interface Bypass via PowerShell ( #2663 )
2023-03-27 11:50:53 -03:00
3bfe3060a2
[Rule Tuning] Uncommon Registry Persistence Change ( #2538 )
...
* [Rule Tuning] Uncommon Registry Persistence Change
* updated updated_date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-26 00:35:23 +01:00
76500f0d46
[New Rule] Google Workspace Drive - Encryption Key(s) Accessed from Anonymous User ( #2654 )
...
* new rule 'Google Workspace Drive Encryption Key(s) Accessed from Anonymous User'
* updated MITRE ATT&CK mappings
2023-03-24 12:21:56 -04:00
32ca0001ff
[Rule Tuning] Untrusted Driver Loaded ( #2656 )
2023-03-23 08:26:52 -03:00
0d1fca454a
New Rule: Suspicious Mining Process Creation Event ( #2531 )
...
* New Rule: Suspicious Mining Process Creation Event
* added host.os.type==linux
* trying to fix unit testing
* Revert "trying to fix unit testing"
This reverts commit ab3f371300fa400baa287b54e5f38b4855fc6512.
* unit testing fix attempt
* Revert "unit testing fix attempt"
This reverts commit 8b59343a5923a004423cf665b167611ef0129a9d.
* added endgame support
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-03-21 16:35:25 +01:00
7be5788945
[New Rule] Google Workspace Resource Copied from External Drive ( #2627 )
...
* added new rule 'Google Workspace Resource Copied from External Drive'
* adjusted mitre att&ck subtechnique ID
2023-03-20 14:37:58 -04:00
2c5470349c
[New Rule] External User Added to Private Organization Group ( #2577 )
...
* new rule 'External User Added to Google Workspace Group'
* Update rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/integrations/google_workspace/initial_access_external_user_added_to_google_workspace_group.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added Investigation Guide tag
---------
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-03-20 14:32:42 -04:00
eab30d7456
[Rule Tuning] Namespace Manipulation Using Unshare ( #2599 )
...
* [Rule Tuning] Namespace Manipulation Using Unshare
* reverted updated_date change
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-20 07:36:47 -03:00
672211500c
[Rule Fix] Privileged SSH Brute Force Detected ( #2595 )
2023-03-14 15:42:58 -04:00
f52a744259
[New Rule] RC Script Creation ( #2607 )
...
* [New Rule] RC Script Creation
* fixed unit testing error
* Update rules/linux/persistence_rc_script_creation.toml
* Update rules/linux/persistence_rc_script_creation.toml
* Update rules/linux/persistence_rc_script_creation.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* added host.os.type==linux
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-03-14 15:03:41 -04:00
295fc323a1
[Rule Tunings] System Time & Service Discovery ( #2589 )
...
* [Rule Tuning] System Time Discovery
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-14 14:43:21 -04:00
1a5bc7e924
[Rule Tuning] Abnormal PID or Lock File Created ( #2600 )
2023-03-14 14:37:00 -04:00
181b56c636
[Rule Tuning] Process Created with an Elevated Token (TiWorker.exe) ( #2622 )
2023-03-07 19:57:34 -05:00
38b8311482
[Security Content] Expand Abbreviated Tags ( #2414 )
...
* [Security Content] Expand Abbreviated Tags
* .
* Update privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Revert changes to deprecated rules
* Bump updated_date
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-03-06 17:37:52 -03:00
0273d118a6
[Rule Tuning] Add endgame support for Windows Rules ( #2428 )
...
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* 1/2
* bump updated_date
* 2/3
* Finale
* Update persistence_evasion_registry_ifeo_injection.toml
* .
* Multiple fixes
* Missing index
* Missing AND
2023-03-06 12:47:11 -03:00
59da2da474
[Rule Tuning] Ensure host information is in endpoint rule queries ( #2593 )
...
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-05 11:41:19 -07:00
a71620a99b
[Rule Tuning] Potential Antimalware Scan Interface Bypass via PowerShell ( #2614 )
2023-03-05 14:59:17 -03:00
bb4f7acf27
deprecate 'Google Workspace User Group Access Modified to Allow External Access' ( #2576 )
...
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-03-02 11:29:14 -05:00
46b18b5a07
[New Rule] Google Workspace - Suspended User Account Renewed ( #2592 )
...
* new rule for suspended user account renewal in Google Workspace
* fixed risk score; toml linted
* Update rules/integrations/google_workspace/initial_access_google_workspace_suspended_user_renewed.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
---------
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
2023-03-02 11:23:49 -05:00
1a4510c9d4
[Security Content] Add Investigation Guides to Windows Rules - 2 ( #2534 )
...
* [Security Content] Add Investigation Guides to Windows Rules - 2
* tags
* Adjust some phrasing based on the review
* Update credential_access_bruteforce_admin_account.toml
* Missing Osquery Note
* Missing note
2023-03-01 21:23:09 -03:00
5f83433ecb
New Rule to identify potential linux credential dumping ( #2604 )
2023-03-01 21:00:02 +05:30
539cd945a9
New Rule to identify iptables or firewall disabling. ( #2591 )
2023-03-01 17:14:45 +05:30
66359012c3
[Rule Tuning] Potential Shadow File Read via CLI ( #2594 )
2023-02-28 18:26:38 +01:00
c3d8bac402
[Security Content] Add Investigation Guides to Windows rules ( #2521 )
...
* [Security Content] Add Investigation Guides to Windows rules
* .
* Add IG tag
* Apply suggestions from review
* Address reviews
* address note
* Update defense_evasion_amsi_bypass_dllhijack.toml
* Update defense_evasion_amsi_bypass_powershell.toml
2023-02-22 18:13:13 -03:00
f17b6f1702
[Security Content] Fix verbiage used on Osquery Note ( #2513 )
...
* [Security Content] Fix verbiage used on Osquery Note
* Adjust verbiage
* date bump
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-02-22 12:33:23 -03:00
9bef3857f9
[Rule Tuning] Remote System Discovery Commands ( #2500 )
...
* [Rule Tuning] Remote System Discovery Commands
- Added to query to add additional remote system discovery tools : nltest, dsquery, net
* Update discovery_remote_system_discovery_commands_windows.toml
-added dsget.exe
* update date
* removed git comments
* removed extra ( from query
2023-02-21 18:39:51 -05:00
f04ebf277c
[Rule Tuning] ( #2537 )
...
add t1018 Remote system discovery
2023-02-15 14:58:29 -05:00
7df801f5c2
[Rule Tuning] Add missing techniques ( #2482 )
...
* tune for missing techniques
-added missing techniques to rules
* added same missing techniques to another rule
- updated_date for all files - added missing techniques to a 3rd rule
* added T1057 technique
added T1057 technique for Process discovery
2023-02-10 15:07:19 -05:00
f8e97da549
Rule Tuning Update MITRE Details ( #2526 )
...
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-02-10 23:05:28 +05:30
443478c8c0
[Rule Tuning] Rule Tunings to add T1078 technique and subtechniques ( #2530 )
...
- add sub-techniques and techniques
2023-02-08 11:18:13 -05:00
54b2f7582e
Update defense_evasion_unusual_ads_file_creation.toml ( #2522 )
2023-02-07 09:40:42 -03:00
1784429aa7
[FR] Add Integration Schema Query Validation ( #2470 )
2023-02-02 16:22:44 -05:00
cd2307ba7d
[New Rule] FirstTimeSeen User Performing DCSync ( #2433 )
...
* Create credential_access_dcsync_newterm_subjectuser.toml
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-02-02 15:44:31 +00:00
4bfcbeab36
[Rule Tuning] Unusual Network Activity from a Windows System Binary ( #2509 )
...
* [Rule Tuning] Unusual Network Activity from a Windows System Binary
* Update defense_evasion_network_connection_from_windows_binary.toml
2023-02-01 13:19:28 -03:00
748bdbf8b1
[New Rule] Enumerating Domain Trusts via Dsquery.exe ( #2508 )
...
* [New Rule] Enumerating Domain Trusts via Dsquery.exe
T1482 Domain Trust Discovery
New rule to capture domain trust discovery with dsquery.
* Update discovery_enumerating_domain_trusts_via_dsquery.toml
I think it would be beneficial to add the process.pe.original_file_name : "dsquery.exe" to the rule, as it would be easy for an attacker to bypass this rule by changing the file name, as so: https://prnt.sc/ZqePZKuV1-Vq
Other than that, LGTM!
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-02-01 10:27:42 -05:00
c6125004c1
[New Rules] WSL Related Rules ( #2463 )
...
* Create defense_evasion_wsl_registry_modification.toml
* Create defense_evasion_wsl_kalilinux.toml
* Create defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_kalilinux.toml
* Create defense_evasion_wsl_filesystem.toml
* Update defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_filesystem.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_filesystem.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update defense_evasion_wsl_registry_modification.toml
* Update defense_evasion_wsl_child_process.toml
* Create defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_kalilinux.toml
* Create defense_evasion_wsl_enabled_via_dism.toml
* Update defense_evasion_wsl_enabled_via_dism.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Delete defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_enabled_via_dism.toml
* Create defense_evasion_wsl_bash_exec.toml
* Delete defense_evasion_wsl_bash_exec.toml
* Create defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_registry_modification.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update defense_evasion_wsl_kalilinux.toml
2023-02-01 15:10:28 +00:00
7fe08e7856
Update persistence_service_windows_service_winlog.toml ( #2516 )
2023-02-01 14:34:30 +00:00
be5cd23a64
[New Rules] Code Signing Policy Modification ( #2510 )
...
* [New Rules] Code Signing Policy Modification
* Fixed description & tags
* cleaned the query syntax
* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-02-01 15:30:15 +01:00
5a31cb250d
[Rule Tuning] Unusual File Modification by dns.exe ( #2505 )
2023-02-01 11:10:05 -03:00
8c2cbae5a8
[New Rule] Potential PowerShell HackTool Script by Function Names ( #2474 )
...
* [New Rule] Potential PowerShell HackTool Script by Function Names
* Update execution_posh_hacktool_functions.toml
* Update execution_posh_hacktool_functions.toml
* Update execution_posh_hacktool_functions.toml
2023-01-31 17:21:36 -03:00
8e02c60ef6
[Rule Tuning] Enclose Rule Conditions within Parenthesis ( #2486 )
2023-01-31 16:56:19 -03:00
99f177a5ae
[Rule Tuning] Potential Credential Access via DCSync ( #2501 )
2023-01-31 16:50:39 -03:00
8519fad243
[Rule Tuning] Potential Remote Credential Access via Registry ( #2511 )
...
* [Rule Tuning] Potential Remote Credential Access via Registry
* Remove WEF index
2023-01-31 15:09:32 -03:00
d636f2d465
[Rule Tuning] T1069 and T1087 - admin wildcard ( #2484 )
...
Tuned both rules:relax the conditions by adding a wildcard to admin
2023-01-30 22:01:52 -05:00
5575400ee9
[Security Content] Add Investigation Guides for ML rules ( #2405 )
...
* [Security Content] Add Investigation Guides for ML rules
* .
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Place the guide in the correct rule
* Update guides to address IG refactor, and address sugestions
---------
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-01-30 13:12:45 -03:00
54f65abdb0
[Rule Tuning] Potential Shadow Credentials added to AD Object ( #2498 )
2023-01-30 09:14:23 -03:00
b8adffa469
[New Rule] System Service Discovery through built-in Windows Utilities ( #2491 )
...
* [New Rule] System Service Discovery through built-in Windows Utilities
* added pe.original_file_name to net.exe
* fixed query style mistake
* fixed detection logic mistake
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-01-29 19:15:17 +01:00
c5ce910d3a
Create defense_evasion_timestomp_sysmon.toml ( #2476 )
2023-01-27 21:32:03 +00:00
b8dcc6ab4b
[New Rules] C2 via BITS and CertReq ( #2466 )
...
* Create command_and_control_certreq_postdata.toml
* Update command_and_control_certreq_postdata.toml
* Update command_and_control_certreq_postdata.toml
* Create command_and_control_ingress_transfer_bits.toml
* Update non-ecs-schema.json
* Update command_and_control_certreq_postdata.toml
* Update command_and_control_ingress_transfer_bits.toml
* Update rules/windows/command_and_control_certreq_postdata.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-01-27 20:17:36 +00:00
e737b4eb7c
[Tuning] added T1021.006 and T1563.001 ( #2497 )
...
* Update lateral_movement_incoming_winrm_shell_execution.toml
* Update lateral_movement_powershell_remoting_target.toml
* Update persistence_ssh_authorized_keys_modification.toml
* Update persistence_credential_access_modify_ssh_binaries.toml
* Update credential_access_potential_linux_ssh_bruteforce_root.toml
* Update persistence_ssh_authorized_keys_modification.toml
* Update persistence_ssh_authorized_keys_modification.toml
* Update persistence_ssh_authorized_keys_modification.toml
2023-01-27 19:51:22 +00:00
Jonhnathan