security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

178 Commits

Author SHA1 Message Date
Justin Ibarra 90a9320f93 [Rule Tuning] Remove timestamp_override for endgame-* promotion rules (#951) 
* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
 2021-02-17 13:48:57 -09:00
brokensound77 6ce418877f Merge remote-tracking branch 'upstream/7.12' into merge-7.11-to-7.12 
# Conflicts:
#	etc/version.lock.json
#	rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
#	rules/cross-platform/impact_hosts_file_modified.toml
#	rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
#	rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
#	rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
#	rules/linux/defense_evasion_timestomp_touch.toml
#	rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
#	rules/macos/credential_access_credentials_keychains.toml
#	rules/macos/credential_access_promt_for_pwd_via_osascript.toml
#	rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
#	rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
#	rules/promotions/external_alerts.toml
#	rules/windows/collection_email_powershell_exchange_mailbox.toml
#	rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
#	rules/windows/collection_winrar_encryption.toml
#	rules/windows/command_and_control_common_webservices.toml
#	rules/windows/command_and_control_encrypted_channel_freesslcert.toml
#	rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
#	rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
#	rules/windows/command_and_control_teamviewer_remote_file_copy.toml
#	rules/windows/credential_access_cmdline_dump_tool.toml
#	rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
#	rules/windows/credential_access_credential_dumping_msbuild.toml
#	rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
#	rules/windows/credential_access_dump_registry_hives.toml
#	rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
#	rules/windows/credential_access_iis_connectionstrings_dumping.toml
#	rules/windows/credential_access_kerberoasting_unusual_process.toml
#	rules/windows/credential_access_lsass_memdump_file_created.toml
#	rules/windows/credential_access_mimikatz_memssp_default_logs.toml
#	rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
#	rules/windows/defense_evasion_clearing_windows_event_logs.toml
#	rules/windows/defense_evasion_code_injection_conhost.toml
#	rules/windows/defense_evasion_cve_2020_0601.toml
#	rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
#	rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
#	rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
#	rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
#	rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
#	rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
#	rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
#	rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
#	rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
#	rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
#	rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
#	rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
#	rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
#	rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
#	rules/windows/defense_evasion_hide_encoded_executable_registry.toml
#	rules/windows/defense_evasion_iis_httplogging_disabled.toml
#	rules/windows/defense_evasion_injection_msbuild.toml
#	rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
#	rules/windows/defense_evasion_masquerading_renamed_autoit.toml
#	rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
#	rules/windows/defense_evasion_masquerading_trusted_directory.toml
#	rules/windows/defense_evasion_modification_of_boot_config.toml
#	rules/windows/defense_evasion_port_forwarding_added_registry.toml
#	rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
#	rules/windows/defense_evasion_sdelete_like_filename_rename.toml
#	rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
#	rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
#	rules/windows/defense_evasion_suspicious_zoom_child_process.toml
#	rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
#	rules/windows/defense_evasion_unusual_dir_ads.toml
#	rules/windows/defense_evasion_unusual_system_vp_child_program.toml
#	rules/windows/defense_evasion_via_filter_manager.toml
#	rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
#	rules/windows/discovery_adfind_command_activity.toml
#	rules/windows/discovery_admin_recon.toml
#	rules/windows/discovery_file_dir_discovery.toml
#	rules/windows/discovery_net_command_system_account.toml
#	rules/windows/discovery_net_view.toml
#	rules/windows/discovery_peripheral_device.toml
#	rules/windows/discovery_process_discovery_via_tasklist_command.toml
#	rules/windows/discovery_query_registry_via_reg.toml
#	rules/windows/discovery_remote_system_discovery_commands_windows.toml
#	rules/windows/discovery_security_software_wmic.toml
#	rules/windows/discovery_whoami_command_activity.toml
#	rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
#	rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
#	rules/windows/execution_command_shell_started_by_powershell.toml
#	rules/windows/execution_command_shell_started_by_svchost.toml
#	rules/windows/execution_command_shell_started_by_unusual_process.toml
#	rules/windows/execution_command_shell_via_rundll32.toml
#	rules/windows/execution_from_unusual_directory.toml
#	rules/windows/execution_from_unusual_path_cmdline.toml
#	rules/windows/execution_shared_modules_local_sxs_dll.toml
#	rules/windows/execution_suspicious_cmd_wmi.toml
#	rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
#	rules/windows/execution_suspicious_pdf_reader.toml
#	rules/windows/execution_suspicious_powershell_imgload.toml
#	rules/windows/execution_suspicious_psexesvc.toml
#	rules/windows/execution_suspicious_short_program_name.toml
#	rules/windows/execution_via_compiled_html_file.toml
#	rules/windows/execution_via_hidden_shell_conhost.toml
#	rules/windows/execution_via_net_com_assemblies.toml
#	rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
#	rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
#	rules/windows/initial_access_script_executing_powershell.toml
#	rules/windows/initial_access_suspicious_ms_office_child_process.toml
#	rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
#	rules/windows/initial_access_unusual_dns_service_children.toml
#	rules/windows/initial_access_unusual_dns_service_file_writes.toml
#	rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
#	rules/windows/lateral_movement_execution_from_tsclient_mup.toml
#	rules/windows/lateral_movement_local_service_commands.toml
#	rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
#	rules/windows/lateral_movement_rdp_enabled_registry.toml
#	rules/windows/lateral_movement_rdp_tunnel_plink.toml
#	rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
#	rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
#	rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
#	rules/windows/persistence_adobe_hijack_persistence.toml
#	rules/windows/persistence_appcertdlls_registry.toml
#	rules/windows/persistence_appinitdlls_registry.toml
#	rules/windows/persistence_evasion_registry_ifeo_injection.toml
#	rules/windows/persistence_gpo_schtask_service_creation.toml
#	rules/windows/persistence_local_scheduled_task_commands.toml
#	rules/windows/persistence_ms_office_addins_file.toml
#	rules/windows/persistence_ms_outlook_vba_template.toml
#	rules/windows/persistence_priv_escalation_via_accessibility_features.toml
#	rules/windows/persistence_registry_uncommon.toml
#	rules/windows/persistence_run_key_and_startup_broad.toml
#	rules/windows/persistence_services_registry.toml
#	rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
#	rules/windows/persistence_startup_folder_scripts.toml
#	rules/windows/persistence_suspicious_com_hijack_registry.toml
#	rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
#	rules/windows/persistence_suspicious_scheduled_task_runtime.toml
#	rules/windows/persistence_suspicious_service_created_registry.toml
#	rules/windows/persistence_system_shells_via_services.toml
#	rules/windows/persistence_user_account_creation.toml
#	rules/windows/persistence_via_application_shimming.toml
#	rules/windows/persistence_via_hidden_run_key_valuename.toml
#	rules/windows/persistence_via_lsa_security_support_provider_registry.toml
#	rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
#	rules/windows/persistence_via_update_orchestrator_service_hijack.toml
#	rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
#	rules/windows/privilege_escalation_named_pipe_impersonation.toml
#	rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
#	rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
#	rules/windows/privilege_escalation_rogue_windir_environment_var.toml
#	rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
#	rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
#	rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
#	rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
#	rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
#	rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
#	rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
#	rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
#	rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
#	rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
 2021-02-17 12:18:06 -09:00
Justin Ibarra 61deed3fd2 [Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948) 
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
 2021-02-16 10:52:48 -09:00
Justin Ibarra 4e6ff388fc [Rule Tuning] Feedback from 7.12 Kibana PR (#942) 2021-02-11 13:32:58 -09:00
Samirbous 142a26a010 [New Rule] Suspicious Adobe Acrobat Updates Service Child Process (#886) 
* [New Rule] Suspicious Adobe Acrobat Updates Service Child Process

* Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-10 14:08:37 +01:00
Samirbous 58f0bf5998 [Rule Tuning] Attempt to Remove File Quarantine Attribute (#781) 
* [Rule Tuning] Attempt to Remove File Quarantine Attribute

* Update defense_evasion_attempt_del_quarantine_attrib.toml

* adjusted query coverage

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* date

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-10 10:45:50 +01:00
Samirbous 51498f6022 [New Rule] Attempt to Mount an SMB Share via Command-line (#914) 
* [New Rule] Attempt to Mount an SMB Share via Command-line

* fixed tactic_id

* 2021!

* Update lateral_movement_mounting_smb_share.toml

* Update rules/macos/lateral_movement_mounting_smb_share.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/lateral_movement_mounting_smb_share.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/lateral_movement_mounting_smb_share.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* lint rule

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-02-09 22:08:30 +01:00
Samirbous a50a65a4d7 [Rule Tuning] Execution with Explicit Credentials via Scripting (#910) 2021-02-09 22:06:23 +01:00
Samirbous 7d4bd35bf0 [New Rule] Potential Privileges Escalation via Root Crontab File Modi… (#919) 
* [New Rule] Potential Privileges Escalation via Root Crontab File Modification

* Update privilege_escalation_root_crontab_filemod.toml

* Update rules/macos/privilege_escalation_root_crontab_filemod.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_root_crontab_filemod.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* lint rule

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-02-09 22:04:14 +01:00
Samirbous 424a182383 [New Rule] Dumping Accounts Hashes using Built-In Commands (#908) 
* [New Rule] Dumping Accounts Hashes using Built-In Commands

* fixed dates

* Update credential_access_dumping_hashes_bi_cmds.toml

* Update rules/macos/credential_access_dumping_hashes_bi_cmds.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/credential_access_dumping_hashes_bi_cmds.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/credential_access_dumping_hashes_bi_cmds.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_dumping_hashes_bi_cmds.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-09 21:49:51 +01:00
Samirbous 68f834270d [New Rule] Potential Persistence via Atom Init Script Modification (#906) 
* [New Rule] Potential Persistence via Atom Init Script Modification

* Update rules/macos/persistence_via_atom_init_file_modification.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_via_atom_init_file_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-09 21:47:08 +01:00
Samirbous 5ae9347663 [New Rule] Suspicious Calendar File Modification (#880) 
* [New Rule] Suspicious Calendar File Modification

* description

* index

* excluding FPs by path

* Update persistence_suspicious_calendar_modification.toml

* Update persistence_suspicious_calendar_modification.toml

* Update rules/macos/persistence_suspicious_calendar_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_suspicious_calendar_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-09 21:44:45 +01:00
Samirbous aa2dcd58e7 [New Rule] Persistence via DirectoryService Plugin Modification (#858) 
* [New Rule] Persistence via DirectoryService Plugin Modification

* Update persistence_directory_services_plugins_modification.toml

* adjusted description

* Update rules/macos/persistence_directory_services_plugins_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_directory_services_plugins_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_directory_services_plugins_modification.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-02-09 10:59:35 +01:00
Samirbous cfd42babd1 [New Rule] Enumeration of Users or Groups using Built-In Commands (#848) 
* [New Rule] Enumeration of Users or Groups using Built-In Commands

* Update discovery_users_domain_built_in_commands.toml

* added search option

* excluded some noisy processes

* Update discovery_users_domain_built_in_commands.toml

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-09 10:50:39 +01:00
David French e507898dbd [New Rule] Attempt to Disable Gatekeeper (#841) 2021-02-08 20:25:04 -07:00
Samirbous 519078c87c [New Rule] Authorization Plugin Modification (#856) 
* [New Rule] Authorization Plugin Modification

* Update credential_access_persistence_authorization_plugin_creation.toml

* Update rules/macos/credential_access_persistence_authorization_plugin_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_persistence_authorization_plugin_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* tactic

* filename

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 23:14:25 +01:00
Samirbous 2092c70f11 [New Rule] Finder Sync Plugin Enabled (#735) 
* [New Rule] Finder Sync Plugin Enabled

* ref url decoded

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* excluded some common finder plugins

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 23:08:49 +01:00
Samirbous fb32679921 [New Rule] Access to SystemKey via Hexdump (#815) 
* [New Rule] Access to SystemKey via Hexdump

* Update rules/macos/credential_access_systemkey_dumping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_systemkey_dumping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_systemkey_dumping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update credential_access_systemkey_dumping.toml

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 23:02:02 +01:00
Samirbous 6e2d8830e1 [New Rule] Attempt to Install Root Certificate (#850) 
* [New Rule]  Attempt to Install Root Certificate

* Update rules/macos/defense_evasion_install_root_certificate.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_install_root_certificate.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 22:49:35 +01:00
Samirbous a08adbf10c [New Rule] Suspicious Launchd Hidden Child Process (#823) 
* [New Rule] Hidden Launcd Child Process

* adjusted name and added extra ref

* severity change

* Update rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added subtechnique

* Update rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-08 22:43:21 +01:00
Samirbous 53db78fccc [New Rule] Lateral Movement via Kerberos using Bifrost Console (#843) 
* [New Rule] Lateral Movement via Kerberos using Bifrost Console

* adjusted kql for perf

* mitre techniques order

* added two args

* Update lateral_movement_credential_access_kerberos_bifrostconsole.toml

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 22:34:54 +01:00
Samirbous 429a975d14 [New Rule] Keychain Password Retrieval via Commandline (#811) 
* [New Rule] Keychain Password Retrieval via Commandline

* added false positives note

* added internet-pwd option

* extra refurl

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* fixed technique

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 22:31:16 +01:00
Samirbous 18a4e468ce [New Rule] Attempt to Unload Elastic Endpoint Security Kernel Extension (#807) 
* [New Rule] Attempt to Unload Elastic Endpoint Security Kernel Extension

* Update rules/macos/defense_evasion_unload_endpointsecurity_kext.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_unload_endpointsecurity_kext.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_unload_endpointsecurity_kext.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added subtechnique

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 22:22:16 +01:00
Brent Murphy 64366218c7 adjust risk score (#938) 2021-02-08 13:15:42 -05:00
Samirbous 6ca381763d [New Rule] Execution with Administrator Privileges via Apple Scripting (#777) 
* [New Rule] Execution with Administrator Privileges via Apple Scripting

* Update privilege_escalation_applescript_with_admin_privs.toml

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-02-08 17:39:22 +01:00
Samirbous ef01430ab0 [Rule Tuning] Compression of Keychain Credentials Directories (#787) 
* [Rule Tuning] Access to Keychain Credentials Directories

* linted

* renmaed rule filename

* added keychain filenames 

added filenames in case of exec from keychain working directory

* extra reference

* Update rules/macos/credential_access_credentials_keychains.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update credential_access_credentials_keychains.toml

* 2021

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
 2021-02-08 17:31:04 +01:00
Samirbous 79b0a940c5 [New Rule] Attempt to Create a Hidden Local Account (#799) 
* [New Rule] Attempt to Create a Hidden Local Account

* adjusted query for perfmc

* Update persistence_account_creation_hide_at_logon.toml

* Update persistence_account_creation_hide_at_logon.toml

* Update rules/macos/persistence_account_creation_hide_at_logon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_account_creation_hide_at_logon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 17:24:56 +01:00
Samirbous 55998ff02a [New Rule] Creation Attempt of a Hidden Login Item via Apple Script (#801) 
* [New Rule] Creation Attempt of a Hidden Login Item via Apple Script

* fixed TID

* Update persistence_creation_hidden_login_item_osascript.toml

* Update rules/macos/persistence_creation_hidden_login_item_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_creation_hidden_login_item_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_creation_hidden_login_item_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_creation_hidden_login_item_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_creation_hidden_login_item_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 17:22:01 +01:00
Samirbous b9a6452001 [New Rule] Attempt to Enable the Root Account (#792) 
* [New Rule] Attempt to Enable the Root Account

* Update rules/macos/persistence_enable_root_account.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 17:10:43 +01:00
Samirbous b73564b541 [Rule Tuning] Remote SSH Login Enabled via systemsetup Command (#783) 2021-02-08 16:54:39 +01:00
Samirbous 055c8ec4f7 [New Rule] Potential MacOS Privacy Controls Bypass via TCCDB Modification (#765) 
* [New Rule] Potential MacOS Privacy Controls Bypass

* added extra ref and arg if exec from TCC current directory

* Update defense_evasion_privacy_controls_tcc_database_modification.toml

* renamed

* Update defense_evasion_privacy_controls_tcc_database_modification.toml

* adjusted to catch rogue TCCDB PrivEsc Exploit

* Update defense_evasion_privacy_controls_tcc_database_modification.toml

* Update defense_evasion_privacy_controls_tcc_database_modification.toml

* Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added subtechnique

* relinted

* Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-02-08 16:48:53 +01:00
Samirbous 8b8cbcf8dd [Rule Tuning] Prompt for Credentials with OSASCRIPT (#759) 
* [Rule Tuning] Prompt for Credentials with OSASCRIPT

* Update credential_access_promt_for_pwd_via_osascript.toml

* Update credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* update date

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 16:42:23 +01:00
Samirbous 4cb28adece [New Rule] Sublime Plugin or Application Script Modification (#761) 
* [New Rule] Sublime Plugin or Application Script Modification

* excluded some noisy procs

* Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added T1554

* fixed tactic

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 16:34:44 +01:00
Samirbous 6a61caa84f [New Rule] Suspicious Browser Child Process (#767) 
* [New Rule] Suspicious Browser Child Process

* auditbeat removed

auditbeat process execution does not log the parent process name.

* added more suspicious childproc

* added perl and php

* Update execution_initial_access_suspicious_browser_childproc.toml

* Update execution_initial_access_suspicious_browser_childproc.toml

* Update execution_initial_access_suspicious_browser_childproc.toml

* excluded noisy stuff

* Update rules/macos/execution_initial_access_suspicious_browser_childproc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_initial_access_suspicious_browser_childproc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_initial_access_suspicious_browser_childproc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 15:06:18 +01:00
Samirbous 4900c9a018 [New Rule] Potential Office Sandbox Evasion via ZIP File (#834) 
* [New Rule] Potential Office Sandbox Evasion via LaunchAgent ZIP File

* adjusted query to account for other autostart paths

* adjusted query and description

* Update defense_evasion_sandboxed_office_app_suspicious_zip_file.toml

* Update rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* 2021!

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-04 16:47:58 +01:00
Samirbous a8931a927c [New Rule] Safari Settings Modification using Defaults Command (#861) 
* [New Rule] Safari Settings Modification using Defaults Command

* exclude some unsensitive changes

* Update rules/macos/defense_evasion_safari_config_change.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_safari_config_change.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_safari_config_change.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_safari_config_change.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/defense_evasion_safari_config_change.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* added subtechnique

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2021-02-04 16:38:56 +01:00
Samirbous 6e59996fd0 [New Rule] Access to Browsers Credential Files (#789) 
* [New Rule] Access to Browsers Credential Files

* removed Thunderbird from list

out of browsers context, may go into a different rule with other mail clients

* adjusted Safari cookies path

to include for folder access, file access is covered by Cookies.binarycookies check

* excluded a noisy arg

* Update credential_access_access_to_browser_credentials_procargs.toml

* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-04 16:34:49 +01:00
Samirbous 37ccdad0ee [New Rule] Virtual Private Network Connection Attempt (#912) 
* [New Rule] Virtual Private Network Connection Attempt

* fixed tactic_id

* Update lateral_movement_vpn_connection_attempt.toml

* Update rules/macos/lateral_movement_vpn_connection_attempt.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-03 18:18:09 +01:00
Samirbous 8878104f54 [New Rule] Potential Persistence via Periodic Tasks (#898) 
* [New Rule] Potential Persistence via Periodic Tasks

* Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-03 18:15:25 +01:00
Samirbous d733971e99 [New Rule] SoftwareUpdate Preferences Modification (#869) 
* [New Rule] SoftwareUpdate Preferences Modification

* Update defense_evasion_apple_softupdates_modification.toml

* Update rules/macos/defense_evasion_apple_softupdates_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_apple_softupdates_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* added subtechnique

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-03 18:12:37 +01:00
Samirbous b1a8292462 [New Rule] Potential Privacy Controls Bypass via Localhost Secure Copy (#830) 
* [New Rule] Potential Privacy Controls Bypass via Localhost Secure Copy

* rename rule

* exclude FPs

* Update defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml

* Update rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-03 17:54:15 +01:00
Samirbous 326bebdebe [New Rule] Execution via Electron Child Process Node.js Module (#817) 
* [New Rule] Execution via Electron ChildProc Node.js Module

* relinted

* fixed TID and adjusted KQL for perf

* fixed kql

* Update rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-01-29 19:06:49 +01:00
Samirbous ad514eaeab [New Rule] Attempt to Add an Account to the Admin Group (#803) 
* [New Rule] Attempt to Add an Account to the Admin Group

* adjusted query for perf

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_local_user_added_to_admin.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-01-29 19:03:17 +01:00
Samirbous cd3f72cf15 [New Rule] Creation of a Hidden Launch Agent or Daemon (#797) 
* [New Rule] Creation of a Hidden Launch Agent or Daemon

* updated TID

* Update persistence_evasion_hidden_launch_agent_deamon_creation.toml

* Update persistence_evasion_hidden_launch_agent_deamon_creation.toml

* Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* sub-technique stuff

* relint

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-29 19:01:15 +01:00
Samirbous a5ded6513c [New Rule] Browser Hijack via Setting the Web Proxy to Localhost (#805) 
* [New Rule] Browser Hijack via Setting the Web Proxy to Localhost

* fixed dates

* adjusted query to include traffic redirection

* relinted

* added extra arg

* reduced severity

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_mitm_localhost_webproxy.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-29 18:58:14 +01:00
Samirbous acff6a3a5d [New Rule] 2 Rules for Persistence via Emond (#832) 
* [New Rule] 2 Rules for Persistence via Emond

* removed auditbeat index

process.parent.name not captured

* Update persistence_emond_rules_process_execution.toml

* Update rules/macos/persistence_emond_rules_file_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_emond_rules_process_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_emond_rules_file_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_emond_rules_process_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relint

* 2021

* Update persistence_emond_rules_process_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-29 09:16:27 +01:00
brokensound77 ec4c9e77a2 Update revoked technique 2021-01-28 11:03:17 -09:00
brokensound77 bf32dec5a4 Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main 
# Conflicts:
#	rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
 2021-01-28 10:41:39 -09:00
Samirbous 1d77932434 [New Rule] Suspicious MacOS MS Office Child Process (#779) 
* [New Rule] Suspicious MacOS MS Office Child Process

* extra bin and ref

* Update execution_suspicious_mac_ms_office_child_process.toml

* Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-28 19:55:31 +01:00
Samirbous c18c5a493a [New Rule] Dumping of Keychain Content via Security Command (#785) 
* [New Rule] Dumping of Keychain Content via Security Command

* converted to eql

* added sub-technique

* 2021

* Update rules/macos/credential_access_dumping_keychain_security.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-01-28 19:50:41 +01:00