security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

946 Commits

Author SHA1 Message Date
Austin Songer 25327134a6 [New Rule] Shadowcopy via Symlink (#1675) 
* Create credential_access_shadowcopy_via_symlink.toml

* Update credential_access_shadowcopy_via_symlink.toml

* Update and rename credential_access_shadowcopy_via_symlink.toml to credential_access_shadowcopy_via_mklink.toml

* Update credential_access_shadowcopy_via_mklink.toml

* Update rules/windows/credential_access_shadowcopy_via_mklink.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_shadowcopy_via_mklink.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_shadowcopy_via_mklink.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update credential_access_shadowcopy_via_mklink.toml

* Rename credential_access_shadowcopy_via_mklink.toml to credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml

* Update credential_access_symbolic_link_to_shadow_copy_createdcredential_access_symbolic_link_to_shadow_copy_created.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2022-01-12 07:52:37 -03:00
Jonhnathan 899642dd78 [New Rule] PowerShell Suspicious Script with Screenshot Capabilities (#1581) 
* Create collection_posh_screen_grabber.toml

* Update collection_posh_screen_grabber.toml

* Update collection_posh_screen_grabber.toml

* Update collection_posh_screen_grabber.toml

* Update rules/windows/collection_posh_screen_grabber.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update query condition

* lint

* Update execution_python_tty_shell.toml

* Revert "Update execution_python_tty_shell.toml"

This reverts commit d2d72ea5726415caca8786d59446b6dd60dcee54.

* Update collection_posh_screen_grabber.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-14 19:30:45 -03:00
Jonhnathan f2a28e49fb [New Rules] PowerShell Suspicious Payload Encoded and Compressed (#1580) 
* Create defense_evasion_posh_compressed.toml

* Update defense_evasion_posh_compressed.toml

* Add GzipStream, cover common variations withou using wildcard

* Update defense_evasion_posh_compressed.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Add false_positives

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-14 19:25:11 -03:00
Jonhnathan d4e06beee6 [New Rule] PowerShell Reflection Assembly Load (#1559) 
* Create defense_evasion_posh_assembly_load.toml

* Update defense_evasion_posh_assembly_load.toml

* Update rules/windows/defense_evasion_posh_assembly_load.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Change event.code to event.category

* Update rules/windows/defense_evasion_posh_assembly_load.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-08 17:59:17 -03:00
Jonhnathan ee548328d5 [Rule Tuning] Powershell Defender Exclusion (#1644) 
* Split process.args condition

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-08 11:51:32 -03:00
Samirbous b85818f49c [New Rule] Enumeration of Privileged Local Groups Membership (#1557) 
* [New Rule] Enumeration of Privileged Local Groups Membership

* Update non-ecs-schema.json

* Update discovery_privileged_localgroup_membership.toml

* removed endpoint index (not needed)

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-08 11:23:42 +01:00
Samirbous 434e2d0426 [New Rule] Privilege Escalation via Rogue Named Pipe Impersonation (#1544) 
* [New Rule] Privilege Escalation via Rogue Named Pipe Impersonation

* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update privilege_escalation_via_rogue_named_pipe.toml

* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-08 11:21:04 +01:00
Samirbous e3b76b7cf7 [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot (#1632) 
* [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot

Detects the creation of LSASS clone via event 4688 (Sysmon process creation as well as Elastic endpoint don't capture clone creation due to the way 4688 logs process creation event even before an initial threat starts).

* adding extra ref url
 2021-12-08 11:16:14 +01:00
Jonhnathan 851c566730 [Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules (#1620) 
* Replaces event.code with event.category

* bump updated_date

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-07 21:32:39 -09:00
Jonhnathan b7b5449033 Add issue to min_stack_comment (#1652) 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-12-07 15:52:38 -09:00
Justin Ibarra 14c46f50b9 [Rule Tuning] updates from documentation review for 7.16 (#1645) 2021-12-07 15:42:58 -09:00
Jonhnathan c21337fe4f Add min_stack and indexes back (#1648) 2021-12-07 10:00:58 -03:00
Jonhnathan f6a2437cf8 Limit index to logs-endpoint.events (#1647) 2021-12-06 13:45:12 -03:00
Samirbous d43e3d8e4e [New Rule] Suspicious Process Creation CallTrace (#1588) 
* [New Rule] Suspicious Process Creation CallTrace

* Update non-ecs-schema.json

* added min stack vers

* min_stack_vers not needed

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-11-30 21:35:43 +01:00
Austin Songer 13fc69b70a [New Rule] Clearing Windows Console History (#1623) 
* Create defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update rules/windows/defense_evasion_clearing_windows_console_history.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_clearing_windows_console_history.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update rules/windows/defense_evasion_clearing_windows_console_history.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* bump severity

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-11-25 13:25:21 -03:00
Austin Songer 2ac19440c2 [New Rule] Windows Firewall Disabled (#1565) 
* Create defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Rename defense_evasion_windows_firewall_disabled.toml to defense_evasion_windows_firewall_profile_disabled.toml

* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_powershell_windows_firewall_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-11-24 18:34:12 -03:00
LaZyDK dd3e924e4a [Rule Tuning] Component Object Model Hijacking (#1491) 
* Update persistence_suspicious_com_hijack_registry.toml

Add HKEY_USERS\*Classes\CLSID\*\LocalServer32\ to exclusions.

* Update updated_date

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-11-24 08:57:43 -03:00
Samirbous d1636258e4 [New Rule] Potential Credential Access via Renamed COM+ Services DLL (#1569) 
* [New Rule] Potential Credential Access via Renamed COM+ Services DLL

* update dates

* adding config note

* relinted

* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* update minstack version

* minstack not needed, rule should work on previous versions

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-11-18 10:27:42 +01:00
Samirbous 53a17e6b06 [New Rule] Account Password Reset Remotely (#1571) 
* [New Rule] Account Password Reset Remotely

* Update non-ecs-schema.json

* udpate ruleId

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-11-18 10:25:50 +01:00
Jonhnathan 4b6794df32 [New Rule] PowerShell Keylogging Script (#1561) 
* Create collection_posh_keylogger.toml

* Apply suggestions from Samir

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Fix missing OR

* Change dup guid

* Apply suggestions from Justin

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-11-17 19:36:40 -03:00
Austin Songer ab521f7c4f [Rule Tuning] Suspicious CertUtil Commands (#1564) 2021-11-17 11:41:07 -09:00
Jonhnathan 9c54e21820 [New Rule] Potential Process Injection via PowerShell (#1552) 
* Create defense_evasion_posh_process_injection.toml

* Update defense_evasion_posh_process_injection.toml

* Update description

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions from Justin

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-11-17 07:33:13 -03:00
Samirbous e99478db00 [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot (#1550) 
* [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot

* Update credential_access_suspicious_lsass_access_via_snapshot.toml

* lint

* Update etc/non-ecs-schema.json

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* moved FP txt to Note.

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update etc/non-ecs-schema.json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* fix json

* Update credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-11-17 08:45:38 +01:00
Samirbous c18c08a976 [New Rule] Potential Credential Access via LSASS Memory Dump (#1533) 
* [New Rule] Potential Credential Access via LSASS Memory Dump

* Update credential_access_suspicious_lsass_access_memdump.toml

* fix typo in calltrace and event.code type

* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update credential_access_suspicious_lsass_access_memdump.toml

* added TargetImage to non ecs schema

* Update non-ecs-schema.json

* format

* Update credential_access_suspicious_lsass_access_memdump.toml

* Update credential_access_suspicious_lsass_access_memdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-11-17 08:36:26 +01:00
Jonhnathan 858d1cf12c [New Rule] PowerShell Suspicious Script with Audio Capture Capabilities (#1582) 2021-11-15 21:19:38 -09:00
Samirbous 81a62f5f68 [New Rule] Suspicious Process Access via Direct System Call (#1536) 
* [New Rule] Suspicious Process Access via Direct System Call

* updated query to catch also CallTrace with non ntdll modules

* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update defense_evasion_suspicious_process_access_direct_syscall.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-11-15 10:18:26 +01:00
Jonhnathan 017d9a51b7 [Rule Tuning] Rename extrac.exe to extrac32.exe (#1601) 2021-11-14 17:01:13 -09:00
Austin Songer ef7548f04c [Rule Tuning] Added Powershell_ise.exe to some rules. (#1566) 
* Update collection_email_powershell_exchange_mailbox.toml

* Update command_and_control_remote_file_copy_powershell.toml

* Update defense_evasion_disabling_windows_defender_powershell.toml

* Update execution_scheduled_task_powershell_source.toml

* Update execution_via_compiled_html_file.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update persistence_powershell_exch_mailbox_activesync_add_device.toml

* Update persistence_webshell_detection.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_suspicious_zoom_child_process.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update persistence_local_scheduled_task_scripting.toml

* Update persistence_local_scheduled_task_creation.toml

* Update persistence_system_shells_via_services.toml

* Update collection_email_powershell_exchange_mailbox.toml

* Update command_and_control_remote_file_copy_powershell.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update defense_evasion_disabling_windows_defender_powershell.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_suspicious_zoom_child_process.toml

* Update execution_scheduled_task_powershell_source.toml

* Update execution_via_compiled_html_file.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update persistence_local_scheduled_task_creation.toml

* Update persistence_local_scheduled_task_scripting.toml

* Update persistence_powershell_exch_mailbox_activesync_add_device.toml

* Update persistence_system_shells_via_services.toml

* Update persistence_webshell_detection.toml

* Update rules/windows/persistence_local_scheduled_task_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-26 12:16:31 -03:00
Jonhnathan 239384497f [New Rule] PowerShell MiniDump Script (#1528) 
* PowerShell MiniDump Script Initial Rule

* Update credential_access_posh_minidump.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_posh_minidump.toml

* Update rules/windows/credential_access_posh_minidump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-26 12:09:16 -03:00
Justin Ibarra 5a69ceb0c5 Add test for improper rule demotion (released production -> development) (#1555) 2021-10-19 21:47:36 -08:00
Justin Ibarra 5bdf70e72c Add min_stack_comments to metadata schema (#1573) 
* Add min_stack_comments to metadata schema
 2021-10-19 20:52:53 -08:00
Jonhnathan f50fb1d61b [New Rule] Suspicious Portable Executable Encoded in Powershell Script (#1562) 
* Create execution_posh_portable_executable.toml

* Add wildcard

* Remove the wildcard

* Update rules/windows/execution_posh_portable_executable.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-18 17:50:16 -03:00
Austin Songer cf2b3ee753 [New Rule] DNS-over-HTTPS Enabled by Registry (#1379) 
* Create defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-10-15 23:25:12 -03:00
Jonhnathan b7dcbbae72 [New Rule] PowerShell Suspicious Discovery Related Windows API Functions (#1548) 
* PowerShell Suspicious Discovery Related Windows API Functions Initial Rule

* Update severity

* Lint

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-14 06:54:45 -03:00
Jonhnathan cc241c0b5e [Rule Tuning] Update network.direction (#1547) 
* Update network.direction

* bump updated_date
 2021-10-13 21:46:36 -03:00
LaZyDK 43f0d77033 Update defense_evasion_execution_windefend_unusual_path.toml (#1492) 
* Update defense_evasion_execution_windefend_unusual_path.toml

Add Microsoft Security Client to exclusions.

* Update defense_evasion_execution_windefend_unusual_path.toml

Update updated_date

* Updated author

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-05 16:38:01 -03:00
Andrew Pease d5a8f41864 [Rule Tuning] Volume Shadow Copy Deletion or Resized via VssAdmin (#1524) 
* Updated rule to include resizing

* lint

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-04 16:00:35 -03:00
Jonhnathan f2b58cc0ab [New Rule] Backup Files Deletion (#1516) 
* Add Backup Files Deletion Initial Rule

* Fix creation date

* Add updated_date

* Adjust description and query

* Update Description

* Update rules/windows/impact_backup_file_deletion.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Add false_positives

* Update impact_backup_file_deletion.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-04 15:55:52 -03:00
Austin Songer 6298f7b00a [New Rule] Volume Shadow Copy Deletion via PowerShell (#1358) 
* Create defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Rename defense_evasion_volume_shadow_copy_deletion_via_powershell.toml to impact_volume_shadow_copy_deletion_via_powershell.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Add trailing /

* Update rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-04 14:58:02 -03:00
Jonhnathan 5e4a7e67df [Rule Tuning] Small update on rule descriptions (#1508) 2021-09-30 12:54:15 -08:00
Samirbous 521e4dc8f1 [New Rule] Potential Lsass Memory Dump via MirrorDump (#1504) 
* [New Rule] Potential Lsass Memory Dump via MirrorDump

* added tactic

* switched to kql

* added sysmon process access non ecs types

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* rule.name as suggested by Justin and converted to EQL to add comments

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-09-30 10:16:36 +02:00
Justin Ibarra 63d6a54804 [Rule Tuning] Add system index to Windows Event Logs Cleared (#1502) 2021-09-24 12:04:56 -05:00
Jonhnathan 61afb1c1c0 [Rule Tuning] Update threat mappings for Windows rules (#1497) 
* Windows Rules Att&ck Mapping review

* Bump updated_date and fix reference URLs

* Fix subtechnique

* Fix test errors
 2021-09-23 12:08:38 -05:00
Jonhnathan f6421d8c53 Additional Att&ck Mappings for credential access Rules (#1495) 
Updates MITRE Technique IDs for Credential Access DRs
 2021-09-21 11:04:16 -05:00
dstepanic17 9ff3873ee7 [rule-tuning] Adding more context with triage/investigation (#1481) 
* [rule-tuning] Adding more context with triage/investigation

* Adding mimikatz rule

* Fixed updated date on mimikatz rule

* Adding Defender update

* Adding scheduled task

* Adding AdFind

* Adding rare process

* Adding cloudtrail country

* Adding cloudtrail spike

* Adding threat intel

* Fixed minor spelling/syntax

* Fixed minor spelling/syntax p2

* Update rules/cross-platform/threat_intel_module_match.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/ml/ml_rare_process_by_host_windows.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_mimikatz_powershell_module.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_mimikatz_powershell_module.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Removed MITRE link, added Microsoft

* Update ml_cloudtrail_error_message_spike.toml

* Update ml_cloudtrail_rare_method_by_country.toml

* Update ml_rare_process_by_host_windows.toml

* Update credential_access_mimikatz_powershell_module.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update discovery_adfind_command_activity.toml

* Update lateral_movement_dns_server_overflow.toml

* Update lateral_movement_scheduled_task_target.toml

* Update persistence_evasion_registry_startup_shell_folder_modified.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update lateral_movement_scheduled_task_target.toml

* Update persistence_evasion_registry_startup_shell_folder_modified.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-09-15 20:07:21 -05:00
Samirbous 0875c1e4c4 [New Rule] Behavior Rule for CVE-2021-40444 Exploitation (#1479) 
* [New Rule] Behavior Rule for CVE-2021-40444 Exploitation

* added a ref

* replaced \ with /

* removed unecessary wildcard
 2021-09-08 21:26:14 +02:00
dstepanic17 cb27c686e0 Adding control.exe (#1477) 2021-09-08 13:30:46 -05:00
Justin Ibarra 655f7d91d0 [Rule tuning] Fix spacing in reference URLs (#1455) 2021-08-31 15:59:06 -08:00
dstepanic17 8ddffc298b [New rule] Webshell Detection (#1448) 
* [new-rule] Webshell Detection

* Update rules/windows/persistence_webshell_detection.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Added FP note section

* Update rules/windows/persistence_webshell_detection.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-08-24 15:17:28 -05:00
Justin Ibarra 8099e1c733 [Rule Tuning] Add technique T1005 to 2 rules (#1405) 2021-08-20 00:19:11 -08:00