ddec37b731
Fix typos discovered by codespell ( #1430 )
2021-08-14 20:29:10 -08:00
14493689b9
[New Rule] Whitespace Padding in Process Command Line ( #1392 )
...
* Create defense_evasion_whitespace_padding_in_command_line.toml
* add newline
* update description
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-08-11 10:15:01 -06:00
d31ea6253e
Refresh ATT&CK mappings to v9.0 ( #1401 )
...
* Refresh ATT&CK mappings to v9.0
* Update rules to reflect ATT&CK changes
2021-08-04 14:16:10 -08:00
f8f643041a
[Rule tuning] Revise rule description and other text ( #1398 )
2021-08-03 13:07:47 -08:00
d2365783fa
[Rule Tuning] NTDS or SAM Database File Copied ( #1378 )
...
* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml to include esentutl.exe
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-08-03 12:28:17 -08:00
b736d6e748
[Rule Tuning] Rule description tweaks ( #1388 )
2021-07-29 10:56:13 -08:00
7b62fe296d
[Rule Tuning] Remove \Program Files*\ style wildcards ( #1369 )
...
* Remove \Program Files*\ style wildcards
* Convert string and remote trailing .exe check
* Fix syntax
* Escape dot
* Add missing `and`
* Fix syntax for regex string
* Convert * to .* for regex
2021-07-22 11:55:22 -06:00
4aab1278bf
[Rule Tuning] Update EQL rules with lookback < maxspan ( #1362 )
...
* [Rule Tuning] Update EQL rules with lookback < maxspan
* update intervals to be at least interval >= 1/2 maxspan
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-07-22 09:08:58 -08:00
9f3d5328f4
[Rule Tuning] Convert unusual extension rule to regex ( #1368 )
...
* Convert unusual extension rule to regex
* Update defense_evasion_file_creation_mult_extension.toml
* Fix date
* Fix extension
2021-07-21 11:49:32 -06:00
fbd4cf2117
[New Rule] Windows Defender Exclusions Added via PowerShell ( #1370 )
...
* Added new rule
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* Added pwsh.exe to original name
* Added PowerShell MITRE reference
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-07-21 11:54:11 -05:00
95e6458c6e
[Rule Tuning] Mimikatz powershell module activity detected ( #1297 )
...
* update query
* add indexes
2021-07-20 23:08:04 -08:00
c82790f588
[New Rule] Disable Windows Event and Security Logs ( #1181 )
2021-07-20 22:44:35 -08:00
4a11ef9514
[Rule Tuning] Suspicious CertUtil Commands ( #1180 )
...
* update name to Suspicious CertUtil Commands
* update description, query, and filename
2021-07-20 22:26:36 -08:00
920d973064
[Rule Tuning] External IP Lookup from Non-Browser Process ( #1147 )
...
* Added a couple domains
ipapi.co
ip-lookup.net
ipstack.com
2021-07-20 21:47:39 -08:00
81ab43898c
[New Rule] Parent Process PID Spoofing ( #1338 )
...
* [New Rule] Parent Process PID Spoofing
* excluding sihost FPs
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* relinted and added 2 non ecs fields
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_parent_process_pid_spoofing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-07-15 22:55:46 +02:00
89420ae976
[New Rule] Potential PrintNightmare Exploitation rules ( #1326 )
...
* [New Rule] Potential PrintNightmare Exploitation rules
* added Potential PrintNightmare File Modification
* added spoolsv as process name to narrow more the scope
* added Suspicious Print Spooler File Deletion
* removed Suspicious Print Driver Registry Modification cuz of potential noise
* Update privilege_escalation_printspooler_malicious_registry_modification.toml
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* adjusted description and added a comment for sysmon compatibility
* added FP note and relinted all files
* Update rules/windows/privilege_escalation_printspooler_malicious_driver_file_changes.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_malicious_registry_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-07-07 18:56:39 +02:00
9fadc4c1dc
[New Rule] Complementary Rules for Recent REvil TTPs ( #1329 )
...
* [New Rule] Complementary Rules for Recent REvil TTPs
* added OFN
* relinted and added T1574.002
* removed new line
* Update defense_evasion_disabling_windows_defender_powershell.toml
* corrected rule name
* added a reference url
* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/defense_evasion_execution_windefend_unusual_path.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
2021-07-07 17:02:40 +02:00
12577f7380
[Rule Tuning] Update network rule address blocks ( #1227 )
...
* Update network rule address blocks
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-06-15 09:22:59 -04:00
13bf55480a
Update persistence_suspicious_com_hijack_registry.toml ( #1244 )
2021-06-14 09:00:22 -04:00
fce022c275
[New Rule] Modification of AmsiEnable Registry Key ( #1248 )
...
* Create defense_evasion_amsienable_key_mod.toml
2021-06-07 13:21:18 -04:00
6626cbb943
Update privilege_escalation_persistence_phantom_dll.toml ( #1228 )
2021-06-01 09:29:09 -04:00
c457614e37
[New Rule] Unusual Network Connection via DllHost ( #1232 )
...
* Create defense_evasion_unusual_network_connection_via_dllhost.toml
* add timestamp override
2021-05-28 15:09:09 -04:00
31e8d03438
[New Rule] Suspicious Execution from a Mounted Device ( #1230 )
...
* Create defense_evasion_suspicious_execution_from_mounted_device.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-05-28 14:44:07 -04:00
6ef5c53b0c
Cleanup note field in rules ( #1194 )
...
* standardize usage of note field
2021-05-10 13:40:56 -08:00
82ec6ac1ee
Convert windows rules from KQL to EQL ( #1114 )
2021-04-30 11:21:12 -08:00
ff45539369
[Deprecation] Deprecate inherently noisy rules based on testing ( #1122 )
...
* Demote maturity
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-04-21 15:10:06 -04:00
0400dc207a
[Deprecation] Process Discovery via Tasklist ( #1116 )
...
* [Deprecation] Process Discovery via Tasklist
* deprecation_date
* update date
* Update rules/_deprecated/discovery_process_discovery_via_tasklist_command.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-15 22:18:56 +02:00
e323084433
[Deprecation] Trusted Developer Application Usage ( #1118 )
...
* [Deprecation] Trusted Developer Application Usage
* update date
2021-04-15 22:15:38 +02:00
dbd2874b4f
[Rule Tuning] Microsoft Exchange Server UM Writing Suspicious Files ( #1026 )
...
* [Rule Tuning] Microsoft Exchange Server UM Writing Suspicious Files
* revise note with information from microsoft
* add Exchange Server to paths
* replaced process.parent.name with process.name and C drive with ?
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2021-04-14 20:24:44 -08:00
8f78afb8e5
[Rule Tuning] Windows Suspicious Script Object Execution ( #1081 )
...
* [Rule Tuning] Windows Suspicious Script Object Execution
* renamed rule in version.lock.json
* adjusted codesig check
* added 1 exclusion
* update date
* added cmd to exclusion as per EG telem
* removed changes to version.lock.json
* restored comment for code sig to support winlogbeat
* Revert "removed changes to version.lock.json"
This reverts commit 62794be02486b668ae5f25e5613f18b292342377.
* restored rule name in version.lock
* fixed typo
* removed winlogbeat index
* Update rules/windows/defense_evasion_suspicious_scrobj_load.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/defense_evasion_suspicious_scrobj_load.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-14 23:54:39 +02:00
7408133f79
[New Rule] Potential Remote Desktop Shadowing Activity ( #1101 )
...
* [New Rule] Potential Remote Desktop Shadowing Activity
* added event.ingested
* Update rules/windows/lateral_movement_evasion_rdp_shadowing.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/lateral_movement_evasion_rdp_shadowing.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-04-14 22:09:49 +02:00
66dff28498
[Rule Tuning] Public IP Reconnaissance Activity ( #1091 )
...
* Delete discovery_post_exploitation_public_ip_reconnaissance.toml
* Updated ip lookup rule
* Modified index field
* Update discovery_post_exploitation_external_ip_lookup.toml
* Update discovery_post_exploitation_external_ip_lookup.toml
* Update rules/windows/discovery_post_exploitation_external_ip_lookup.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-14 09:58:00 -05:00
2926e98c5d
[Rule Tuning] Startup or Run Key Registry Modification ( #1086 )
...
* [Rule Tuning] Startup or Run Key Registry Modification
* update date
* Update rules/windows/persistence_run_key_and_startup_broad.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-14 16:38:00 +02:00
1354d8059c
[New Rule] Network Logon Providers Registry Modification ( #1053 )
...
* [New Rule] Network Logon Providers Registry Modification
* fix mitre filename mapping error
* Update rules/windows/credential_access_persistence_network_logon_provider_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/credential_access_persistence_network_logon_provider_modification.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-04-14 16:31:46 +02:00
dc774517bf
[New Rule] Persistence via Scheduled Job Creation ( #1038 )
...
* [New Rule] Persistence via Scheduled Job Creation
* Update rules/windows/persistence_local_scheduled_job_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/persistence_local_scheduled_job_creation.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-14 16:15:54 +02:00
731d2b2a54
[Rule Tuning] Unusual Persistence via Services Registry ( #1077 )
...
* [Rule Tuning] Unusual Persistence via Services Registry
* update date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-04-14 16:09:46 +02:00
dd4bc3e57e
[Rule Tuning] Connection to Commonly Abused Web Services ( #1079 )
...
* [Rule Tuning] Connection to Commonly Abused Web Services
* adjusted 1 exclusion
* update date
* added 3 dns.names as suggested by Daniel
* added requestbin.net used for DNS tunneling by APT34
2021-04-14 00:53:27 +02:00
0fe09aaed5
[New Rule] NullSessionPipe Registry Modification ( #1058 )
...
* [New Rule] NullSessionPipe Registry Modification
* Update lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
* Update rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-14 00:50:31 +02:00
0669e9be00
[New Rule] Suspicious Startup Shell Folder Modification ( #1042 )
...
* [New Rule] Suspicious Startup Shell Folder Modification
* Update rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-04-14 00:33:54 +02:00
f2bc0c685d
[Rule Tuning] Suspicious Explorer Child Process ( #1035 )
...
* [Rule Tuning] Suspicious Explorer Child Process
* Update rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-04-14 00:10:29 +02:00
0cc0e3d31f
[New Rule] Persistence via BITS Job Notify Cmdline ( #1096 )
...
* [New Rule] Persistence via BITS Job Notify Cmdline
* changed severity and added 1 exclusion
* Update rules/windows/persistence_via_bits_job_notify_command.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-13 23:25:30 +02:00
af067797c2
Update defense_evasion_unusual_network_connection_via_rundll32.toml ( #1109 )
2021-04-13 16:58:30 -04:00
aa61283dfa
[Rule Tuning] Local Service Commands ( #1044 )
...
* Update lateral_movement_service_control_spawned_script_int.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-04-13 12:31:45 -04:00
414d320276
[Rule Tuning] Local Scheduled Task Commands ( #1043 )
...
* Update persistence_local_scheduled_task_commands.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2021-04-08 14:28:21 -04:00
cb5f9e6a2b
[New Rule] Persistence via WMI Standard Registry Provider ( #1040 )
...
* [New Rule] Persistence via WMI Standard Registry Provider
* Update persistence_via_wmi_stdregprov_run_services.toml
* Update persistence_via_wmi_stdregprov_run_services.toml
* fixing Mitre technique stuff
* Update rules/windows/persistence_via_wmi_stdregprov_run_services.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* added few regpaths
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-06 17:50:02 +02:00
0c70d56dcd
[Rule Tuning] Potential Command and Control via Internet Explorer ( #1070 )
...
* [Rule Tuning] Potential Command and Control via Internet Explorer
* added FP note
* update date
* added *.office.com to exclusions
2021-04-06 11:17:19 +02:00
9cff72bbcb
[Rule Tuning] Connection to Commonly Abused Web Services ( #1016 )
2021-03-19 10:23:12 +01:00
04f3cd967d
[Rule Tuning] Execution from Unusual Directory - Command Line ( #1012 )
...
* [Rule Tuning] Execution from Unusual Directory - Command Line
* format change as per JLB sugg
2021-03-19 10:16:47 +01:00
511a74ef27
[Rule Tuning] Merge and Delete duplicate rules for Registration Utilities ( #1028 )
...
* [Rule Tuning] Merge and Delete duplicate rules for Registration Utilities
* Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* restored Execution via Regsvcs/Regasm
* restored changes
* deprecated 1rule, deleted 1 and tuned 1
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-03-19 10:05:09 +01:00
83dfe911bc
[Rule Tuning] Program Files Directory Masquerading ( #1018 )
...
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-03-19 09:55:08 +01:00
Christian Clauss