Samirbous
8e139012f7
[Rule Tuning] Unusual Process Execution Path - Alternate Data Stream (#1014)
* [Rule Tuning] Unusual Process Execution Path - Alternate Data Stream
* Revert "[Rule Tuning] Unusual Process Execution Path - Alternate Data Stream"
This reverts commit 2bf2c33002f08fec1d9cc64da9795bb189625e4d.
* [Rule Tuning] Unusual Process Execution Path - Alternate Data Stream
* Update rules/windows/defense_evasion_unusual_dir_ads.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-03-19 09:45:57 +01:00
Samirbous
21290cc055
[Rule Tuning] Command Shell Activity Started via RunDLL32 (#996)
* [Rule Tuning] Command Shell Activity Started via RunDLL32
* relinted and added FP note
* update_date
* Update rules/windows/execution_command_shell_via_rundll32.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/execution_command_shell_via_rundll32.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-03-18 15:14:22 +01:00
Samirbous
32714b8527
[Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack (#988)
* [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack
* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-03-18 15:11:42 +01:00
Samirbous
bc74838c0b
[Rule Tuning] Suspicious WerFault Child Process (#990)
* [Rule Tuning] Suspicious WerFault Child Process
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-03-18 15:08:44 +01:00
Justin Ibarra
0b65678d8c
[Rule tuning] Correct tags with associated threat mappings (#1003)
2021-03-08 14:12:29 -09:00
Brent Murphy
309edf7f4a
Create initial_access_suspicious_ms_exchange_worker_child_process.toml (#1001)
2021-03-08 16:45:27 -05:00
Justin Ibarra
0e0b2ea1a4
Update schema for threshold rule type for 7.12 (#976)
* Update schema for threshold rule type for 7.12
* add downgrade function to drop new fields
* update existing threshold rules
2021-03-05 14:35:50 -09:00
Justin Ibarra
0ef7d87b34
[Rule Tuning] Fix inconsistent rule indexes (#974)
* [Rule Tuning] Fix inconsistent rule indexes
* cleaned up tests that load rules to leverage setUpClass
2021-03-05 11:16:02 -09:00
Andrew Pease
4494b02e01
[New Rule] Microsoft Exchange Server’s Unified Messaging Spawning Vulnerability - CVE-2021-26857 (#979)
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-03-04 16:46:49 -05:00
Andrew Pease
13a6036fcc
[New Rule] HAFNIUM MS Exchange UM Service Writing - CVE-2021-26858 (#980)
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
2021-03-04 12:40:21 -09:00
Justin Ibarra
3fc34b86f2
Update License to Elastic v2 (#944)
2021-03-03 22:12:11 -09:00
Justin Ibarra
645a0cd67b
[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945)
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
2021-02-17 19:49:58 -09:00
brokensound77
a77bd6178f
Merge remote-tracking branch 'upstream/7.11' into merge-7.11-to-7.12
# Conflicts:
# rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
2021-02-17 14:11:50 -09:00
Justin Ibarra
90a9320f93
[Rule Tuning] Remove timestamp_override for endgame-* promotion rules (#951)
* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
2021-02-17 13:48:57 -09:00
brokensound77
6ce418877f
Merge remote-tracking branch 'upstream/7.12' into merge-7.11-to-7.12
# Conflicts:
# etc/version.lock.json
# rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
# rules/cross-platform/impact_hosts_file_modified.toml
# rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
# rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
# rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
# rules/linux/defense_evasion_timestomp_touch.toml
# rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
# rules/macos/credential_access_credentials_keychains.toml
# rules/macos/credential_access_promt_for_pwd_via_osascript.toml
# rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
# rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
# rules/promotions/external_alerts.toml
# rules/windows/collection_email_powershell_exchange_mailbox.toml
# rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
# rules/windows/collection_winrar_encryption.toml
# rules/windows/command_and_control_common_webservices.toml
# rules/windows/command_and_control_encrypted_channel_freesslcert.toml
# rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
# rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
# rules/windows/command_and_control_teamviewer_remote_file_copy.toml
# rules/windows/credential_access_cmdline_dump_tool.toml
# rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
# rules/windows/credential_access_credential_dumping_msbuild.toml
# rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
# rules/windows/credential_access_dump_registry_hives.toml
# rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
# rules/windows/credential_access_iis_connectionstrings_dumping.toml
# rules/windows/credential_access_kerberoasting_unusual_process.toml
# rules/windows/credential_access_lsass_memdump_file_created.toml
# rules/windows/credential_access_mimikatz_memssp_default_logs.toml
# rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
# rules/windows/defense_evasion_clearing_windows_event_logs.toml
# rules/windows/defense_evasion_code_injection_conhost.toml
# rules/windows/defense_evasion_cve_2020_0601.toml
# rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
# rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
# rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
# rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
# rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
# rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
# rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
# rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
# rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
# rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
# rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
# rules/windows/defense_evasion_hide_encoded_executable_registry.toml
# rules/windows/defense_evasion_iis_httplogging_disabled.toml
# rules/windows/defense_evasion_injection_msbuild.toml
# rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
# rules/windows/defense_evasion_masquerading_renamed_autoit.toml
# rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
# rules/windows/defense_evasion_masquerading_trusted_directory.toml
# rules/windows/defense_evasion_modification_of_boot_config.toml
# rules/windows/defense_evasion_port_forwarding_added_registry.toml
# rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
# rules/windows/defense_evasion_sdelete_like_filename_rename.toml
# rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
# rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
# rules/windows/defense_evasion_suspicious_zoom_child_process.toml
# rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
# rules/windows/defense_evasion_unusual_dir_ads.toml
# rules/windows/defense_evasion_unusual_system_vp_child_program.toml
# rules/windows/defense_evasion_via_filter_manager.toml
# rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
# rules/windows/discovery_adfind_command_activity.toml
# rules/windows/discovery_admin_recon.toml
# rules/windows/discovery_file_dir_discovery.toml
# rules/windows/discovery_net_command_system_account.toml
# rules/windows/discovery_net_view.toml
# rules/windows/discovery_peripheral_device.toml
# rules/windows/discovery_process_discovery_via_tasklist_command.toml
# rules/windows/discovery_query_registry_via_reg.toml
# rules/windows/discovery_remote_system_discovery_commands_windows.toml
# rules/windows/discovery_security_software_wmic.toml
# rules/windows/discovery_whoami_command_activity.toml
# rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
# rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
# rules/windows/execution_command_shell_started_by_powershell.toml
# rules/windows/execution_command_shell_started_by_svchost.toml
# rules/windows/execution_command_shell_started_by_unusual_process.toml
# rules/windows/execution_command_shell_via_rundll32.toml
# rules/windows/execution_from_unusual_directory.toml
# rules/windows/execution_from_unusual_path_cmdline.toml
# rules/windows/execution_shared_modules_local_sxs_dll.toml
# rules/windows/execution_suspicious_cmd_wmi.toml
# rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
# rules/windows/execution_suspicious_pdf_reader.toml
# rules/windows/execution_suspicious_powershell_imgload.toml
# rules/windows/execution_suspicious_psexesvc.toml
# rules/windows/execution_suspicious_short_program_name.toml
# rules/windows/execution_via_compiled_html_file.toml
# rules/windows/execution_via_hidden_shell_conhost.toml
# rules/windows/execution_via_net_com_assemblies.toml
# rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
# rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
# rules/windows/initial_access_script_executing_powershell.toml
# rules/windows/initial_access_suspicious_ms_office_child_process.toml
# rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
# rules/windows/initial_access_unusual_dns_service_children.toml
# rules/windows/initial_access_unusual_dns_service_file_writes.toml
# rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
# rules/windows/lateral_movement_execution_from_tsclient_mup.toml
# rules/windows/lateral_movement_local_service_commands.toml
# rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
# rules/windows/lateral_movement_rdp_enabled_registry.toml
# rules/windows/lateral_movement_rdp_tunnel_plink.toml
# rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
# rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
# rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
# rules/windows/persistence_adobe_hijack_persistence.toml
# rules/windows/persistence_appcertdlls_registry.toml
# rules/windows/persistence_appinitdlls_registry.toml
# rules/windows/persistence_evasion_registry_ifeo_injection.toml
# rules/windows/persistence_gpo_schtask_service_creation.toml
# rules/windows/persistence_local_scheduled_task_commands.toml
# rules/windows/persistence_ms_office_addins_file.toml
# rules/windows/persistence_ms_outlook_vba_template.toml
# rules/windows/persistence_priv_escalation_via_accessibility_features.toml
# rules/windows/persistence_registry_uncommon.toml
# rules/windows/persistence_run_key_and_startup_broad.toml
# rules/windows/persistence_services_registry.toml
# rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
# rules/windows/persistence_startup_folder_scripts.toml
# rules/windows/persistence_suspicious_com_hijack_registry.toml
# rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
# rules/windows/persistence_suspicious_scheduled_task_runtime.toml
# rules/windows/persistence_suspicious_service_created_registry.toml
# rules/windows/persistence_system_shells_via_services.toml
# rules/windows/persistence_user_account_creation.toml
# rules/windows/persistence_via_application_shimming.toml
# rules/windows/persistence_via_hidden_run_key_valuename.toml
# rules/windows/persistence_via_lsa_security_support_provider_registry.toml
# rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
# rules/windows/persistence_via_update_orchestrator_service_hijack.toml
# rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
# rules/windows/privilege_escalation_named_pipe_impersonation.toml
# rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
# rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
# rules/windows/privilege_escalation_rogue_windir_environment_var.toml
# rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
# rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
# rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
# rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
# rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
# rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
# rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
# rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
# rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
# rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
2021-02-17 12:18:06 -09:00
Justin Ibarra
61deed3fd2
[Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948)
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
2021-02-16 10:52:48 -09:00
Justin Ibarra
4e6ff388fc
[Rule Tuning] Feedback from 7.12 Kibana PR (#942)
2021-02-11 13:32:58 -09:00
Brent Murphy
190b4ea67e
[Rule Tuning] User Added to Privileged Group in Active Directory (#941)
* Update persistence_user_account_added_to_privileged_group_ad.toml
* updated date
2021-02-10 16:41:49 -05:00
Simon
250bb4cc27
Add Rule to Detect User creation via Eventlog (#794)
* Add Rule to Detect User creation via Eventlog
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update persistence_user_account_creation_event_logs.toml
* update with fp info
* Update persistence_user_account_creation_event_logs.toml
* Update rules/windows/persistence_user_account_creation_event_logs.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-02-10 15:48:33 -05:00
Simon
f1788ec6de
[New Rule] User Added to Privileged Group in Active Directory (#827)
* [New Rule] User Added to Privileged Group in Active Directory
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* add lookback
* update description
* lint and add reference
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-02-10 14:53:15 -05:00
Austin Songer
17032194d8
[Rule Tuning] Suspicious WerFault Child Process (#915)
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
Added Article "How to Design Abnormal Child Processes Rules without Telemetry"
* bump updated_date
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-02-10 14:17:57 -05:00
Samirbous
2b7b1a6ab0
[Rule Tuning] Persistence via Update Orchestrator Service Hijack (#939)
* [Rule Tuning] Persistence via Update Orchestrator Service Hijack
* updated date and added execpath
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-02-10 20:11:45 +01:00
Nic
cbe1b66b87
[Rule Tuning] Exclude Windows Error Reporting & Printer Driver (#929)
2021-02-10 08:53:04 -09:00
Brent Murphy
9421ccfad7
[New Rule] Unusual File Creation - Alternate Data Stream (#902)
* Create defense_evasion_unusual_ads_file_creation.toml
* lint
* spacing
* add logs-windows.*
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* lint
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-02-10 09:28:25 -05:00
Brent Murphy
f08312ec7f
[New Rule] Disabling User Account Control via Registry (#892)
* Create privilege_escalation_disable_uac_registry.toml
* Apply suggestions from code review
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* lint
* spacing
* add logs-windows.*
* minor syntax change and final lint
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2021-02-10 09:11:45 -05:00
Brent Murphy
c5d6cbc2e4
[New Rule] Potential LSA Authentication Package Abuse (#903)
* Create privilege_escalation_lsa_auth_package.toml
* bump risk and sev
* spacing
* add logs-windows.*
* Update rules/windows/privilege_escalation_lsa_auth_package.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update privilege_escalation_lsa_auth_package.toml
* Update rules/windows/privilege_escalation_lsa_auth_package.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* final lint
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-02-10 09:00:58 -05:00
Andrew Pease
7c336a0a91
[New Rule] DefenderControl Activity (#769)
* initial commit
* updated to eql and registry vs. file
* fix updated_date format
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_defendercontrol_activity.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* changed name and added registry value 3 or 4
* remove duplicate
* fixed date format and lint
* updated indices
* removed fp and updated description
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-02-09 10:12:54 -06:00
Samirbous
4d68377d1b
[New Rule] Suspicious DLL Loaded for Persistence or Privilege Escalation (#819)
* [New Rule] Suspicious DLL Loaded for Persistence or Privilege Escalation
* replaced file.name with dll.name
* Update rules/windows/privilege_escalation_persistence_phantom_dll.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update privilege_escalation_persistence_phantom_dll.toml
* Update rules/windows/privilege_escalation_persistence_phantom_dll.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* relinted
* Update rules/windows/privilege_escalation_persistence_phantom_dll.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/privilege_escalation_persistence_phantom_dll.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-02-08 23:04:02 +01:00
Brent Murphy
64366218c7
adjust risk score (#938)
2021-02-08 13:15:42 -05:00
Brent Murphy
02ee8195ab
[New Rule] Creation or Modification of Root Certificate (#927)
* Create defense_evasion_create_mod_root_certificate.toml
* update description
* Update defense_evasion_create_mod_root_certificate.toml
* spacing
* Update rules/windows/defense_evasion_create_mod_root_certificate.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* removing process names that could lead to fn
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-02-08 10:01:59 -05:00
Brent Murphy
236c630c90
[Rule Tuning] Update rules using case sensitive wildcard function (#904)
* update rules using case sensitive wildcard function
* add appropriate spacing
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* update ==
* Apply suggestions from code review
* remove info update index
* Update defense_evasion_deletion_of_bash_command_line_history.toml
* Update persistence_evasion_hidden_local_account_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-02-04 10:23:32 -05:00
Brent Murphy
ffe8e5bfc5
[Rule Tuning] Update file.name to dll.name for Library events (#893)
* [Rule Tuning] Update file.name to dll.name for Library events
* replace == with :
* updated_date
* removed spacing inconsistencies
* jibs likes spaces
* NOT again jibs
2021-02-03 11:09:29 -05:00
Brent Murphy
fdf9384e4d
[Rule Tuning] Execution from Unusual Directory - Command Line (#837)
* Update execution_from_unusual_path_cmdline.toml
* lint
* Update execution_from_unusual_path_cmdline.toml
2021-02-03 10:54:19 -05:00
Brent Murphy
fd05341e70
[New Rule] Potential Port Monitor or Print Processor Registration Abuse (#901)
* Create privilege_escalation_port_monitor_registration.toml
* add non SYSTEM user
* convert SYSTEM to SID - use SID to eliminate locale specific system names
* update name
* update to include print processor path
* add reference
* spacing
* add logs-windows.*
* update spacing
2021-02-01 16:24:49 -05:00
Justin Ibarra
a0e86e20d6
[Rule Tuning] Add windows integration index to rules (#923)
2021-01-28 20:53:57 -09:00
Brent Murphy
70ca87138f
[New Rule] Execution of COM object via Xwizard (#896)
* Create execution_com_object_xwizard.toml
* spacing and query update
* add logs-windows.*
2021-01-28 16:58:19 -05:00
brokensound77
bf32dec5a4
Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main
# Conflicts:
# rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
2021-01-28 10:41:39 -09:00
Brent Murphy
d0ceb8cc4e
[New Rule] SIP Provider Modification (#891)
* Create defense_evasion_sip_provider_mod.toml
* add reference
2021-01-28 09:18:19 -05:00
Samirbous
1ae769a563
[New Rule] Creation of a Hidden Local User Account (#738)
* [New Rule] Hidden User Local Account Creation
* renamed rule
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2021-01-26 08:15:50 +01:00
Brent Murphy
7fdb6b2e80
Create persistence_time_provider_mod.toml (#890)
2021-01-25 14:42:56 -05:00
Brent Murphy
ecbb57814a
Create credential_access_saved_creds_vaultcmd.toml (#884)
2021-01-25 14:25:35 -05:00
Brent Murphy
4639df022b
[New Rule] Modification of WDigest Security Provider (#883)
* Create credential_access_mod_wdigest_security_provider.toml
* syntax tweaks
2021-01-25 13:54:36 -05:00
Brent Murphy
8c123785f0
[New Rule] Enumeration Command Spawned via WMIPrvSE (#882)
* Create execution_enumeration_via_wmiprvse.toml
* alignment
2021-01-25 13:46:26 -05:00
Brent Murphy
01c3c718f5
[New Rule] Executable File Creation with Multiple Extensions (#881)
* Create defense_evasion_file_creation_mult_extension.toml
* spacing
* Update rules/windows/defense_evasion_file_creation_mult_extension.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
* update query
* alignment
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2021-01-25 13:40:25 -05:00
Anabella Cristaldi
fb92c69797
[New Rule] Clearing Windows Security Logs (#529)
* [New Rule] Clearing Windows Security Logs
* Fix Date Format Error
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_clearing_windows_security_logs.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Add Elastic tag
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* update maturity
* Add Elastic to list of authors
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* bump updated_date
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2021-01-11 17:17:20 -07:00
Justin Ibarra
c1a0438f45
[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706)
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00
Andrew Pease
889828d473
[New Rule] SUNBURST Command and Control Activity Detected (#723)
* bump package version to 7.12
* Auth to Kibana connector using an existing cookie (#711)
* initial commit
* simplified by any method not to solarwinds.com
* Updates from review
* updated desc and note
* query readability
* update to optimize query to pass unit tests
* optimized
* optimized
* Update command_and_control_sunburst_c2_activity_detected.toml
* Restore package version
* updated rule after rebase
* re-lint
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-15 14:41:54 -06:00
Samirbous
79a5ca9b78
[New Rule] APT Solarwinds Backdoor Behavior - 5 rules (#722)
* bump package version to 7.12
* Auth to Kibana connector using an existing cookie (#711)
* [New Rule] APT Solarwinds Backdoor Behavior - 3 rules
* ruleID
* fixed process names to include both 32 and 64bits
* fixed process names to include both 32 and 64 bits
* deleted unnecessary condition
* adjusted rule to cover cmd and ps
* renamed rule and fixed tactic
* added rule to SW package - Exporting MailBox with Powershell
* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* added details to FP tag as sug by JLB
* added rule New ActiveSync Allowed Device Added via PowerShell to SW pkg
* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* relinted
* adjusted desc and FPs
* adjusted alert name as sug by DevK
* Update collection_email_powershell_exchange_mailbox.toml
* Update collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
* Update rules/windows/collection_email_powershell_exchange_mailbox.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/collection_email_powershell_exchange_mailbox.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* updated registry to include symlink
* Update rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* added T1195 as sug by JLB
* added T1195 as sug by JLB
* added T1195 as sug by JLB
* added pwsh as sug by Dan
* added pwsh as sug by Dan
* [New Rule] Outbound Scheduled Tasks Activity via PowerShell (#725)
* [New Rule] Outbound Scheduled Tasks Activity via PowerShell
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
* fixed - added pwsh to seq_netblock
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* relinted
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* relinted
* Update rules/windows/collection_email_powershell_exchange_mailbox.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Restore packages file
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-12-15 21:33:00 +01:00
Samirbous
3042cbb5d6
[New Rule] Outbound Scheduled Tasks Activity via PowerShell (#725)
* [New Rule] Outbound Scheduled Tasks Activity via PowerShell
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
* fixed - added pwsh to seq_netblock
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* relinted
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-15 13:20:28 -07:00
Justin Ibarra
a6463b435c
[Rule Tuning] Replace line comments with block comments (#710)
2020-12-12 17:11:17 -09:00