security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

946 Commits

Author SHA1 Message Date
Andrew Pease a5cd35f498 AdFind Command Activity (#395) 
* initial commit

* added sub-techniques

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

* Update rules/windows/discovery_adfind_command_activity.toml

* update threat mapping with sub-techniques

* update technique url

* remove ecs_version

* convert rule to eql

* added sub-techniques

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-09 15:01:28 -06:00
Andrew Pease 66506139d9 [New Rule] Detects Mimikatz via Invoke-Mimikatz (#700) 
* initial commit

* lint

* note updates

* convert to eql and moved to dev

* convert to eql and moved to dev
 2020-12-09 14:51:45 -06:00
Samirbous d5eaf5db53 [New Rule] High Number of Process and/or Services Termination (#672) 
* [New Rule] High Number of Process and/or Services Termination

* removed url and fixed ruleid

* fixed tags

* Update rules/windows/defense_evasion_stop_process_service_threshold.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_stop_process_service_threshold.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/windows/defense_evasion_stop_process_service_threshold.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_stop_process_service_threshold.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-09 09:00:19 +01:00
Samirbous 14fe63bb1e [Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process (#676) 
* [Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process

* replaced path with name for faster comparaison

* added few more cases and refurl

also organized items per anomaly category

* added extra refurl plus few excep

* Update execution_suspicious_ms_office_child_process.toml

* added parenthesis

* excluded an FP
 2020-12-09 08:55:58 +01:00
Justin Ibarra e272800a5d Add ATT&CK sub-technique support to CLI (#614) 
* Add Mitre sub-technique support to CLI
* Add subtechnique enum to schema
* Add test to prevent duplicative tactics in mapping
 2020-12-08 21:56:55 -09:00
Justin Ibarra 24828ea9cb [New Rule] Conversions of some APT-29 Endgame rules (#702) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 14:13:34 -09:00
Samirbous 94e8fa80bb [Rule Tuning] Suspicious Endpoint Security Parent Process (#509) 
* [Rule Tuning] added FPs and converted to EQL for more flexibilty

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* adjusted process names in scope to security agents

* eql syntax

* ecs_version

* adjusted format

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 22:34:28 +01:00
Samirbous 538aa80bba [New Rule] Process Termination Followed by Deletion (#482) 
* [New Rule] Process Termination Followed by Deletion

* excluded SoftwareDistrib and WinSxS Folders

* added drive letter for better performance

* excluded signed PE

* eql syntax

* ecs_version

* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* added few more extension as suggested by DanStep

* dropped winlogbeat due to pe.codesign

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 22:26:11 +01:00
Samirbous 97fa6c62cd [New Rule] Remote File Download via Powershell (#660) 
* [New Rule] Remote File Download via Powershell

* new line

* eql syntax

* ecs_version

* added google related FPs

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_powershell.toml

Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com>

* relint

* ecs_version removed

* replaced path with name to avoid FPs for users temp folder

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com>
 2020-12-08 21:28:28 +01:00
Samirbous 9792d967d7 [Rule Tuning] Convert to EQL 5 existing rules (#414) 
* [Rule Tuning] 5 rules

* [Rule Tuning] Converted two IIS CredAccess rules to EQL

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/evasion_rundll32_no_arguments.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* deleted. rule looks incompatible with endpoint

* fixing units testing error

* Update credential_access_iis_apppoolsa_pwd_appcmd.toml

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* desc

* fixed tags duplicate

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update defense_evasion_rundll32_no_arguments.toml

* adjusted process args count to 1

adjusted process args count to 1 to account for winlogbeat Windows process creation events 4688 with missing cmdline value (avoid FPs).

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 21:07:26 +01:00
Samirbous afb00d7097 [New Rule] Encoded Executable Stored in the Registry (#636) 
* [New Rule] Encoded Executable Stored in the Registry

* eql syntax

* ecs_version

* Update rules/windows/defense_evasion_hide_encoded_executable_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_hide_encoded_executable_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 20:51:14 +01:00
Samirbous 19e0de3bed [New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I (#573) 
* [New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I

* added Execution of Persistent Suspicious Program

reworked a bit and converted Endgame rule with ID d3ffda1a-690f-43e2-89fb-f8d67b99b16b Execution of Persistent Scripts

* increased 1m the maxspan

to cover also slow startup

* fixed regsvr32 pe ofn

* adjust format

* fixed process.args

* added more suspicious COM hijack options

added also URL for reference

* fixed key.path and added ScriptletURL

* Update persistence_runtime_run_key_startup_susp_procs.toml

* eql syntax

* eql syntax

* eql syntax

* eql syntax

* eql syntax

* eql syntax

* eql syntax

* eql syntax

* eql syntax

* eql syntax

* fixed error

* fixed error

* formating

* formating

* formatting

* replaced process name with path

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version

* ecs_version and optimz and refurl

* Update rules/windows/persistence_appinitdlls_registry.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_registry_uncommon.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_services_registry.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* duplicated registry hive instead of leading wildcard

* duplicated registry hive instead of leading wildcard

* Update rules/windows/persistence_appcertdlls_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_appinitdlls_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_registry_uncommon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_run_key_and_startup_broad.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_run_key_and_startup_broad.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_scripts.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_scripts.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_via_lsa_security_support_provider_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_via_lsa_security_support_provider_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* lowered maxspan to avoid FPs

* removed cmd to avoid FPs

* Update rules/windows/persistence_registry_uncommon.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/persistence_appcertdlls_registry.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/persistence_appinitdlls_registry.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/persistence_registry_uncommon.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/persistence_appinitdlls_registry.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-08 20:35:18 +01:00
Samirbous 16a49b3278 [New Rule] Windows Script Executing a Process via WMI (#643) 
* [New Rule] Windows Script Executing a Process via WMI

* Update execution_scripts_process_started_via_wmi.toml

* Update execution_scripts_process_started_via_wmi.toml

* Update rules/windows/execution_scripts_process_started_via_wmi.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_scripts_process_started_via_wmi.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_scripts_process_started_via_wmi.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* increased maxspan

* eql syntax

* deleted ecs_version

* Update rules/windows/execution_scripts_process_started_via_wmi.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_scripts_process_started_via_wmi.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_scripts_process_started_via_wmi.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-08 19:23:48 +01:00
Samirbous 5483712805 [New Rule] Lolbas ImageLoad via Windows Update Client (#366) 
* [New Rule] Lolbas ImageLoad via Windows Update Client

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_execution_lolbas_wuauclt.toml

* removed timeline_id

* new eql synthax

* Update defense_evasion_execution_lolbas_wuauclt.toml

* ecs_version

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* removed new lines

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* deleted ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
 2020-12-08 18:54:09 +01:00
Samirbous 1c2166b23f [New Rule] - Execution from Unusual Directory (#433) 
* [New Rule] - Execution from Unusual Directory

* adjusted lint

* Update execution_from_unusual_directory.toml

* small tune

* Update execution_from_unusual_directory.toml

* removed timeline_id

* adjusted executable path for better performance

* Update rules/windows/execution_from_unusual_directory.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_from_unusual_directory.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* update date

* Update rules/windows/execution_from_unusual_directory.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* converted to eql for case insensitivity

* ecs_version

* fixed path

* added extra path

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-08 18:46:56 +01:00
Samirbous e7695f862f [New Rule] Potential Credential Access with LolBas (#620) 
* [New Rule] Potential Credential Access with LolBas

* typo

* added procdump and steam lolbins

* added cisco Jabber lobas

* eql syntax

* ecs_version

* Update rules/windows/credential_access_lolbas_dump_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_lolbas_dump_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* renamed rule and filename as suggested by DanStep

* adjust name and desc

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 17:56:25 +01:00
Samirbous c0c369181a [New Rule] New Port Forwarding Rule Added (#630) 
* [New Rule] New Port Forwarding Rule Added

* fiexed rule file name

* eql syntax

* ecs_version

* Update rules/windows/defense_evasion_port_forwarding_added_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_port_forwarding_added_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_port_forwarding_added_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 17:32:08 +01:00
Samirbous 35ee818854 [Rule Tuning] Suspicious Process Execution via Renamed PsExec Executable (#502) 
* Converted suspicious execution via psexec to EQL

* adjusted procname

* eql syntax

* ecs_version
 2020-12-08 17:27:16 +01:00
Samirbous 63759a4bf4 [New Rule] Lsass Memory Dump Created (#618) 
* [New Rule] Lsass Memory Dump Created

* added Dumpert and AndrewSpecial HKTL default memory dump filenames

* added sqldumper default dmp filename

* added Out-Minidump PS default dump filename

* ecs_version

* crackmap default lsass memdmp

* Update rules/windows/credential_access_lsass_memdump_file_created.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_memdump_file_created.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 17:24:51 +01:00
Samirbous feb79c0304 [New Rule] Suspicious Execution via Scheduled Task (#584) 
* [New Rule] Suspicious Execution via Scheduled Task

* Update persistence_suspicious_scheduled_task_runtime.toml

* Update persistence_suspicious_scheduled_task_runtime.toml

* Update rules/windows/persistence_suspicious_scheduled_task_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_scheduled_task_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* eql syntax

* ecs_version

* added two susp_paths as suggested by Devon

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 17:20:21 +01:00
Samirbous ccea74d9d8 [New Rule] Incoming Execution via PowerShell Remoting (#624) 
* [New Rule] Incoming Execution via PowerShell Remoting

* eql syntax

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 17:16:10 +01:00
Samirbous 0479a8f8a3 [New Rule] Image File Execution Options Injection (#550) 
* [New Rule] Image File Execution Options Injection

* Update persistence_evasion_registry_ifeo_injection.toml

* Update persistence_evasion_registry_ifeo_injection.toml

* added FPs section

* eql syntax

* ecs_version

* Update rules/windows/persistence_evasion_registry_ifeo_injection.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 17:13:00 +01:00
Samirbous 0e78638655 [New Rule] Program Files Directory Masquerading (#581) 
* [New Rule] Program Files Directory Masquerading

* adjusted rule description

* adj procargs to include dlls and other extensions

rundll.exe c:\program files\beacon.dll will be detected for example

* eql syntax

* ecs_version

* Update rules/windows/defense_evasion_masquerading_trusted_directory.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 17:04:31 +01:00
Samirbous 02e9c082df [New Rule] Potential SharpRdp Detected (#527) 
* [New Rule] Potential SharpRdp Detected

* Updated references

* added process execution to the sequence

added process execution to the sequence to capture the malicious process details that was executed

* Linted

* adjusted sequence

* linted

* adjusted process exec details to avoid procs termination

* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* eql syntax

* eql syntax

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 17:00:51 +01:00
Samirbous bd2006d70d [New Rule] WMI Incoming Lateral Movement (#532) 
* [New Rule] WMI Incoming Lateral Movement

* Update rules/windows/lateral_movement_incoming_wmi.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* cirdrmatch returned error on 7.10 replaced by  !=

* Update rules/windows/lateral_movement_incoming_wmi.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* eql syntax

* ecs_version

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:57:41 +01:00
Samirbous 16551bbfe7 [New Rule] NTDS or SAM Database File Copied (#622) 
* [New Rule] NTDS or SAM Database File Copied

* fixed description

* eql syntax

* Update rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:55:35 +01:00
Samirbous e707b53a03 [New Rule] Scheduled Jobs AT Protocol Enabled (#609) 
* [New Rule] Scheduled Jobs AT Protocol Enlabled

* fixed typo

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* eql syntax

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:52:17 +01:00
Samirbous 637d06f6c9 [New Rule] Mounting Hidden or WebDav Remote Shares (#444) 
* [New Rule] Mounting Hidden or WebDav Remote Shares

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* removed timeline_id

* adjusted args to avoid leading wildcard

* Update rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:50:09 +01:00
Samirbous 0544461b45 [New Rule] Remote Scheduled Task Creation (#598) 
* Remote Scheduled Task Modification

* replaced file modification with registry

replaced file modification with registry to capture the task configured action instead of task name only which is not useful for drill down.

* eql syntax

* Update rules/windows/lateral_movement_scheduled_task_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_scheduled_task_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_scheduled_task_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* adj port number for ross :)

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:40:48 +01:00
Samirbous 7d7d010509 [New Rule] Persistence via Hidden Run Key ValName (#534) 
* [New Rule] Persistence via Hidden Run Key Detected

* added strings length condition

* added description

* Update persistence_via_hidden_run_key_valuename.toml

* Update rules/windows/persistence_via_hidden_run_key_valuename.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* commented length for stability

no logic impact

* eql syntax

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-08 16:38:23 +01:00
Samirbous 929277486d [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack (#499) 
* [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack

* performance tuning of proc args

* replaced wildcard with in condition

* eql syntax

* ecs_version

Co-authored-by: Brent Murphy <bmurphy@endgame.com>
 2020-12-08 16:34:36 +01:00
Samirbous efba50d670 [New Rule] Enable RDP Through Registry (#632) 
* [New Rule] Enable RDP Through Registry

* eql syntax

* Update rules/windows/lateral_movement_rdp_enabled_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_enabled_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_enabled_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:32:24 +01:00
Samirbous 6b96b99dc1 [New Rule] Execution from TSClient Mountpoint (#524) 
* [New Rule] Execution from TSClient Mountpoint

* Delete profiles_settings.xml

* Delete modules.xml

* Delete vcs.xml

* Delete windows.iml

* Delete workspace.xml

* eql syntax

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* linted

* deleted ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:30:10 +01:00
Samirbous 58174015bd [New Rule] Privilege Escalation via Windir Environment Variable (#638) 
* [New Rule] Privilege Escalation via Windir Environment Variable

* added equiv envar

* eql syntax

* Update rules/windows/privilege_escalation_rogue_windir_environment_var.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:21:42 +01:00
Samirbous fbecc85593 [New Rule] Incoming DCOM Lateral Movement with MMC (#488) 
* [New Rule] Incoming DCOM Lateral Movement with MMC

* adjusted technique ID

subject to updates to all rules with new MITRE IDs

* added localhost filtering

* Update rules/windows/lateral_movement_dcom_mmc20.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* eql syntax

* Update rules/windows/lateral_movement_dcom_mmc20.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_dcom_mmc20.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* port numb

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-08 16:19:26 +01:00
Samirbous e038b34344 [New Rule] Connection to Commonly Abused Free SSL Certificate Providers (#478) 
* [New Rule] Connection to Commonly Abused Free SSL Certificate Providers

* linted

* added explorer and notepad paths

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* adjusted desc

* eql syntax

* remove ecs_version

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-08 16:16:11 +01:00
Samirbous 49abcd7f4d [New Rule] Execution from unusual directory - CommandLine (#435) 
* [New Rule] Execution from unusual directory - cmdline

* Update execution_from_unusual_path_cmdline.toml

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* linted and added note as sug by JLB

* note

* ecs_version

* fixed path

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:13:52 +01:00
Samirbous 525512fdae [New Rule] Remote File Copy to a Hidden Share (#474) 
* [New Rule] Remote File Copy to a Hidden Share

* Update rules/windows/lateral_movement_remote_file_copy_hidden_share.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_remote_file_copy_hidden_share.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-08 16:07:18 +01:00
Samirbous 46d6bc69a2 [New Rule] UAC Bypass via Mocking Windir (#411) 
* [New Rule] UAC Bypass via Mocking Windir

* added tags

* changed rule name

* adjusted args for performance

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 15:55:36 +01:00
Samirbous 3040f6103f [New Rule] Suspicious PrintSpooler Point and Print DLL (#641) 
* [New Rule] Suspicious PrintSpooler Point and Print DLL

* added example of execution data to the ref

* Update privilege_escalation_printspooler_registry_copyfiles.toml

* Update privilege_escalation_printspooler_registry_copyfiles.toml

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted plus extra ref URL

* eql syntax

* ecs_version

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 15:07:26 +01:00
Samirbous 3fda16db71 [Rule Tuning] Potential Modification of Accessibility Binaries (#546) 
* [Rule Tuning] Potential Modification of Accessibility Binaries

* replaced wildcard by in

* indentation more consistent for readability

* eql syntax

* ecs_version
 2020-12-08 12:42:34 +01:00
Samirbous d59b2cb72b [New Rule] Persistence with Startup Folder by Unsigned Process (#651) 
* [New Rule] Persistence with Startup Folder by Unsigned Process

* new line

* eql syntax

* ecs_version

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* dropped winlogbeat index

pe signature check details missing

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:39:44 +01:00
Samirbous 6dc78c4703 [New Rule] Remote File Download via Scripting (#647) 
* [New Rule] Remote File Download via Scripting

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* eql syntax

* ecs_version

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* deleted ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:37:51 +01:00
Samirbous bb93988926 [Rule Tuning] Unusual Network Connection via RunDLL32 (#693) 
* [Rule Tuning] Unusual Network Connection via RunDLL32

* excluding dns traffic

* Update rules/windows/execution_unusual_network_connection_via_rundll32.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:01:17 +01:00
Samirbous 3f8a7573f7 [New Rule] Remotely Started Services (#542) 
* [New Rule] Remotely Started Services

* added a common FP msiexec

* Update lateral_movement_remote_services.toml

* eql syntax

* Update rules/windows/lateral_movement_remote_services.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update lateral_movement_remote_services.toml

* port numb

* ecs_version

* added RPC to alert name

* Update rules/windows/lateral_movement_remote_services.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:31:03 +01:00
Samirbous 0f17ad6839 [New Rule] Incoming Execution with WinRM Remote Shell (#616) 
* [New Rule] Incoming Execution with WinRM Remote Shell

* MITRE TID Mapping

removed also unnecessary sequence events

* Update lateral_movement_incoming_winrm_shell_execution.toml

* eql syntax

* ecs_version

* excluding localhost

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:28:37 +01:00
Samirbous b477255abe [New Rule] Potential DNS Tunneling with Nslookup (#522) 
* [New Rule] Potential DNS Tunneling with Nslookup

* adjusted tags

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* ecs_version

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-07 20:16:17 +01:00
Samirbous 6c37d5c6b4 [New Rule] Potential ProcessHerpaderping Detected (#418) 
* [New Rule] Suspicious Execution via File Overwrite

* Update defense_evasion_overwrite_followed_by_execution.toml

* Update defense_evasion_overwrite_followed_by_execution.toml

* removed timeline_id

* fixed logic and also added references URL

* tuned logic to exclude potential FPs

not an actual FP, but only observed executable file overwrite by default on Windows is related to SoftwareDistribution, this does not match the sequence (Process Execution followed by Same Process File Overwrite) but added it to exclusion just in case.

* adjusted a bit desc and name

* changed rule file name

* adjusted executable.path for performance

avoiding leading wildcard, users can customize rule if they have different drive letters

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* lint

* ecs_version

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* deleted ecs_version

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* changed rule name as per ross sugges

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-07 20:08:12 +01:00
Samirbous af85c27142 [New Rule] Peripheral Device Discovery (#446) 
* [New Rule] Peripheral Device Discovery

* removed timeline_id

* adjusted cmdline

* adjusted args for better performance

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 20:55:19 +01:00
Samirbous 9460618129 [New Rule ] Incoming DCOM Lateral Movement with MSHTA (#459) 
* [New Rule ] Remote Execution via DCOM - MSHTA

* corrected tactic

* removed timeline_id

* added host.id and tightened the netcon clause

* changed rule description and name

* removed parent process names

as condition its optional since process.args is explicit.

* Update rules/windows/lateral_movement_dcom_hta.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/lateral_movement_dcom_hta.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* localhost filtering

* Update rules/windows/lateral_movement_dcom_hta.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 20:49:54 +01:00