security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

946 Commits

Author SHA1 Message Date
Samirbous 181bbcb8c9 [New Rule] Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindow (#486) 
* [New Rule] Remote Execution via DCOM - ShellBrowserWindow or ShellWindows

* adjusted rule description and name

* Update rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* filtering localhost

* Update lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

* eql syntax

* ecs_version

* Update rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted and del ecs_vers

* re-linted

* deleted ecs_version

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 17:37:31 +01:00
Samirbous 5c1229cc63 [New Rule] Suspicious Service ImagePath Created (#603) 
* [New Rule] Suspicious Service ImagePath Created

* fixed rule name

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* fixed technique name

* Update persistence_suspicious_service_created_registry.toml

* new MITRE mapping not yet supported

* eql syntax

* ecs_version

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 17:14:54 +01:00
Samirbous 7775515b55 [New Rule] Privilege Escalation via Named Pipe Impersonation (#605) 
* [New Rule] Privilege Escalation via Named Pipe Impersonation

* added a reference url

* fixed PS OFN

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* eql syntax

* ecs_version

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 17:05:30 +01:00
Samirbous c7d7bd7fdd [New Rule] Suspicious PowerShell Engine ImageLoad (#559) 
* [New Rule] Suspicious PowerShell Engine ImageLoad

* Update rules/windows/defense_evasion_suspicious_powershell_imgload.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* eql syntax

* ecs_version

* Update rules/windows/defense_evasion_suspicious_powershell_imgload.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_powershell_imgload.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 16:48:01 +01:00
Samirbous 0eacf484a0 [New Rule] Scheduled Task Created by a Windows Script (#649) 
* [New Rule] Scheduled Task Created via Windows Scripts

* added powershell

* Update persistence_local_scheduled_task_scripting.toml

* Update rules/windows/persistence_local_scheduled_task_scripting.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* increased maxspan as per Dan sugg

* eql syntax

* eql syntax

* ecs_version

* Update rules/windows/persistence_local_scheduled_task_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-03 23:10:51 +01:00
Samirbous 41dd58b151 [Rule Tuning] Persistence via TelemetryController Scheduled Task Hijack (#655) 
* [Rule Tuning] Persistence via TelemetryController Scheduled Task Hijack

* ecs_version
 2020-12-03 22:59:46 +01:00
Samirbous 11041e0012 [New Rule] UAC Bypass via privileged IFileOperation (#416) 
* [New Rule] Bypass UAC via privileged IFileOp

* Update privilege_escalation_uac_bypass_dll_sideloading.toml

* Update rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update privilege_escalation_uac_bypass_dll_sideloading.toml

* adjusted file.path for performance

avoiding leading wildcard, rule can be customized by users if default drive letter is different

* new EQL syntax

* Update privilege_escalation_uac_bypass_dll_sideloading.toml

* ecs_version

* removed new lines

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-03 20:43:57 +01:00
Samirbous 54b926a7bf [Rule Tuning] Process Potentially Masquerading as WerFault (#653) 
* [Rule Tuning] Process Potentially Masquerading as WerFault

* Update defense_evasion_masquerading_werfault.toml

* converted from kql to eql sequence for more precision

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* relinted

* eql syntax

* ecs_version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-03 20:26:37 +01:00
Justin Ibarra 4b6ad77338 [Rule Tuning] Remove usage of winlog.event_data.OriginalFileName (#667) 2020-12-03 01:00:24 -09:00
Samirbous 3ac232085b [New Rule] Remote Desktop Enabled in Windows Firewall (#368) 
* [New Rule] Inbound RDP Enabled

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* changed tags

* expanded args condition

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* adjusted process args

* renamed rule and added equivalent process args

* Update rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* fixing unit test errors

* original file name

* ecs_version

* Update rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-02 21:27:18 +01:00
Samirbous 30cded7a2d [New Rule] Lateral Movement via Startup Folder (#663) 
* [New Rule] Lateral Movement via Startup Folder

* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-02 21:22:43 +01:00
Samirbous 3deff0eeb8 [New Rule] Remote Execution via File Shares (#455) 
* [New Rule] Remote Execution via File Shares

* removed timeline_id

* fixed tags

* added extension to reduce response time

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-02 21:20:13 +01:00
Samirbous e03f775789 [New Rule] Lateral Executable Transfer Over SMB (#517) 
* [New Rule] Lateral Executable Transfer Over SMB

* adjusted maxspan, address and extensions

* changed rule name

* Update rules/windows/lateral_movement_executable_tool_transfer_smb.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* eql syntax

* ecs_version

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-12-02 21:03:31 +01:00
Samirbous e6645a8be9 [Rule Tuning] Clearing or Disabling Windows Event Logs (#393) 
* [Rule Tuning] Clearing or Disabling Windows Event Logs

* added tags

* Update defense_evasion_clearing_windows_event_logs.toml

* Update rules/windows/defense_evasion_clearing_windows_event_logs.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* updated the rule update date

* linted

* fixing unit test error

* Update rules/windows/defense_evasion_clearing_windows_event_logs.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
 2020-12-02 20:35:35 +01:00
Samirbous db2d17ccb2 [New Rule] Credential Acquisition via Registry Hive Dumping (#607) 
* [New Rule] Credential Acquisition via Registry Hive Dumping

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* fixed MITRE technique details

* fixed TID

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update credential_access_dump_registry_hives.toml

* as per Justin suggestion case insensitivity is not issue 7.11

* Update credential_access_dump_registry_hives.toml

* new MITRE mapping errors

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_dump_registry_hives.toml

* added :

* changed process.args:(a, b) to process.args: a or process.args:b

while testing on 7.10 process.args : (a , b) generate an error

* adjusted query as per JLB and RW suggestion

* eql syntax

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-02 20:31:22 +01:00
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570) 
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
 2020-12-01 13:24:20 -09:00
Samirbous dc9c63d043 [New Rule] Unusual Svchost ChildProc - ChildLess Services (#370) 
* [New Rule] Unusual Svchost ChildProc - ChildLess Services

* changed tags

* changed rule filename

* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-01 20:30:03 +01:00
Samirbous 0fe12d2528 [New Rule] Suspicious Explorer Child Process (#430) 
* [New Rule] Suspicious Explorer Child Process

* Update execution_via_explorer_suspicious_child_parent_args.toml

* removed timeline_id

* fixed typo

* adjusted args for better performance

* Update rules/windows/execution_via_explorer_suspicious_child_parent_args.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_via_explorer_suspicious_child_parent_args.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-01 00:00:40 +01:00
Ross Wolf 710f4bda10 Add file.extension to SxS .local rule 2020-11-30 15:26:28 -07:00
Samirbous 2465a70dac [New Rule] Execution via local SxS Shared Module (#424) 
* [New Rule] Execution via local SxS Shared Module

* Update execution_shared_modules_local_sxs_dll.toml

* Update execution_shared_modules_local_sxs_dll.toml

* added tags

* added drive letter for less performance impact

* Update rules/windows/execution_shared_modules_local_sxs_dll.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_shared_modules_local_sxs_dll.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_shared_modules_local_sxs_dll.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-11-30 23:24:44 +01:00
Samirbous 7138b01001 [New Rule] Potential Command and Control via IEXPLORE (#645) 
* [New Rule] Potential Command and Control via IEXPLORE

* Update command_and_control_iexplore_via_com.toml

* Update command_and_control_iexplore_via_com.toml

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-11-30 21:13:30 +01:00
Samirbous 14ef24e9dd [New Rule] Command shell activity started via rundll32 (#391) 
* [New Rule] Command shell activity started via rundll32

* added tag

* adjusted parent args for performance

avoid leading wildcard

* filtered a common FP

* Update execution_command_shell_via_rundll32.toml

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-11-30 21:02:57 +01:00
Samirbous 52183d78a2 [New Rule] Persistence via Microsoft Outlook VBA (#611) 
* [New Rule] Persistence via Microsoft Outlook VBA

* added FPs note and deleted excluded outlook.exe

* Update rules/windows/persistence_ms_outlook_vba_template.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-11-30 20:57:36 +01:00
Samirbous ba0cc7a055 [New Rule] UAC Bypass via Elevated COM Interface - IEditionUpgradeManager (#422) 
* [New Rule] UAC Bypass via Elevated COM Interface - ClipUp

* linted

* Update privilege_escalation_uac_bypass_com_clipup.toml

* added tags

* changed rule name

* adjusted rule for more performance

* Update rules/windows/privilege_escalation_uac_bypass_com_clipup.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_com_clipup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-11-30 20:26:07 +01:00
Justin Ibarra d0ba03230a [Rule Tuning] Unusual File Modification by dns.exe (#472) 2020-11-30 08:22:27 -09:00
dstepanic17 625b0ec771 [New-Rule] Suspicious WMI Image Load from MS Office (#551) 
* image-load-wmi-ms-office

* Update rules/windows/execution_suspicious_image_load_wmi_ms_office.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Resolved linting after suggestion

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-11-20 08:34:02 -06:00
dstepanic17 517ee0dc03 image-load-sched-task-ms-office (#566) 2020-11-20 07:28:16 -06:00
Samirbous 1ebdcc8248 [New Rule] Suspicious RDP ActiveX Client Loaded (#588) 
* [New Rule] Suspicious RDP ActiveX Client Loaded

* added exec from mounted device and UNC

* removed unecessary exclusion

* Update rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
 2020-11-20 10:43:12 +01:00
Samirbous 9d2a74ea1b [New Rule] Connection to Commonly Abused Web Services (#476) 
* [New Rule] Connection to Commonly Abused Web Services

* Update command_and_control_common_webservices.toml

* Update rules/windows/command_and_control_common_webservices.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* added notabug.org as suggested by Daniel

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
 2020-11-18 23:38:09 +01:00
Samirbous 161ea402fe [New Rule] Kerberos Traffic from Unusual Process (#448) 
* [New Rule] Kerberos Traffic from Unusual Process

* removed timeline_id

* adjusted args for better perf

* added potential rare FPs

* Update rules/windows/credential_access_kerberoasting_unusual_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_kerberoasting_unusual_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_kerberoasting_unusual_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_kerberoasting_unusual_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-11-18 22:07:49 +01:00
Samirbous 3e7be55a24 [New Rule] UAC Bypass via Windows Firewall Snap-in Hijack (#376) 
* [New Rule] Bypass UAC via Windows Firewall Snap-in Hijack

* Delete workspace.xml

* Update privilege_escalation_uac_bypass_winfw_mmc_hijack.toml

* Update privilege_escalation_uac_bypass_winfw_mmc_hijack.toml

* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-11-18 20:36:59 +01:00
Samirbous 75ed0f8f92 [New Rule] UAC Bypass via ICMLuaUtil Elevated COM interface (#383) 
* [New Rule] Bypass UAC via ICMLuaUtil Elevated COM interface

* added tags

* Update privilege_escalation_uac_bypass_com_interface_icmluautil.toml

* adjusted args to avoid leading wildcard

* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* replaced wildcard with In

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-11-18 20:34:10 +01:00
Samirbous 14270a5614 [New Rule] Persistence via MS Office Addins (#381) 
* [New Rule] Persistence via MS Office Addins

* Update persistence_ms_office_addins_file.toml

* Update persistence_ms_office_addins_file.toml

* Update persistence_ms_office_addins_file.toml

* Update persistence_ms_office_addins_file.toml

* fixed extension and relaxed file.path

* updated references

* changed leading wildcard for perf

* Update rules/windows/persistence_ms_office_addins_file.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/persistence_ms_office_addins_file.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-11-18 20:27:01 +01:00
Samirbous 4547ee3750 [New Rule] Suspicious Execution - Short Program Name (#536) 
* [New Rule] Suspicious Execution - Short Program Name

* Update rules/windows/execution_suspicious_short_program_name.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-11-17 21:27:37 +01:00
Samirbous 4741f70fad [New Rule] Potential Remote Desktop Tunneling Detected (#374) 
* [New Rule] Remote Desktop Tunneling using SSH Plink Utility

* Update lateral_movement_rdp_tunnel_plink.toml

* Update lateral_movement_rdp_tunnel_plink.toml

* changed tags

* expanded condition to more than plink

there are other SSH utilities that can be used as Plink thus removed the process original filename condition and added mandatory switches such as -L -P and -R.

* Update lateral_movement_rdp_tunnel_plink.toml

* more args options

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-11-17 21:25:48 +01:00
Samirbous 14e36c2693 [New Rule] Security Software Discovery using WMIC (#387) 
* [New Rule] Security Software Discovery using WMIC

* added tags

* adjusted args for performance

avoiding leading wildcard in process args

* Update discovery_security_software_wmic.toml

* Update discovery_security_software_wmic.toml

* Update discovery_security_software_wmic.toml

* Update rules/windows/discovery_security_software_wmic.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/discovery_security_software_wmic.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-11-17 21:23:28 +01:00
Samirbous ba4b8bc3e3 [New Rule] UAC Bypass via Elevated COM IEinstall (#450) 
* [New Rule] Bypass UAC via Elevated COM Internet Explorer Add-on Installer

* Linted

* Update privilege_escalation_uac_bypass_com_ieinstal.toml

* adjusted executable path for better performance

* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-11-17 21:21:15 +01:00
Samirbous 3af915ff49 [New Rule] Suspicious Cmd Execution via WMI (#389) 
* [New Rule] Suspicious Cmd Execution via WMI

* Update lateral_movement_suspicious_cmd_wmi.toml

* Update lateral_movement_suspicious_cmd_wmi.toml

* expanded process args for more coverage

* Update rules/windows/lateral_movement_suspicious_cmd_wmi.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-11-17 21:19:30 +01:00
Justin Ibarra f87f2a46f4 [Rule Tuning] Remove all rule timelines (#466) 2020-11-03 09:51:53 -09:00
Justin Ibarra da64bacac1 [Rule Tuning] Add timeline_title to rules with timeline IDs defined (#452) 2020-11-02 14:12:20 -09:00
Brent Murphy 9838d3d2f7 [Rule Tuning] Remove duplicate rules after EQL conversion (#436) 
* [Rule Tuning] Remove duplicate rules after EQL conversion

* Update defense_evasion_rundll32_sequence.toml

* swap msxsl rules
 2020-10-30 15:49:28 -04:00
Justin Ibarra a575cf9ff3 [Rule Tuning] Use cidrMatch for eql rules checking multiple IPs (#431) 2020-10-29 11:06:24 -08:00
Justin Ibarra 0d3c35886c Remove connection type from endpoint network rules (#426) 2020-10-28 12:35:34 -08:00
Derek Ditch 580db2c13e Add timeline_id to detection rules (#95) 
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
    - Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
 2020-10-27 13:34:16 -05:00
seth-goodwin 2065af89b1 [Rule Tuning] Tag Categorization Updates (#380) 
* Add new categorization tags

* Change updated_date to 2020/10/26

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
 2020-10-26 13:50:45 -05:00
Brent Murphy 2e422f7159 [Rule Tuning] Minor Rule Tweaks for 7.10 (#400) 
* Tweak Rules for 7.10

* Add endpoint index for packetbeat rules

* update unit test to account for Network tag as well

* update modified date, add endpoint tag

* use Host instead of Endpoint

* Update packaging.py

* add v back to changelog url

* Add "tag" comment to get_markdown_rule_info

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-10-22 09:07:04 -04:00
Justin Ibarra 0a992d716a [Rule Tuning] Update EQL rules for 7.10 (#399) 
* update syntax to reflect eql changes
* use more case-insensitivity
* comment out missing fields for winlogbeat compatibility
 2020-10-21 12:35:18 -08:00
Justin Ibarra fd2d36573d Update logic in rules using fields: process.code_signature.* or process.pe.original_file_name (#364) 2020-10-20 15:22:02 -08:00
Justin Ibarra d3226c72c9 Add test for tactic in rule filename (#398) 2020-10-20 14:48:33 -08:00
Kevin Logan f34c96f4dc [Rule Tuning][SECURITY_SOLUTION] rename Endpoint security (#355) 2020-10-05 09:55:15 -08:00