security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

2412 Commits

Author SHA1 Message Date
Austin Songer 17032194d8 [Rule Tuning] Suspicious WerFault Child Process (#915) 
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

Added Article "How to Design Abnormal Child Processes Rules without Telemetry"

* bump updated_date

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-10 14:17:57 -05:00
Samirbous 2b7b1a6ab0 [Rule Tuning] Persistence via Update Orchestrator Service Hijack (#939) 
* [Rule Tuning] Persistence via Update Orchestrator Service Hijack

* updated date and added execpath

* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-10 20:11:45 +01:00
Nic cbe1b66b87 [Rule Tuning] Exclude Windows Error Reporting & Printer Driver (#929) 2021-02-10 08:53:04 -09:00
Samirbous 497ddcbb58 [New Rule] Suspicious Python Script Execution via the CommandLine (#852) 
* [New Rule] Suspicious Python Script Execution via the CommandLine

* kql optimz

* Update rules/cross-platform/execution_python_script_in_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/execution_python_script_in_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added subtechnique

* Update rules/cross-platform/execution_python_script_in_cmdline.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* converted to eql

* Update rules/cross-platform/execution_python_script_in_cmdline.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-10 18:37:03 +01:00
Samirbous f13e9ce0d0 [New Rule] Shell Profile Modification (#878) 
* [New Rule] Shell Profile Modification

* added auditbeat index

* Update persistence_shell_profile_modification.toml

* excluding noisy processes

* Update rules/cross-platform/persistence_shell_profile_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/persistence_shell_profile_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/persistence_shell_profile_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/cross-platform/persistence_shell_profile_modification.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added note short desc

* Update persistence_shell_profile_modification.toml

* added FPs note

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-10 17:44:15 +01:00
Brent Murphy 9421ccfad7 [New Rule] Unusual File Creation - Alternate Data Stream (#902) 
* Create defense_evasion_unusual_ads_file_creation.toml

* lint

* spacing

* add logs-windows.*

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* lint

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-10 09:28:25 -05:00
Brent Murphy f08312ec7f [New Rule] Disabling User Account Control via Registry (#892) 
* Create privilege_escalation_disable_uac_registry.toml

* Apply suggestions from code review

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* lint

* spacing

* add logs-windows.*

* minor syntax change and final lint

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-02-10 09:11:45 -05:00
Brent Murphy c5d6cbc2e4 [New Rule] Potential LSA Authentication Package Abuse (#903) 
* Create privilege_escalation_lsa_auth_package.toml

* bump risk and sev

* spacing

* add logs-windows.*

* Update rules/windows/privilege_escalation_lsa_auth_package.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update privilege_escalation_lsa_auth_package.toml

* Update rules/windows/privilege_escalation_lsa_auth_package.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* final lint

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-10 09:00:58 -05:00
Samirbous 142a26a010 [New Rule] Suspicious Adobe Acrobat Updates Service Child Process (#886) 
* [New Rule] Suspicious Adobe Acrobat Updates Service Child Process

* Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-10 14:08:37 +01:00
Samirbous 58f0bf5998 [Rule Tuning] Attempt to Remove File Quarantine Attribute (#781) 
* [Rule Tuning] Attempt to Remove File Quarantine Attribute

* Update defense_evasion_attempt_del_quarantine_attrib.toml

* adjusted query coverage

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* date

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-10 10:45:50 +01:00
Samirbous 7fc5ba1646 [New Rule] Persistence via Cron Tasks (#867) 
* [New Rule] Persistence via Cron Tasks

* Update persistence_cron_jobs_creation_and_runtime.toml

* Update persistence_cron_jobs_creation_and_runtime.toml

* excluded noisy procs and root user

* moved to cross-platform

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* excluding root user

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-10 10:28:22 +01:00
Samirbous 51498f6022 [New Rule] Attempt to Mount an SMB Share via Command-line (#914) 
* [New Rule] Attempt to Mount an SMB Share via Command-line

* fixed tactic_id

* 2021!

* Update lateral_movement_mounting_smb_share.toml

* Update rules/macos/lateral_movement_mounting_smb_share.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/lateral_movement_mounting_smb_share.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/lateral_movement_mounting_smb_share.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* lint rule

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-02-09 22:08:30 +01:00
Samirbous a50a65a4d7 [Rule Tuning] Execution with Explicit Credentials via Scripting (#910) 2021-02-09 22:06:23 +01:00
Samirbous 7d4bd35bf0 [New Rule] Potential Privileges Escalation via Root Crontab File Modi… (#919) 
* [New Rule] Potential Privileges Escalation via Root Crontab File Modification

* Update privilege_escalation_root_crontab_filemod.toml

* Update rules/macos/privilege_escalation_root_crontab_filemod.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_root_crontab_filemod.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* lint rule

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-02-09 22:04:14 +01:00
Andrew Pease ddddaf37dc [New Rule] Sudo Heap-based Buffer Overflow Vulnerability Attempt (CVE-2021-3156) (#933) 
* initial commit

* adjusted title

* Update rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* updates

* optimized

* added ""'s

* typo around "-s"

* added sudo reference

* changed to threshold

* Update rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml

* re-lint

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-09 15:02:04 -06:00
Samirbous 769ced1001 [New Rule] Privilege Elevation via Sudoers File Modification (#917) 
* [New Rule] Privilege Elevation via Sudoers File Modification

* Update privilege_escalation_echo_nopasswd_sudoers.toml

* group args

* Update rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* lint rule

* added subtechnique

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-02-09 21:58:31 +01:00
Samirbous 424a182383 [New Rule] Dumping Accounts Hashes using Built-In Commands (#908) 
* [New Rule] Dumping Accounts Hashes using Built-In Commands

* fixed dates

* Update credential_access_dumping_hashes_bi_cmds.toml

* Update rules/macos/credential_access_dumping_hashes_bi_cmds.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/credential_access_dumping_hashes_bi_cmds.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/credential_access_dumping_hashes_bi_cmds.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_dumping_hashes_bi_cmds.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-09 21:49:51 +01:00
Samirbous 68f834270d [New Rule] Potential Persistence via Atom Init Script Modification (#906) 
* [New Rule] Potential Persistence via Atom Init Script Modification

* Update rules/macos/persistence_via_atom_init_file_modification.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/persistence_via_atom_init_file_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-09 21:47:08 +01:00
Samirbous 5ae9347663 [New Rule] Suspicious Calendar File Modification (#880) 
* [New Rule] Suspicious Calendar File Modification

* description

* index

* excluding FPs by path

* Update persistence_suspicious_calendar_modification.toml

* Update persistence_suspicious_calendar_modification.toml

* Update rules/macos/persistence_suspicious_calendar_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_suspicious_calendar_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-09 21:44:45 +01:00
Andrew Pease 7c336a0a91 [New Rule] DefenderControl Activity (#769) 
* initial commit

* updated to eql and registry vs. file

* fix updated_date format

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_defendercontrol_activity.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* changed name and added registry value 3 or 4

* remove duplicate

* fixed date format and lint

* updated indices

* removed fp and updated description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-09 10:12:54 -06:00
Samirbous aa2dcd58e7 [New Rule] Persistence via DirectoryService Plugin Modification (#858) 
* [New Rule] Persistence via DirectoryService Plugin Modification

* Update persistence_directory_services_plugins_modification.toml

* adjusted description

* Update rules/macos/persistence_directory_services_plugins_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_directory_services_plugins_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_directory_services_plugins_modification.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-02-09 10:59:35 +01:00
Samirbous cfd42babd1 [New Rule] Enumeration of Users or Groups using Built-In Commands (#848) 
* [New Rule] Enumeration of Users or Groups using Built-In Commands

* Update discovery_users_domain_built_in_commands.toml

* added search option

* excluded some noisy processes

* Update discovery_users_domain_built_in_commands.toml

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/discovery_users_domain_built_in_commands.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-09 10:50:39 +01:00
Samirbous ffaf689778 [New Rule] Persistence via KDE AutoStart Script or Desktop File Modif… (#809) 
* [New Rule] Persistence via KDE AutoStart Script or Desktop File Modification

* Update persistence_kde_autostart_modification.toml

* Update rules/linux/persistence_kde_autostart_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/persistence_kde_autostart_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/linux/persistence_kde_autostart_modification.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* format

* date

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-09 10:47:05 +01:00
David French e507898dbd [New Rule] Attempt to Disable Gatekeeper (#841) 2021-02-08 20:25:04 -07:00
Samirbous 519078c87c [New Rule] Authorization Plugin Modification (#856) 
* [New Rule] Authorization Plugin Modification

* Update credential_access_persistence_authorization_plugin_creation.toml

* Update rules/macos/credential_access_persistence_authorization_plugin_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_persistence_authorization_plugin_creation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* tactic

* filename

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 23:14:25 +01:00
Samirbous 2092c70f11 [New Rule] Finder Sync Plugin Enabled (#735) 
* [New Rule] Finder Sync Plugin Enabled

* ref url decoded

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* excluded some common finder plugins

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 23:08:49 +01:00
Samirbous 4d68377d1b [New Rule] Suspicious DLL Loaded for Persistence or Privilege Escalation (#819) 
* [New Rule] Suspicious DLL Loaded for Persistence or Privilege Escalation

* replaced file.name with dll.name

* Update rules/windows/privilege_escalation_persistence_phantom_dll.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update privilege_escalation_persistence_phantom_dll.toml

* Update rules/windows/privilege_escalation_persistence_phantom_dll.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/windows/privilege_escalation_persistence_phantom_dll.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_persistence_phantom_dll.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-08 23:04:02 +01:00
Samirbous fb32679921 [New Rule] Access to SystemKey via Hexdump (#815) 
* [New Rule] Access to SystemKey via Hexdump

* Update rules/macos/credential_access_systemkey_dumping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_systemkey_dumping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_systemkey_dumping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update credential_access_systemkey_dumping.toml

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 23:02:02 +01:00
Samirbous 2e6b353f5e [New Rule] Potential Reverse Shell Activity via Terminal (#821) 
* [New Rule] Potential Reverse Shell Activity via Terminal

* extra reference

* adjusted process.args for coverage resilience

* Update execution_revershell_via_shell_cmd.toml

* Update rules/cross-platform/execution_revershell_via_shell_cmd.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/execution_revershell_via_shell_cmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* encoded ref url

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-08 22:57:55 +01:00
Samirbous 6e2d8830e1 [New Rule] Attempt to Install Root Certificate (#850) 
* [New Rule]  Attempt to Install Root Certificate

* Update rules/macos/defense_evasion_install_root_certificate.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_install_root_certificate.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 22:49:35 +01:00
Samirbous a08adbf10c [New Rule] Suspicious Launchd Hidden Child Process (#823) 
* [New Rule] Hidden Launcd Child Process

* adjusted name and added extra ref

* severity change

* Update rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added subtechnique

* Update rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-08 22:43:21 +01:00
Samirbous 55272cc49e [New Rule] EggShell Backdoor Execution (#845) 
* [New Rule] EgShell Backdoor Execution

* Update rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 22:37:15 +01:00
Samirbous 53db78fccc [New Rule] Lateral Movement via Kerberos using Bifrost Console (#843) 
* [New Rule] Lateral Movement via Kerberos using Bifrost Console

* adjusted kql for perf

* mitre techniques order

* added two args

* Update lateral_movement_credential_access_kerberos_bifrostconsole.toml

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 22:34:54 +01:00
Samirbous 429a975d14 [New Rule] Keychain Password Retrieval via Commandline (#811) 
* [New Rule] Keychain Password Retrieval via Commandline

* added false positives note

* added internet-pwd option

* extra refurl

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* fixed technique

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 22:31:16 +01:00
Samirbous 18a4e468ce [New Rule] Attempt to Unload Elastic Endpoint Security Kernel Extension (#807) 
* [New Rule] Attempt to Unload Elastic Endpoint Security Kernel Extension

* Update rules/macos/defense_evasion_unload_endpointsecurity_kext.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_unload_endpointsecurity_kext.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_unload_endpointsecurity_kext.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added subtechnique

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 22:22:16 +01:00
Brent Murphy 64366218c7 adjust risk score (#938) 2021-02-08 13:15:42 -05:00
Samirbous 6ca381763d [New Rule] Execution with Administrator Privileges via Apple Scripting (#777) 
* [New Rule] Execution with Administrator Privileges via Apple Scripting

* Update privilege_escalation_applescript_with_admin_privs.toml

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-02-08 17:39:22 +01:00
Samirbous ef01430ab0 [Rule Tuning] Compression of Keychain Credentials Directories (#787) 
* [Rule Tuning] Access to Keychain Credentials Directories

* linted

* renmaed rule filename

* added keychain filenames 

added filenames in case of exec from keychain working directory

* extra reference

* Update rules/macos/credential_access_credentials_keychains.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update credential_access_credentials_keychains.toml

* 2021

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
 2021-02-08 17:31:04 +01:00
Samirbous 79b0a940c5 [New Rule] Attempt to Create a Hidden Local Account (#799) 
* [New Rule] Attempt to Create a Hidden Local Account

* adjusted query for perfmc

* Update persistence_account_creation_hide_at_logon.toml

* Update persistence_account_creation_hide_at_logon.toml

* Update rules/macos/persistence_account_creation_hide_at_logon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_account_creation_hide_at_logon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 17:24:56 +01:00
Samirbous 55998ff02a [New Rule] Creation Attempt of a Hidden Login Item via Apple Script (#801) 
* [New Rule] Creation Attempt of a Hidden Login Item via Apple Script

* fixed TID

* Update persistence_creation_hidden_login_item_osascript.toml

* Update rules/macos/persistence_creation_hidden_login_item_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_creation_hidden_login_item_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_creation_hidden_login_item_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_creation_hidden_login_item_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_creation_hidden_login_item_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 17:22:01 +01:00
Samirbous b9a6452001 [New Rule] Attempt to Enable the Root Account (#792) 
* [New Rule] Attempt to Enable the Root Account

* Update rules/macos/persistence_enable_root_account.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 17:10:43 +01:00
Samirbous b73564b541 [Rule Tuning] Remote SSH Login Enabled via systemsetup Command (#783) 2021-02-08 16:54:39 +01:00
Samirbous 055c8ec4f7 [New Rule] Potential MacOS Privacy Controls Bypass via TCCDB Modification (#765) 
* [New Rule] Potential MacOS Privacy Controls Bypass

* added extra ref and arg if exec from TCC current directory

* Update defense_evasion_privacy_controls_tcc_database_modification.toml

* renamed

* Update defense_evasion_privacy_controls_tcc_database_modification.toml

* adjusted to catch rogue TCCDB PrivEsc Exploit

* Update defense_evasion_privacy_controls_tcc_database_modification.toml

* Update defense_evasion_privacy_controls_tcc_database_modification.toml

* Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added subtechnique

* relinted

* Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-02-08 16:48:53 +01:00
Samirbous 8b8cbcf8dd [Rule Tuning] Prompt for Credentials with OSASCRIPT (#759) 
* [Rule Tuning] Prompt for Credentials with OSASCRIPT

* Update credential_access_promt_for_pwd_via_osascript.toml

* Update credential_access_promt_for_pwd_via_osascript.toml

* Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* update date

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 16:42:23 +01:00
Samirbous 4cb28adece [New Rule] Sublime Plugin or Application Script Modification (#761) 
* [New Rule] Sublime Plugin or Application Script Modification

* excluded some noisy procs

* Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added T1554

* fixed tactic

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 16:34:44 +01:00
Samirbous 82fe227030 [New Rule] Sensitive Files Compression (#756) 
* [New Rule] Sensitive Files Compression

* conv to kql

* Update rules/linux/credential_access_collection_sensitive_files.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/credential_access_collection_sensitive_files.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_collection_sensitive_files.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/linux/credential_access_collection_sensitive_files.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-02-08 16:31:00 +01:00
Samirbous 99a4aaff58 [New Rule] Modification of the Dynamic Linker Preload Shared Object (#921) 
* [New Rule] Modification of the Dynamic Linker Preload Shared Object

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 16:11:37 +01:00
Brent Murphy 02ee8195ab [New Rule] Creation or Modification of Root Certificate (#927) 
* Create defense_evasion_create_mod_root_certificate.toml

* update description

* Update defense_evasion_create_mod_root_certificate.toml

* spacing

* Update rules/windows/defense_evasion_create_mod_root_certificate.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* removing process names that could lead to fn

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-02-08 10:01:59 -05:00
Brent Murphy 0b568e5740 [New Rule] Suspicious JAR Child Process (#887) 
* Create execution_suspicious_jar_child_process.toml

* pr review feedback and moved to cross platform

* spacing

* Add FP section
 2021-02-08 09:48:48 -05:00
Samirbous 6a61caa84f [New Rule] Suspicious Browser Child Process (#767) 
* [New Rule] Suspicious Browser Child Process

* auditbeat removed

auditbeat process execution does not log the parent process name.

* added more suspicious childproc

* added perl and php

* Update execution_initial_access_suspicious_browser_childproc.toml

* Update execution_initial_access_suspicious_browser_childproc.toml

* Update execution_initial_access_suspicious_browser_childproc.toml

* excluded noisy stuff

* Update rules/macos/execution_initial_access_suspicious_browser_childproc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_initial_access_suspicious_browser_childproc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_initial_access_suspicious_browser_childproc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-02-08 15:06:18 +01:00