sigma-rules

Author	SHA1	Message	Date
Samirbous	732770e855	[New Rule] Potential OpenSSH Backdoor Logging Activity (#749 ) * [New Rule] Known SSH Backdoor Logging File * updated query to common patterns * updated rule name * relinted * added extra path * renamed * adjusted some filepaths * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * added kobalos OpenSSH credential stealer added kobalos SSH credential stealer default logs file as reported by ESET this week https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf * relinted * adjusted MITRE technique * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-05 21:27:15 +01:00
Samirbous	3fde3930f7	[New Rule] Modification of Standard Authentication Module or Configuration (#745 ) * [New Rule] Modification of Unix Standard Authentication Module * extra ref and added file creation event type * extra ref url * Update persistence_modify_authentication_module.toml * added pam.d conf files changes too * adjusted tactics and techniques * Update persistence_modify_authentication_module.toml * Update persistence_modify_authentication_module.toml * changed from linux to cross platfm * Update persistence_credential_access_modify_auth_module_or_config.toml * adjusted query * converted to kql and excluded FPs * Update rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update persistence_credential_access_modify_auth_module_or_config.toml * Update persistence_credential_access_modify_auth_module_or_config.toml * Update rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-05 21:23:58 +01:00
Samirbous	4900c9a018	[New Rule] Potential Office Sandbox Evasion via ZIP File (#834 ) * [New Rule] Potential Office Sandbox Evasion via LaunchAgent ZIP File * adjusted query to account for other autostart paths * adjusted query and description * Update defense_evasion_sandboxed_office_app_suspicious_zip_file.toml * Update rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * 2021! Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-04 16:47:58 +01:00
Samirbous	a8931a927c	[New Rule] Safari Settings Modification using Defaults Command (#861 ) * [New Rule] Safari Settings Modification using Defaults Command * exclude some unsensitive changes * Update rules/macos/defense_evasion_safari_config_change.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_safari_config_change.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_safari_config_change.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_safari_config_change.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/defense_evasion_safari_config_change.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * added subtechnique Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>	2021-02-04 16:38:56 +01:00
Samirbous	6e59996fd0	[New Rule] Access to Browsers Credential Files (#789 ) * [New Rule] Access to Browsers Credential Files * removed Thunderbird from list out of browsers context, may go into a different rule with other mail clients * adjusted Safari cookies path to include for folder access, file access is covered by Cookies.binarycookies check * excluded a noisy arg * Update credential_access_access_to_browser_credentials_procargs.toml * Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-04 16:34:49 +01:00
Samirbous	bec5211814	[Rule Tuning] Setuid Bit Set via chmod and Setgid Bit Set via chmod (#875 ) * [Rule Tuning] Setuid Bit Set via chmod and Setgid Bit Set via chmod * Update privilege_escalation_setuid_setgid_bit_set_via_chmod.toml * relinted	2021-02-04 16:29:53 +01:00
Brent Murphy	236c630c90	[Rule Tuning] Update rules using case sensitive wildcard function (#904 ) * update rules using case sensitive wildcard function * add appropriate spacing * Apply suggestions from code review Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * update == * Apply suggestions from code review * remove info update index * Update defense_evasion_deletion_of_bash_command_line_history.toml * Update persistence_evasion_hidden_local_account_creation.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-04 10:23:32 -05:00
Samirbous	37ccdad0ee	[New Rule] Virtual Private Network Connection Attempt (#912 ) * [New Rule] Virtual Private Network Connection Attempt * fixed tactic_id * Update lateral_movement_vpn_connection_attempt.toml * Update rules/macos/lateral_movement_vpn_connection_attempt.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-03 18:18:09 +01:00
Samirbous	8878104f54	[New Rule] Potential Persistence via Periodic Tasks (#898 ) * [New Rule] Potential Persistence via Periodic Tasks * Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-03 18:15:25 +01:00
Samirbous	d733971e99	[New Rule] SoftwareUpdate Preferences Modification (#869 ) * [New Rule] SoftwareUpdate Preferences Modification * Update defense_evasion_apple_softupdates_modification.toml * Update rules/macos/defense_evasion_apple_softupdates_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_apple_softupdates_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * added subtechnique Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-03 18:12:37 +01:00
Samirbous	4a5085ee54	[Rule Tuning] Sudoers File Modification (#873 ) * [Rule Tuning] Sudoers File Modification * 2021! * Update rules/cross-platform/privilege_escalation_sudoers_file_mod.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-03 17:57:40 +01:00
Samirbous	b1a8292462	[New Rule] Potential Privacy Controls Bypass via Localhost Secure Copy (#830 ) * [New Rule] Potential Privacy Controls Bypass via Localhost Secure Copy * rename rule * exclude FPs * Update defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml * Update rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-03 17:54:15 +01:00
Brent Murphy	ffe8e5bfc5	[Rule Tuning] Update file.name to dll.name for Library events (#893 ) * [Rule Tuning] Update file.name to dll.name for Library events * replace == with : * updated_date * removed spacing inconsistencies * jibs likes spaces * NOT again jibs	2021-02-03 11:09:29 -05:00
Brent Murphy	fdf9384e4d	[Rule Tuning] Execution from Unusual Directory - Command Line (#837 ) * Update execution_from_unusual_path_cmdline.toml * lint * Update execution_from_unusual_path_cmdline.toml	2021-02-03 10:54:19 -05:00
Brent Murphy	fd05341e70	[New Rule] Potential Port Monitor or Print Processor Registration Abuse (#901 ) * Create privilege_escalation_port_monitor_registration.toml * add non SYSTEM user * convert SYSTEM to SID - use SID to eliminate locale specific system names * update name * update to include print processor path * add reference * spacing * add logs-windows.* * update spacing	2021-02-01 16:24:49 -05:00
Samirbous	326bebdebe	[New Rule] Execution via Electron Child Process Node.js Module (#817 ) * [New Rule] Execution via Electron ChildProc Node.js Module * relinted * fixed TID and adjusted KQL for perf * fixed kql * Update rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-01-29 19:06:49 +01:00
Samirbous	ad514eaeab	[New Rule] Attempt to Add an Account to the Admin Group (#803 ) * [New Rule] Attempt to Add an Account to the Admin Group * adjusted query for perf * Update rules/macos/privilege_escalation_local_user_added_to_admin.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_local_user_added_to_admin.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_local_user_added_to_admin.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-01-29 19:03:17 +01:00
Samirbous	cd3f72cf15	[New Rule] Creation of a Hidden Launch Agent or Daemon (#797 ) * [New Rule] Creation of a Hidden Launch Agent or Daemon * updated TID * Update persistence_evasion_hidden_launch_agent_deamon_creation.toml * Update persistence_evasion_hidden_launch_agent_deamon_creation.toml * Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * sub-technique stuff * relint Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-29 19:01:15 +01:00
Samirbous	a5ded6513c	[New Rule] Browser Hijack via Setting the Web Proxy to Localhost (#805 ) * [New Rule] Browser Hijack via Setting the Web Proxy to Localhost * fixed dates * adjusted query to include traffic redirection * relinted * added extra arg * reduced severity * Update rules/macos/credential_access_mitm_localhost_webproxy.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/credential_access_mitm_localhost_webproxy.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/credential_access_mitm_localhost_webproxy.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/credential_access_mitm_localhost_webproxy.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-29 18:58:14 +01:00
Samirbous	acff6a3a5d	[New Rule] 2 Rules for Persistence via Emond (#832 ) * [New Rule] 2 Rules for Persistence via Emond * removed auditbeat index process.parent.name not captured * Update persistence_emond_rules_process_execution.toml * Update rules/macos/persistence_emond_rules_file_creation.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_emond_rules_process_execution.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_emond_rules_file_creation.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_emond_rules_process_execution.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relint * 2021 * Update persistence_emond_rules_process_execution.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-29 09:16:27 +01:00
Justin Ibarra	a0e86e20d6	[Rule Tuning] Add windows integration index to rules (#923 )	2021-01-28 20:53:57 -09:00
Brent Murphy	70ca87138f	[New Rule] Execution of COM object via Xwizard (#896 ) * Create execution_com_object_xwizard.toml * spacing and query update * add logs-windows.*	2021-01-28 16:58:19 -05:00
brokensound77	ec4c9e77a2	Update revoked technique	2021-01-28 11:03:17 -09:00
brokensound77	bf32dec5a4	Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main # Conflicts: # rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml	2021-01-28 10:41:39 -09:00
Samirbous	1d77932434	[New Rule] Suspicious MacOS MS Office Child Process (#779 ) * [New Rule] Suspicious MacOS MS Office Child Process * extra bin and ref * Update execution_suspicious_mac_ms_office_child_process.toml * Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-28 19:55:31 +01:00
Samirbous	c18c5a493a	[New Rule] Dumping of Keychain Content via Security Command (#785 ) * [New Rule] Dumping of Keychain Content via Security Command * converted to eql * added sub-technique * 2021 * Update rules/macos/credential_access_dumping_keychain_security.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-28 19:50:41 +01:00
Samirbous	3fc4aaec0f	[New Rule] Modification of OpenSSH Binaries (#747 ) * [New Rule] Modification of SSH Binaries * Update persistence_credential_access_modify_ssh_binaries.toml * exclude unrelated auditbeat FP events * updated TIDs and Tactics * fix order of TIDs and Tactics * relinted * added libkeyutils.so used by Ebury Backdoor loaded by all OpenSSH processes * renamed * conv to kql and added one FP * Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/persistence_credential_access_modify_ssh_binaries.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-28 19:46:30 +01:00
Brent Murphy	d0ceb8cc4e	[New Rule] SIP Provider Modification (#891 ) * Create defense_evasion_sip_provider_mod.toml * add reference	2021-01-28 09:18:19 -05:00
Samirbous	485c6214fa	[New Rule] Environment Variable Modification using Launchctl (#865 ) * [New Rule] Environment Variable Modification using Launchctl * excluding some FPs * Update defense_evasion_modify_environment_launchctl.toml * Update defense_evasion_modify_environment_launchctl.toml * Update rules/macos/defense_evasion_modify_environment_launchctl.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_modify_environment_launchctl.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_modify_environment_launchctl.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/defense_evasion_modify_environment_launchctl.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>	2021-01-26 21:41:30 +01:00
Samirbous	6029783721	[New Rule] Security Software Discovery using Grep (#743 ) * [New Rule] Security Software Discovery using Grep * fixed index * Update discovery_security_software_grep.toml * Update discovery_security_software_grep.toml * conv to kql and added few AVs * added more AV procs * Update rules/macos/discovery_security_software_grep.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * moved to cross-platform * Update discovery_security_software_grep.toml * Update rules/cross-platform/discovery_security_software_grep.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/discovery_security_software_grep.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-26 19:57:26 +01:00
Samirbous	b4cb953aa4	[New Rule] Script Execution via Automator Workflows (#763 ) * [New Rule] Script Execution via Automator Workflows * Update execution_script_via_automator_workflows.toml * Update rules/macos/execution_script_via_automator_workflows.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/macos/execution_script_via_automator_workflows.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-01-26 09:07:39 +01:00
Samirbous	5d9c031c8b	[New Rule] TCC Bypass via Mounted APFS Snapshot Access (#775 ) * [New Rule] TCC Bypass via Mounted APFS Snapshot Access * Update defense_evasion_tcc_bypass_mounted_apfs_access.toml * conv to kql * Update rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-01-26 08:50:28 +01:00
Samirbous	ebf365693e	[Rule Tuning] Deletion of Bash Command Line History (#752 ) * [Rule Tuning] Deletion of Bash Command Line History * Update defense_evasion_deletion_of_bash_command_line_history.toml * Update rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>	2021-01-26 08:48:06 +01:00
Samirbous	440a7fbdee	[New Rule] SSH Authorized Keys File Modification (#754 ) * [New Rule] SSH Authorized Keys File Modification * excluded some noisy procs * Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update persistence_ssh_authorized_keys_modification.toml * Update rules/cross-platform/persistence_ssh_authorized_keys_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-26 08:45:38 +01:00
Samirbous	dc53fc1f04	[New Rule] Persistence via Docker Shortcut Modification (#733 ) * [New Rule] Persistence via Docker Shortcut Modification * ref url decoded * added exclusions * Update rules/macos/persistence_docker_shortcuts_plist_modification.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/macos/persistence_docker_shortcuts_plist_modification.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * exclude some noisy procs and conv to kql Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-01-26 08:38:38 +01:00
Samirbous	6883ea0aa6	[New Rule] Potential Persistence via Login Hook (#900 ) * [New Rule] Potential Persistence via Login Hook * Update persistence_loginwindow_plist_modification.toml * Update rules/macos/persistence_loginwindow_plist_modification.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_loginwindow_plist_modification.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_loginwindow_plist_modification.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_loginwindow_plist_modification.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update persistence_loginwindow_plist_modification.toml * Update rules/macos/persistence_loginwindow_plist_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-26 08:35:16 +01:00
Samirbous	dd2f655367	[New Rule] Potential Cookies Theft via Browser Debugging (#741 ) * [New Rule] Potential Cookies Theft via Browser Debugging * Update rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * added auditbeat * fixed error * excluded a common FP * added MSEdge Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-01-26 08:21:45 +01:00
Samirbous	1ae769a563	[New Rule] Creation of a Hidden Local User Account (#738 ) * [New Rule] Hidden User Local Account Creation * renamed rule Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-01-26 08:15:50 +01:00
Brent Murphy	7fdb6b2e80	Create persistence_time_provider_mod.toml (#890 )	2021-01-25 14:42:56 -05:00
Brent Murphy	ecbb57814a	Create credential_access_saved_creds_vaultcmd.toml (#884 )	2021-01-25 14:25:35 -05:00
Brent Murphy	4639df022b	[New Rule] Modification of WDigest Security Provider (#883 ) * Create credential_access_mod_wdigest_security_provider.toml * syntax tweaks	2021-01-25 13:54:36 -05:00
Brent Murphy	8c123785f0	[New Rule] Enumeration Command Spawned via WMIPrvSE (#882 ) * Create execution_enumeration_via_wmiprvse.toml * alignment	2021-01-25 13:46:26 -05:00
Brent Murphy	01c3c718f5	[New Rule] Executable File Creation with Multiple Extensions (#881 ) * Create defense_evasion_file_creation_mult_extension.toml * spacing * Update rules/windows/defense_evasion_file_creation_mult_extension.toml Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> * update query * alignment Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>	2021-01-25 13:40:25 -05:00
Brent Murphy	aa409111b8	[New Rule] Azure Active Directory High Risk Sign-in (#790 ) * [New Rule] Azure Active Directory High Risk Sign-in * Update initial_access_azure_active_directory_high_risk_signin.toml	2021-01-25 13:27:06 -05:00
Anabella Cristaldi	fb92c69797	[New Rule] Clearing Windows Security Logs (#529 ) * [New Rule] Clearing Windows Security Logs * Fix Date Format Error * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/windows/defense_evasion_clearing_windows_security_logs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Add Elastic tag Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * update maturity * Add Elastic to list of authors Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * bump updated_date Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-11 17:17:20 -07:00
Ross Wolf	a0ae05c78e	Fix spelling of Continuous Monitoring (#795 ) * Fix spelling of Continuous Monitoring * Update the updated_at date * Happy new year	2021-01-04 15:05:34 -07:00
Justin Ibarra	c1a0438f45	[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706 ) * replaced/removed all revoked/deprecated techniques * tests will fail on revoked (changed) techniques * tests will fail on deprecated techniques * tests will fail when techniques are mapped to an invalid tactic	2020-12-18 12:46:16 -09:00
Brent Murphy	627610401c	[Rule Tuning] Update rules for new Fleet integrations (#729 ) * update azure indicies * remove . in index to match prior cloud rules * update o365 indicies * add event.dataset:google_workspace.admin to existing google workspace rules * gcp syntax * add gcp index * update gcp index * update index patterns for google workspace rules * update gcp index2 * update updated_date * update event outcome for azure Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2020-12-18 12:23:12 -05:00
Andrew Pease	889828d473	[New Rule] SUNBURST Command and Control Activity Detected (#723 ) * bump package version to 7.12 * Auth to Kibana connector using an existing cookie (#711) * initial commit * simplified by any method not to solarwinds.com * Updates from review * updated desc and note * query readability * update to optimize query to pass unit tests * optimized * optimized * Update command_and_control_sunburst_c2_activity_detected.toml * Restore package version * updated rule after rebase * re-lint Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <bmurphy@endgame.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-15 14:41:54 -06:00
Samirbous	79a5ca9b78	[New Rule] APT Solarwinds Backdoor Behavior - 5 rules (#722 ) * bump package version to 7.12 * Auth to Kibana connector using an existing cookie (#711) * [New Rule] APT Solarwinds Bakcdoor Behavior - 3 rules * ruleID * fixed process names to include both 32 and 64bits * fixed process names to include both 32 and 64 bits * deleted unnecessary condition * adjusted rule to cover cmd and ps * renamed rule and fixed tactic * added rule to SW package - Exporting MailBox with Powershell * Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * added details to FP tag as sug by JLB * added rule New ActiveSync Allowed Device Added via PowerShell to SW pkg * Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * relinted * adjusted desc and FPs * adjusted alert name as sug by DevK * Update collection_email_powershell_exchange_mailbox.toml * Update collection_persistence_powershell_exch_mailbox_activesync_add_device.toml * Update rules/windows/collection_email_powershell_exchange_mailbox.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/collection_email_powershell_exchange_mailbox.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * updated registry to include symlink * Update rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * added T1195 as sug by JLB * added T1195 as sug by JLB * added T1195 as sug by JLB * added pwsh as sug by Dan * added pwsh as sug by Dan * [New Rule] Outbound Scheduled Tasks Activity via PowerShell (#725) * [New Rule] Outbound Scheduled Tasks Activity via PowerShell * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> * fixed - added pwsh to seq_netblock * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/windows/collection_email_powershell_exchange_mailbox.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Restore packages file Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>	2020-12-15 21:33:00 +01:00

... 40 41 42 43 44 ...

2412 Commits