security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

2412 Commits

Author SHA1 Message Date
Samirbous 49abcd7f4d [New Rule] Execution from unusual directory - CommandLine (#435) 
* [New Rule] Execution from unusual directory - cmdline

* Update execution_from_unusual_path_cmdline.toml

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* linted and added note as sug by JLB

* note

* ecs_version

* fixed path

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:13:52 +01:00
Samirbous 525512fdae [New Rule] Remote File Copy to a Hidden Share (#474) 
* [New Rule] Remote File Copy to a Hidden Share

* Update rules/windows/lateral_movement_remote_file_copy_hidden_share.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_remote_file_copy_hidden_share.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-08 16:07:18 +01:00
Samirbous 725f509700 [New Rule] LaunchDaemon Creation or Modification followed by Loading (#698) 
* [New Rule] LaunchDaemon Creation or Modification followed by Loading

* fix technique

* Update rules/macos/persistence_creation_modif_launch_deamon_sequence.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/persistence_creation_modif_launch_deamon_sequence.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 16:04:34 +01:00
Samirbous 46d6bc69a2 [New Rule] UAC Bypass via Mocking Windir (#411) 
* [New Rule] UAC Bypass via Mocking Windir

* added tags

* changed rule name

* adjusted args for performance

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 15:55:36 +01:00
Samirbous 3040f6103f [New Rule] Suspicious PrintSpooler Point and Print DLL (#641) 
* [New Rule] Suspicious PrintSpooler Point and Print DLL

* added example of execution data to the ref

* Update privilege_escalation_printspooler_registry_copyfiles.toml

* Update privilege_escalation_printspooler_registry_copyfiles.toml

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted plus extra ref URL

* eql syntax

* ecs_version

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 15:07:26 +01:00
Samirbous 3fda16db71 [Rule Tuning] Potential Modification of Accessibility Binaries (#546) 
* [Rule Tuning] Potential Modification of Accessibility Binaries

* replaced wildcard by in

* indentation more consistent for readability

* eql syntax

* ecs_version
 2020-12-08 12:42:34 +01:00
Samirbous d59b2cb72b [New Rule] Persistence with Startup Folder by Unsigned Process (#651) 
* [New Rule] Persistence with Startup Folder by Unsigned Process

* new line

* eql syntax

* ecs_version

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* dropped winlogbeat index

pe signature check details missing

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:39:44 +01:00
Samirbous 6dc78c4703 [New Rule] Remote File Download via Scripting (#647) 
* [New Rule] Remote File Download via Scripting

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* eql syntax

* ecs_version

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* deleted ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:37:51 +01:00
Samirbous c76439923b [New Rule] Attempt to Remove File Quarantine Attribute (#674) 
* [New Rule] Attempt to Remove File Quarantine Attribute

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:27:03 +01:00
Samirbous d1dc7b413e [New Rule] Apple Script Execution followed by Network Connection (#681) 
* [New Rule] Apple Script Execution followed by Network Connection

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* excluding LAN and loopback addresses

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:25:03 +01:00
Samirbous aeb061514c [New Rule] Persistence via Login and/or Logout Hooks (#683) 
* [New Rule] Persistence via Login and/or Logout Hooks

* fixed tags

* fixed tags

* added logouthook and extra refurl

* Update rules/macos/persistence_login_logout_hooks_defaults.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_login_logout_hooks_defaults.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/macos/persistence_login_logout_hooks_defaults.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:09:36 +01:00
Samirbous bb93988926 [Rule Tuning] Unusual Network Connection via RunDLL32 (#693) 
* [Rule Tuning] Unusual Network Connection via RunDLL32

* excluding dns traffic

* Update rules/windows/execution_unusual_network_connection_via_rundll32.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:01:17 +01:00
Samirbous 844a56b125 [New Rule] Execution with Explicit Credentials via Apple Scripting (#689) 
* [New Rule] Execution with Explicit Credentials via Apple Scripting

* fixing tactic

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added ref

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:57:52 +01:00
Samirbous f756619478 [New Rule] Persistence via Folder Action Script (#685) 
* [New Rule] Persistence via Folder Action Script

* Update persistence_folder_action_scripts_runtime.toml

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:51:52 +01:00
Samirbous b8243f3739 [New Rule] Shell Execution via Apple Scripting (#687) 
* [New Rule] Shell Execution via Apple Scripting

* fixed description and relinted

* added extra ref url

* references url

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:45:39 +01:00
Samirbous 3f8a7573f7 [New Rule] Remotely Started Services (#542) 
* [New Rule] Remotely Started Services

* added a common FP msiexec

* Update lateral_movement_remote_services.toml

* eql syntax

* Update rules/windows/lateral_movement_remote_services.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update lateral_movement_remote_services.toml

* port numb

* ecs_version

* added RPC to alert name

* Update rules/windows/lateral_movement_remote_services.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:31:03 +01:00
Samirbous 0f17ad6839 [New Rule] Incoming Execution with WinRM Remote Shell (#616) 
* [New Rule] Incoming Execution with WinRM Remote Shell

* MITRE TID Mapping

removed also unnecessary sequence events

* Update lateral_movement_incoming_winrm_shell_execution.toml

* eql syntax

* ecs_version

* excluding localhost

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:28:37 +01:00
Samirbous b477255abe [New Rule] Potential DNS Tunneling with Nslookup (#522) 
* [New Rule] Potential DNS Tunneling with Nslookup

* adjusted tags

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* ecs_version

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-07 20:16:17 +01:00
Samirbous 6c37d5c6b4 [New Rule] Potential ProcessHerpaderping Detected (#418) 
* [New Rule] Suspicious Execution via File Overwrite

* Update defense_evasion_overwrite_followed_by_execution.toml

* Update defense_evasion_overwrite_followed_by_execution.toml

* removed timeline_id

* fixed logic and also added references URL

* tuned logic to exclude potential FPs

not an actual FP, but only observed executable file overwrite by default on Windows is related to SoftwareDistribution, this does not match the sequence (Process Execution followed by Same Process File Overwrite) but added it to exclusion just in case.

* adjusted a bit desc and name

* changed rule file name

* adjusted executable.path for performance

avoiding leading wildcard, users can customize rule if they have different drive letters

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* lint

* ecs_version

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* deleted ecs_version

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* changed rule name as per ross sugges

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-07 20:08:12 +01:00
Samirbous af85c27142 [New Rule] Peripheral Device Discovery (#446) 
* [New Rule] Peripheral Device Discovery

* removed timeline_id

* adjusted cmdline

* adjusted args for better performance

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 20:55:19 +01:00
Samirbous 9460618129 [New Rule ] Incoming DCOM Lateral Movement with MSHTA (#459) 
* [New Rule ] Remote Execution via DCOM - MSHTA

* corrected tactic

* removed timeline_id

* added host.id and tightened the netcon clause

* changed rule description and name

* removed parent process names

as condition its optional since process.args is explicit.

* Update rules/windows/lateral_movement_dcom_hta.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/lateral_movement_dcom_hta.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* localhost filtering

* Update rules/windows/lateral_movement_dcom_hta.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 20:49:54 +01:00
Brent Murphy 86b1a56c1b [New Rule] Attempts to Brute Force a Microsoft 365 User Account (#662) 
* [New Rule] Attempts to Brute Force an O365 User Account

* Update credential_access_o365_brute_force_user_account_attempt.toml

* rebrand to m365

* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml

* update description
 2020-12-04 12:40:09 -05:00
Samirbous 181bbcb8c9 [New Rule] Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindow (#486) 
* [New Rule] Remote Execution via DCOM - ShellBrowserWindow or ShellWindows

* adjusted rule description and name

* Update rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* filtering localhost

* Update lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

* eql syntax

* ecs_version

* Update rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted and del ecs_vers

* re-linted

* deleted ecs_version

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 17:37:31 +01:00
Samirbous da949b0051 [New Rule] Potential SSH Bruteforce Detected (#538) 
* [New Rule] Potential SSH Bruteforce Detected

* Update credential_access_potential_ssh_bruteforce.toml

* added parent process condition

* Update rules/macos/credential_access_potential_ssh_bruteforce.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* spaces

* ecs_version

* Update rules/macos/credential_access_potential_ssh_bruteforce.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_potential_ssh_bruteforce.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_potential_ssh_bruteforce.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 17:18:03 +01:00
Samirbous 5c1229cc63 [New Rule] Suspicious Service ImagePath Created (#603) 
* [New Rule] Suspicious Service ImagePath Created

* fixed rule name

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* fixed technique name

* Update persistence_suspicious_service_created_registry.toml

* new MITRE mapping not yet supported

* eql syntax

* ecs_version

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 17:14:54 +01:00
Samirbous 7775515b55 [New Rule] Privilege Escalation via Named Pipe Impersonation (#605) 
* [New Rule] Privilege Escalation via Named Pipe Impersonation

* added a reference url

* fixed PS OFN

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* eql syntax

* ecs_version

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 17:05:30 +01:00
Samirbous c7d7bd7fdd [New Rule] Suspicious PowerShell Engine ImageLoad (#559) 
* [New Rule] Suspicious PowerShell Engine ImageLoad

* Update rules/windows/defense_evasion_suspicious_powershell_imgload.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* eql syntax

* ecs_version

* Update rules/windows/defense_evasion_suspicious_powershell_imgload.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_powershell_imgload.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 16:48:01 +01:00
Samirbous 0eacf484a0 [New Rule] Scheduled Task Created by a Windows Script (#649) 
* [New Rule] Scheduled Task Created via Windows Scripts

* added powershell

* Update persistence_local_scheduled_task_scripting.toml

* Update rules/windows/persistence_local_scheduled_task_scripting.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* increased maxspan as per Dan sugg

* eql syntax

* eql syntax

* ecs_version

* Update rules/windows/persistence_local_scheduled_task_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-03 23:10:51 +01:00
Samirbous 41dd58b151 [Rule Tuning] Persistence via TelemetryController Scheduled Task Hijack (#655) 
* [Rule Tuning] Persistence via TelemetryController Scheduled Task Hijack

* ecs_version
 2020-12-03 22:59:46 +01:00
Samirbous 11041e0012 [New Rule] UAC Bypass via privileged IFileOperation (#416) 
* [New Rule] Bypass UAC via privileged IFileOp

* Update privilege_escalation_uac_bypass_dll_sideloading.toml

* Update rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update privilege_escalation_uac_bypass_dll_sideloading.toml

* adjusted file.path for performance

avoiding leading wildcard, rule can be customized by users if default drive letter is different

* new EQL syntax

* Update privilege_escalation_uac_bypass_dll_sideloading.toml

* ecs_version

* removed new lines

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-03 20:43:57 +01:00
Samirbous 54b926a7bf [Rule Tuning] Process Potentially Masquerading as WerFault (#653) 
* [Rule Tuning] Process Potentially Masquerading as WerFault

* Update defense_evasion_masquerading_werfault.toml

* converted from kql to eql sequence for more precision

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* relinted

* eql syntax

* ecs_version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-03 20:26:37 +01:00
Justin Ibarra 4b6ad77338 [Rule Tuning] Remove usage of winlog.event_data.OriginalFileName (#667) 2020-12-03 01:00:24 -09:00
Samirbous 3ac232085b [New Rule] Remote Desktop Enabled in Windows Firewall (#368) 
* [New Rule] Inbound RDP Enabled

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* changed tags

* expanded args condition

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* adjusted process args

* renamed rule and added equivalent process args

* Update rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* fixing unit test errors

* original file name

* ecs_version

* Update rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-02 21:27:18 +01:00
Samirbous 30cded7a2d [New Rule] Lateral Movement via Startup Folder (#663) 
* [New Rule] Lateral Movement via Startup Folder

* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-02 21:22:43 +01:00
Samirbous 3deff0eeb8 [New Rule] Remote Execution via File Shares (#455) 
* [New Rule] Remote Execution via File Shares

* removed timeline_id

* fixed tags

* added extension to reduce response time

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-02 21:20:13 +01:00
Samirbous e03f775789 [New Rule] Lateral Executable Transfer Over SMB (#517) 
* [New Rule] Lateral Executable Transfer Over SMB

* adjusted maxspan, address and extensions

* changed rule name

* Update rules/windows/lateral_movement_executable_tool_transfer_smb.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* eql syntax

* ecs_version

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-12-02 21:03:31 +01:00
Samirbous e6645a8be9 [Rule Tuning] Clearing or Disabling Windows Event Logs (#393) 
* [Rule Tuning] Clearing or Disabling Windows Event Logs

* added tags

* Update defense_evasion_clearing_windows_event_logs.toml

* Update rules/windows/defense_evasion_clearing_windows_event_logs.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* updated the rule update date

* linted

* fixing unit test error

* Update rules/windows/defense_evasion_clearing_windows_event_logs.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
 2020-12-02 20:35:35 +01:00
Samirbous db2d17ccb2 [New Rule] Credential Acquisition via Registry Hive Dumping (#607) 
* [New Rule] Credential Acquisition via Registry Hive Dumping

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* fixed MITRE technique details

* fixed TID

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update credential_access_dump_registry_hives.toml

* as per Justin suggestion case insensitivity is not issue 7.11

* Update credential_access_dump_registry_hives.toml

* new MITRE mapping errors

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_dump_registry_hives.toml

* added :

* changed process.args:(a, b) to process.args: a or process.args:b

while testing on 7.10 process.args : (a , b) generate an error

* adjusted query as per JLB and RW suggestion

* eql syntax

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-02 20:31:22 +01:00
Brent Murphy f23881f1b8 [New Rule] Microsoft 365 Exchange DLP Policy Removed (#600) 
* [New Rule] O365 Exchange DLP Policy Removed

* rebrand to m365

* update description
 2020-12-02 14:18:11 -05:00
Brent Murphy 427012ed32 [New Rule] Microsoft 365 Exchange Management Group Role Assignment (#599) 
* [New Rule] O365 Exchange Management Role Assignment

* Update persistence_o365_exchange_management_role_assignment.toml

* rebrand to m365
 2020-12-02 14:11:33 -05:00
Brent Murphy ec4cd98ce8 [Rule Tuning] Rebrand Office 365 to Microsoft 365 (#669) 2020-12-02 14:04:48 -05:00
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570) 
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
 2020-12-01 13:24:20 -09:00
David French ee82ada716 [Rule Tuning] Update IP Address Ranges in Multiple Rules (#576) 
* add additional IP ranges and format for readability

* remove superfluous "or" operators
 2020-12-01 13:38:47 -07:00
Samirbous dc9c63d043 [New Rule] Unusual Svchost ChildProc - ChildLess Services (#370) 
* [New Rule] Unusual Svchost ChildProc - ChildLess Services

* changed tags

* changed rule filename

* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-01 20:30:03 +01:00
Samirbous 61fe8a59ff [New Rule] WebServer Access Logs Deleted (#457) 
* [New Rule] WebServer Access Logs Deleted

* removed timeline_id

* added drive letter for better perf

* Update rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update defense_evasion_deleting_websvr_access_logs.toml

* changed severity from low to medium

* fixed duplicate text in description

* Update rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-01 10:48:55 +01:00
Samirbous 0fe12d2528 [New Rule] Suspicious Explorer Child Process (#430) 
* [New Rule] Suspicious Explorer Child Process

* Update execution_via_explorer_suspicious_child_parent_args.toml

* removed timeline_id

* fixed typo

* adjusted args for better performance

* Update rules/windows/execution_via_explorer_suspicious_child_parent_args.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_via_explorer_suspicious_child_parent_args.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-01 00:00:40 +01:00
Ross Wolf 710f4bda10 Add file.extension to SxS .local rule 2020-11-30 15:26:28 -07:00
Samirbous 2465a70dac [New Rule] Execution via local SxS Shared Module (#424) 
* [New Rule] Execution via local SxS Shared Module

* Update execution_shared_modules_local_sxs_dll.toml

* Update execution_shared_modules_local_sxs_dll.toml

* added tags

* added drive letter for less performance impact

* Update rules/windows/execution_shared_modules_local_sxs_dll.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_shared_modules_local_sxs_dll.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_shared_modules_local_sxs_dll.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-11-30 23:24:44 +01:00
Samirbous 7138b01001 [New Rule] Potential Command and Control via IEXPLORE (#645) 
* [New Rule] Potential Command and Control via IEXPLORE

* Update command_and_control_iexplore_via_com.toml

* Update command_and_control_iexplore_via_com.toml

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-11-30 21:13:30 +01:00
Samirbous 14ef24e9dd [New Rule] Command shell activity started via rundll32 (#391) 
* [New Rule] Command shell activity started via rundll32

* added tag

* adjusted parent args for performance

avoid leading wildcard

* filtered a common FP

* Update execution_command_shell_via_rundll32.toml

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-11-30 21:02:57 +01:00