* [New Rule] Connection to Commonly Abused Web Services
* Update command_and_control_common_webservices.toml
* Update rules/windows/command_and_control_common_webservices.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* added notabug.org as suggested by Daniel
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* [New Rule] Bypass UAC via Windows Firewall Snap-in Hijack
* Delete workspace.xml
* Update privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
* Update privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* [New Rule] Persistence via MS Office Addins
* Update persistence_ms_office_addins_file.toml
* Update persistence_ms_office_addins_file.toml
* Update persistence_ms_office_addins_file.toml
* Update persistence_ms_office_addins_file.toml
* fixed extension and relaxed file.path
* updated references
* changed leading wildcard for perf
* Update rules/windows/persistence_ms_office_addins_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/persistence_ms_office_addins_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* rune-okta-rule-metadata
* update note field to include fleet integration info
* separate okta policy rule modification and deletion into two rules
* rename file to align with style of others
* fix syntax typo
* separate zone and policy deactivation, deletion, and modification actions into separate rules
* fix typo
* fix tpyo 🙃
* Use "detects" instead of "identifies" in description
* Use "detects" instead of "identifies" in description
* Use "detects" instead of "identifies" in description
* Use "detects" instead of "identifies" in description
* [New Rule] Remote Desktop Tunneling using SSH Plink Utility
* Update lateral_movement_rdp_tunnel_plink.toml
* Update lateral_movement_rdp_tunnel_plink.toml
* changed tags
* expanded condition to more than plink
there are other SSH utilities that can be used as Plink thus removed the process original filename condition and added mandatory switches such as -L -P and -R.
* Update lateral_movement_rdp_tunnel_plink.toml
* more args options
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* [New Rule] Security Software Discovery using WMIC
* added tags
* adjusted args for performance
avoiding leading wildcard in process args
* Update discovery_security_software_wmic.toml
* Update discovery_security_software_wmic.toml
* Update discovery_security_software_wmic.toml
* Update rules/windows/discovery_security_software_wmic.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/discovery_security_software_wmic.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
- Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
* Tweak Rules for 7.10
* Add endpoint index for packetbeat rules
* update unit test to account for Network tag as well
* update modified date, add endpoint tag
* use Host instead of Endpoint
* Update packaging.py
* add v back to changelog url
* Add "tag" comment to get_markdown_rule_info
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Samirbous