Commit Graph

2412 Commits

Author SHA1 Message Date
David French be4b5bb1c1 [New Rule] GCP Storage Bucket Deleted (#315)
* new-rule-gcp-storage-bucket-deleted

* Add FP info to rule

* Update rule name

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:17:52 -06:00
David French 2b4044081e [New Rule] GCP Key Created for Service Account (#314)
* new-rule-gcp-key-created-for-service-account

* Add FP info to rule

* Update name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:16:18 -06:00
David French bda33a559b [New Rule] GCP Storage Bucket Permissions Modified (#313)
* new-rule-gcp-storage-bucket-permissions-modified

* Add FP info to rule

* Update name to make Brent a happy chappy

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:14:13 -06:00
Brent Murphy e6326afd5d Create collection_gcp_pub_sub_topic_creation.toml (#331) 2020-09-24 11:12:59 -04:00
David French 93f57b22f7 [New Rule] GCP Firewall Rule Modified (#311)
* new-rule-gcp-firewall-rule-modified

* Update rule maturity to production

* Add FP info to rule

* Add ATT&CK metadata

* Lint rule

* Update name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:06:19 -06:00
David French 369d4f4a85 [New Rule] GCP Firewall Rule Deleted (#310)
* new-rule-gcp-firewall-rule-deleted

* Update rule maturity to production

* Add FP info to rule

* Update rule maturity to production

* Add ATT&CK metadata

* Lint rule

* Update name to align with other rules

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:03:55 -06:00
Brent Murphy 968a3b4406 Create impact_gcp_iam_role_deltion.toml (#329) 2020-09-24 10:51:10 -04:00
Brent Murphy 275433596d Create exfiltration_gcp_logging_sink_modification.toml (#317) 2020-09-24 10:32:10 -04:00
Brent Murphy eef4f54dba Create initial_access_gcp_iam_custom_role_creation.toml (#316)
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-24 10:19:40 -04:00
Brent Murphy 56fc99f152 [New Rule] GCP IAM Service Account Key Deletion (#309)
* Create credential_access_gcp_iam_service_account_key_deletion.toml

* remove extra word in fp info

* linting
2020-09-24 10:15:15 -04:00
Craig Chamberlain e39d857a11 [New Rule] Unusual Linux System Network Configuration Discovery (#265)
* Create ml_linux_system_network_configuration_discovery.toml

ML rule to accompany the network configuration discovery job

* Update ml_linux_system_network_configuration_discovery.toml

added fp field

* Update ml_linux_system_network_configuration_discovery.toml

* Update ml_linux_system_network_configuration_discovery.toml

linting

* Update ml_linux_system_network_configuration_discovery.toml

* Update ml_linux_system_network_configuration_discovery.toml

* Update rules/ml/ml_linux_system_network_configuration_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-24 09:07:34 -04:00
Justin Ibarra 065bcd8018 Refresh ATT&CK data to v7.2 and expand threat validation (#330)
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
2020-09-23 22:03:29 -08:00
Craig Chamberlain 1e43896cf1 [New Rule] Unusual Process Calling the Metadata Service [Windows] (#323)
* Create ml_windows_anomalous_metadata_process.toml

rule create

* Update rules/ml/ml_windows_anomalous_metadata_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_windows_anomalous_metadata_process.toml

* Update ml_windows_anomalous_metadata_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-23 15:50:43 -04:00
Craig Chamberlain dd65dad9dc [New Rule] Unusual Process Calling the Metadata Service [Linux] (#321)
* Create ml_linux_anomalous_metadata_process.toml

rule creation

* Update rules/ml/ml_linux_anomalous_metadata_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_linux_anomalous_metadata_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-23 15:29:48 -04:00
Samirbous 87e1c92011 [New Rule] Unusual System Virtual Process Child Program (#181)
* [New Rule] Unusual System Virtual Process Child Program

* Update defense_evasion_unusual_system_vp_child_program.toml

* Update defense_evasion_unusual_system_vp_child_program.toml

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 22:45:50 +02:00
Samirbous 431dcc17a4 [New Rule] Remote File Download via Desktopimgdownldr Utility (#249)
* [New Rule] Remote File Download via Desktopimgdownldr Utility

* Update command_and_control_remote_file_copy_desktopimgdownldr.toml

* Update rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Lint rule

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 22:41:26 +02:00
Samirbous 9d884b6452 [New Rule] Potential DLL SideLoading via Trusted Microsoft Programs (#253)
* [New Rule] Potential DLL SideLoading via Trusted Microsoft Programs

* Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_execution_suspicious_explorer_winword.toml

* Update defense_evasion_execution_suspicious_explorer_winword.toml

* Added 2 more known vulnerable programs Dism.exe and w3wp.exe

* Update defense_evasion_execution_suspicious_explorer_winword.toml

* linted

* Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 22:39:35 +02:00
Craig Chamberlain baefaeeaff [New Rule] Unusual Linux Network Connection Discovery (#266)
* Create ml_linux_system_network_connection_discovery.toml

ML rule to accompany the unusual network connection discovery job

* Update ml_linux_system_network_connection_discovery.toml

set author

* Update ml_linux_system_network_connection_discovery.toml

added false positive field

* Update ml_linux_system_network_connection_discovery.toml

* Update ml_linux_system_network_connection_discovery.toml

linting

* Update rules/ml/ml_linux_system_network_connection_discovery.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update ml_linux_system_network_connection_discovery.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-22 16:27:17 -04:00
Craig Chamberlain f1f88e3b3a [New Rule] Unusual Linux System Information Discovery Activity (#264)
* Create ml_linux_system_information_discovery.toml

rule to accompany the system information discovery job

* Update ml_linux_system_information_discovery.toml

* Update ml_linux_system_information_discovery.toml

added fp field

* Update ml_linux_system_information_discovery.toml

* Update ml_linux_system_information_discovery.toml

linting

* Update ml_linux_system_information_discovery.toml

* Update rules/ml/ml_linux_system_information_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 16:25:59 -04:00
Craig Chamberlain 92633ed51a [New Rule] Anomalous Linux Compiler Activity (#262)
* Create ml_linux_anomalous_compiler_activity.toml

rule to accompany the rare compiler activity job

* Update ml_linux_anomalous_compiler_activity.toml

added fp field

* Update ml_linux_anomalous_compiler_activity.toml

* Update ml_linux_anomalous_compiler_activity.toml

* Update ml_linux_anomalous_compiler_activity.toml
2020-09-22 16:24:32 -04:00
Craig Chamberlain 8e2d4cbfc8 [New Rule] Unusual Linux System Owner or User Discovery Activity (#267)
* Create ml_linux_system_user_discovery.toml

ML rule to accompany the unusual system owner / user discovery job

* Update rules/ml/ml_linux_system_user_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update ml_linux_system_user_discovery.toml

added fp field

* Update ml_linux_system_user_discovery.toml

* Update ml_linux_system_user_discovery.toml

* Update ml_linux_system_user_discovery.toml

* Update ml_linux_system_user_discovery.toml

lint

* Update ml_linux_system_user_discovery.toml

* Update rules/ml/ml_linux_system_user_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 16:22:41 -04:00
Craig Chamberlain 0a0c5986c5 [New Rule] Anomalous Kernel Module Activity (#257)
* Create ml_linux_rare_kernel_module_arguments.toml

* rare module rule

* Update ml_linux_anomalous_kernel_module_arguments.toml

* Update ml_linux_anomalous_kernel_module_arguments.toml

* Update ml_linux_anomalous_kernel_module_arguments.toml

* Update rules/ml/ml_linux_anomalous_kernel_module_arguments.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 16:18:51 -04:00
Craig Chamberlain 14a62ae93f [New Rule] Unusual Linux Process Discovery Activity (#261)
* Create ml_linux_system_process_discovery.toml

* Update ml_linux_system_process_discovery.toml

* Update ml_linux_system_process_discovery.toml

added fp field

* Update ml_linux_system_process_discovery.toml

* Update ml_linux_system_process_discovery.toml

* Update rules/ml/ml_linux_system_process_discovery.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* linting

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
2020-09-22 16:15:36 -04:00
David French cedb2e1289 [New Rule] Azure Conditional Access Policy Modified (#237)
* new-rule-azure-conditional-access-policy-modified

* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml

Update maturity to production

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml

* Update query to include result value

* Update rules/azure/defense_evasion_azure_conditional_access_policy_modified.toml

* Update query to search both the Azure audit logs and activity logs

* Optimize formatting of query

* Tweak consent grant attack rule

Amending the query in rule, "Possible Consent Grant Attack via Azure-Registered Application" to search both the Azure activity and audit logs

* Tweak formatting of query to improve Brent's happiness level

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-22 09:28:32 -06:00
David French 11145ffb7f [New Rule] Possible Consent Grant Attack via Azure-Registered Application (#236)
* new-rule-illicit-consent-grant-attack

* Update initial_access_consent_grant_attack_via_azure_registered_application.toml

Move detailed info and investigation notes to notes field

* Update query to include result field

* Update rules/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
2020-09-22 08:30:34 -06:00
Samirbous e2a0172d7d [New Rule] Remote File Download via MpCmdRun (#247)
* [New Rule] Remote File Download via MpCmdRun

* added ref

* Update command_and_control_remote_file_copy_mpcmdrun.toml

* Update command_and_control_remote_file_copy_mpcmdrun.toml

* Update command_and_control_remote_file_copy_mpcmdrun.toml

* Update rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-09-22 14:44:48 +02:00
Samirbous f750b89201 [New Rule] Remote File Copy via TeamViewer (#241)
* [New Rule] Remote File Copy via TeamViewer

* Update command_and_control_teamviewer_remote_file_copy.toml

* Update command_and_control_teamviewer_remote_file_copy.toml

* Update rules/windows/command_and_control_teamviewer_remote_file_copy.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:43:32 +02:00
Samirbous c2e95a35dc [New Rule] Evasion via Renamed AutoIt Scripts Interpreter (#234)
* [New Rule] Evasion via Renamed AutoIt Scripts Interpreter

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update defense_evasion_masquerading_renamed_autoit.toml

* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:39:04 +02:00
Samirbous 4948582d7c [New Rule] Mimikatz Memssp Logs File Detected (#228)
* [New Rule] Mimikatz Memssp Logs File Detected

* Update rules/windows/credential_access_mimikatz_memssp_default_logs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_mimikatz_memssp_default_logs.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:37:40 +02:00
Samirbous 69b2f9f645 [New Rule] Code Injection - Suspicious Conhost Child Process (#226)
* [New Rule] Code Injection - Suspicious Conhost Child Process

* Update rules/windows/defense_evasion_code_injection_conhost.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_injection_conhost.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update rules/windows/defense_evasion_code_injection_conhost.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:35:56 +02:00
Samirbous d43f814c19 [New Rule] Suspicious Elastic Endpoint Parent Process (#214)
* [New Rule] Suspicious Elastic Endpoint Parent Process

* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml

* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 14:34:11 +02:00
Samirbous 42247efc3b [New Rule] Suspicious WerFault Child Process (#212)
* [New Rule] Suspicious WerFault Child Process

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* linted

* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-22 14:32:04 +02:00
Samirbous 96992b3ae6 [New Rule] Potential Process Masquerading as WerFault (#210)
* [New Rule] Potential Process Masquerading as WerFault

* Update defense_evasion_masquerading_werfault.toml

* Update defense_evasion_masquerading_werfault.toml

* Update defense_evasion_masquerading_werfault.toml

* Update defense_evasion_masquerading_werfault.toml

* Update defense_evasion_masquerading_werfault.toml

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:30:34 +02:00
Samirbous 52b6657d09 [New Rule] Suspicious .Net Compiler Parent Process (#208)
* [New Rule] Suspicious dotNet Compiler Parent Process

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 14:28:41 +02:00
Samirbous ae13adf0a9 [New Rule] Suspicious managed code hosting process (#204)
* [New Rule] Suspicious managed code hosting process

* Update defense_evasion_suspicious_managedcode_host_process.toml

* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_suspicious_managedcode_host_process.toml

* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:27:03 +02:00
Samirbous 3890a90135 [Rule Tuning] Unusual Parent-Child Relationship (#185)
* [Rule Tuning] Unusual Parent-Child Relationship

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml
2020-09-22 14:25:27 +02:00
Samirbous 601a5a1e5b [New Rule] - Executable File Created by a System Critical Process (#183)
* Unusual Executable File Creation by a System Critical Process

* Update defense_evasion_system_critical_proc_abnormal_file_activity.toml

* Update rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update defense_evasion_system_critical_proc_abnormal_file_activity.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:23:37 +02:00
Samirbous 3e67e8fada [New Rule] Remote SSH Login Enabled (#172)
* [New Rule] Remote SSH Login Enabled

* Update lateral_movement_remote_ssh_login_enabled.toml

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:21:20 +02:00
Samirbous 2ce8c2833f [New Rule] Microsoft IIS Service Account Password Dumped (#167)
* [New Rule] Microsoft IIS Service Account Password Dumped

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Linted

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 13:58:57 +02:00
Samirbous ff097719af [New Rule] UAC Bypass via DiskCleanup Task Hijack (#160)
* [New Rule] UAC Bypass via DiskCleanup Task Hijack

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 13:57:37 +02:00
Samirbous 9926071b0d [New Rule] - Execution via Hidden Shell (#154)
* [New Rule] - Execution via Hidden Shell

* Update execution_via_hidden_shell_conhost.toml

* Update execution_via_hidden_shell_conhost.toml

* Update execution_via_hidden_shell_conhost.toml

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_via_hidden_shell_conhost.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 13:56:19 +02:00
Samirbous 79e7f17130 [New Rule] - Persistence via TelemetryController Scheduled Task Hijack (#150)
* [New Rule] - Persistence via TelemetryController Scheduled Task Hijack

* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml

* Update rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-22 13:54:51 +02:00
Samirbous 822453b32c [New Rule] - Suspicious PsExec Execution (#134)
* [New Rule] - Suspicious PsExec Execution

* Update defense_evasion_execution_suspicious_psexesvc.toml

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update defense_evasion_execution_suspicious_psexesvc.toml

* Update rules/windows/defense_evasion_execution_suspicious_psexesvc.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 13:52:01 +02:00
Samirbous 9590bc3f68 [New Rule] Execution via xp_cmdshell MSSQL stored procedure (#132)
* [New Rule] Execution via xp_cmdshell MSSQL stored procedure

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update execution_via_xp_cmdshell_mssql_stored_procedure.toml

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 13:48:54 +02:00
Samirbous cdbd3c0640 [Rule Tuning] - Tuning of 3 Existing Windows Rules (#123)
* tuning of 3 existing rules

added not to accessibility rule
added whoami to system identity running discovery utility
added regasm.exe to registration utility performing ntcon

* Update rules/windows/discovery_net_command_system_account.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update execution_register_server_program_connecting_to_the_internet.toml

* Update execution_register_server_program_connecting_to_the_internet.toml

* Update execution_register_server_program_connecting_to_the_internet.toml

* Update execution_register_server_program_connecting_to_the_internet.toml

* Update persistence_priv_escalation_via_accessibility_features.toml

* Update discovery_net_command_system_account.toml

* Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_net_command_system_account.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 13:47:22 +02:00
Brent Murphy 6a1e97cd06 [Rule Tuning] Update AWS rules to account for Agent index (#256)
* Update AWS rules

* change updated date
2020-09-21 09:04:50 -04:00
David French 4041fc8bde update-okta-rules-for-ingest-manager-compatibility (#295) 2020-09-15 15:42:38 -06:00
Brent Murphy 140091e7b8 [New Rule] Azure Storage Account Key Regenerated (#188)
* Create credential_access_storage_account_key_regenerated.toml

* Update rules/azure/credential_access_storage_account_key_regenerated.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update credential_access_storage_account_key_regenerated.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 14:08:48 -04:00
Brent Murphy 040f56ff0c [New Rule] Azure Network Watcher Deletion (#232) 2020-09-04 12:18:18 -04:00
Brent Murphy 21431101b7 [New Rule] Azure External Guest User Invitation (#231)
* Create initial_access_external_guest_user_invite.toml

* Update rules/azure/initial_access_external_guest_user_invite.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* update mitre metadata

* lint

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-04 12:11:13 -04:00