security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

3314 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Jonhnathan 239384497f [New Rule] PowerShell MiniDump Script (#1528) 
* PowerShell MiniDump Script Initial Rule

* Update credential_access_posh_minidump.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_posh_minidump.toml

* Update rules/windows/credential_access_posh_minidump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-26 12:09:16 -03:00
Jonhnathan 4524c175c8 Add missing Integration field (#1537) 
* Add missing Integration field

* Bump updated_date

* Add test for integration<->path

* Fix rule folder

* bump updated date in rule

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2021-10-26 12:05:12 -03:00
Austin Songer 89553d84a9 [New Rule] AWS Route Table Created (#1257) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_route_table_created.toml

* Update persistence_route_table_created.toml

* Update rules/persistence_route_table_created.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update persistence_route_table_created.toml

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_table_created.toml

* Update

* Update

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-26 10:25:53 -03:00
Justin Ibarra 5a69ceb0c5 Add test for improper rule demotion (released production -> development) (#1555) 2021-10-19 21:47:36 -08:00
Justin Ibarra 5bdf70e72c Add min_stack_comments to metadata schema (#1573) 
* Add min_stack_comments to metadata schema
 2021-10-19 20:52:53 -08:00
Jonhnathan f50fb1d61b [New Rule] Suspicious Portable Executable Encoded in Powershell Script (#1562) 
* Create execution_posh_portable_executable.toml

* Add wildcard

* Remove the wildcard

* Update rules/windows/execution_posh_portable_executable.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-18 17:50:16 -03:00
Austin Songer 3ab67d1562 [New Rule] AWS EventBridge Rule Disabled or Deleted (#1572) 
* Create aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Rename aws_eventbridge_rule_disabled_or_deleted.toml to impact_aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-18 15:36:21 -03:00
Austin Songer cf2b3ee753 [New Rule] DNS-over-HTTPS Enabled by Registry (#1379) 
* Create defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-10-15 23:25:12 -03:00
Austin Songer 2c39bb962f [New Rule] AWS EFS File System or Mount Deleted (#1462) 
* AWS EFS File System or Mount Deleted

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update impact_efs_filesystem_or_mount_deleted.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 23:23:07 -03:00
Austin Songer 702524b1f7 [New Rule] AWS Suspicious SAML Activity (#1498) 
* Create privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Add trailing /

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 23:11:15 -03:00
Austin Songer 50501bb40f [New Rule] Azure Full Network Packet Capture Detected (#1420) 
* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Delete defense_evasion_virtual_network_device_modified.toml

* Create exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Rename exfiltration_azure_full_network_packet_capture_detected.toml to credential_access_azure_full_network_packet_capture_detected.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 23:06:27 -03:00
Austin Songer 790586fb57 [New Rule] Azure Virtual Network Device Modified or Deleted (#1421) 
* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Delete defense_evasion_virtual_network_device_modified.toml

* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_virtual_network_device_modified.toml

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename defense_evasion_virtual_network_device_modified.toml to impact_virtual_network_device_modified.toml

* fix description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 16:11:05 -03:00
Austin Songer 761df5fe84 [New Rule] Azure Kubernetes Pods Deleted (#1309) 
* Create impact_kubernetes_pod_deleted.toml

* Update impact_kubernetes_pod_deleted.toml

* Update

* Update impact_kubernetes_pod_deleted.toml

* quote value in query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 16:07:39 -03:00
Austin Songer dc980effb0 [New Rule] AWS RDS Snapshot Restored (#1312) 
* Create exfiltration_rds_snapshot_restored.toml

* Update exfiltration_rds_snapshot_restored.toml

* Delete exfiltration_rds_snapshot_restored.toml

* Create exfiltration_rds_snapshot_restored.toml

* Update

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update exfiltration_rds_snapshot_restored.toml

* Update exfiltration_rds_snapshot_restored.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 16:05:00 -03:00
Austin Songer 3303a4e255 [New Rule] Microsoft 365 - Mass download by a single user (#1348) 
* Create impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 16:01:50 -03:00
Austin Songer 90504915ad [New Rule] AWS Route53 hosted zone associated with a VPC (#1365) 
* Create persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 15:59:33 -03:00
Austin Songer d7eab5bbf3 [New Rule] AWS STS AssumeRole Usage (#1214) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create lateral_movement_sts_assumerole_abuse.toml

* Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update and rename privilege_escalation_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_usage.toml

* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Add note field

* Update privilege_escalation_sts_assumerole_usage.toml

* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Adding Reference

* Expand STS

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 15:56:10 -03:00
Austin Songer 27ba204f1c [New Rule] GCP Kubernetes Rolebindings Created or Patched (#1267) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/gcp/credential_access_gcp_kubernetes_rolebindings_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update and rename credential_access_gcp_kubernetes_rolebindings_creation.toml to credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Rename credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml to privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

* remove space from query

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-15 15:42:25 -03:00
Austin Songer 7123d46623 [New Rule] Azure Blob Permissions Modification (#1499) 
* Create defense_evasion_azure_blob_permissions_modified.toml

* Update defense_evasion_azure_blob_permissions_modified.toml

* Update defense_evasion_azure_blob_permissions_modified.toml

* Update description and query (spacing)

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-14 06:59:24 -03:00
Austin Songer 3d15c2072d [New Rule] Azure Kubernetes Events Deleted (#1307) 
* Create defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update

* Update defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Add quotes to azure query field

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-14 06:57:33 -03:00
Jonhnathan b7dcbbae72 [New Rule] PowerShell Suspicious Discovery Related Windows API Functions (#1548) 
* PowerShell Suspicious Discovery Related Windows API Functions Initial Rule

* Update severity

* Lint

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-14 06:54:45 -03:00
Jonhnathan cc241c0b5e [Rule Tuning] Update network.direction (#1547) 
* Update network.direction

* bump updated_date
 2021-10-13 21:46:36 -03:00
github-actions[bot] c6ddb44445 Lock versions for releases: 7.13,7.14,7.15 (#1545) 
* Locked versions for releases: 7.13,7.14,7.15
 2021-10-13 14:23:26 -08:00
Austin Songer 11fa592c6f [New Rule] Microsoft 365 - Impossible travel activity (#1344) 
* Create initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Updated Directory

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-12 19:11:32 -03:00
Austin Songer c8ac37957d [New Rule] Microsoft 365 - User Restricted from Sending Email (#1345) 
* Create initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Fix technique

* update description and FP

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-12 18:32:54 -03:00
Austin Songer fa9da023dd [New Rule] Microsoft 365 - Unusual Volume of File Deletion (#1347) 
* Create impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update rules/microsoft-365/impact_microsoft_365_unusual_volume_of_file_deletion.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Add missing `\`

* Bump to prod and update description

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-12 18:30:49 -03:00
Austin Songer 98c217ece9 [New Rule] Microsoft 365 - Potential ransomware activity (#1346) 
* Create impact_microsoft_365_potential_ransomware_activity.toml

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update impact_microsoft_365_potential_ransomware_activity.toml

* bump to prod

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-12 18:26:17 -03:00
Austin Songer 82e72a956b [New Rule] AWS Route Table Modified or Deleted (#1258) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* Update

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* remove space from query

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-12 15:16:48 -03:00
Apoorva Joshi 74fa8ebe48 Updating host risk score docs (#1518) 
* Updating host risk score docs

* Update docs/experimental-machine-learning/host-risk-score.md

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Making some changes

* Adding space to :all the things:

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-07 20:38:24 -07:00
David French cdbd5a6515 [New Rule] Rules to detect screensaver persistence on macOS (#1531) 
* add macos screensaver persistence rules

* change uuid

* update name

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* add T1546

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-07 08:22:58 -06:00
LaZyDK 43f0d77033 Update defense_evasion_execution_windefend_unusual_path.toml (#1492) 
* Update defense_evasion_execution_windefend_unusual_path.toml

Add Microsoft Security Client to exclusions.

* Update defense_evasion_execution_windefend_unusual_path.toml

Update updated_date

* Updated author

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-05 16:38:01 -03:00
Austin Songer 9508002bb3 [New Rule] AWS ElastiCache Security Group Created (#1363) 
* Create persistence_elasticache_security_group_creation.toml

* Update

* Update rules/integrations/aws/persistence_elasticache_security_group_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename persistence_elasticache_security_group_creation.toml to defense_evasion_elasticache_security_group_creation.toml

* Update defense_evasion_elasticache_security_group_creation.toml

* Update defense_evasion_elasticache_security_group_creation.toml

* Re-add rule.threat

* Update rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* remove extra space from query

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-05 14:00:29 -03:00
Austin Songer 3b0d2006b7 Made these pull requests before the directory restructure. (#1517) 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-05 09:29:40 -03:00
Austin Songer 0a3c44e8db [Rule Tuning] AWS RDS Snapshot Export and AWS RDS Instance Created (#1514) 2021-10-04 13:31:31 -08:00
Andrew Pease d5a8f41864 [Rule Tuning] Volume Shadow Copy Deletion or Resized via VssAdmin (#1524) 
* Updated rule to include resizing

* lint

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-04 16:00:35 -03:00
Jonhnathan f2b58cc0ab [New Rule] Backup Files Deletion (#1516) 
* Add Backup Files Deletion Initial Rule

* Fix creation date

* Add updated_date

* Adjust description and query

* Update Description

* Update rules/windows/impact_backup_file_deletion.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Add false_positives

* Update impact_backup_file_deletion.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-04 15:55:52 -03:00
Austin Songer f41714642c [New Rule] AWS ElastiCache Security Group Modified or Deleted (#1364) 
* Create impact_aws_elasticache_security_group_modified_or_deleted.toml

* Rename impact_aws_elasticache_security_group_modified_or_deleted.toml to impact_elasticache_security_group_modified_or_deleted.toml

* Update impact_elasticache_security_group_modified_or_deleted.toml

* Update

* Update rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_elasticache_security_group_modified_or_deleted.toml

* Update impact_elasticache_security_group_modified_or_deleted.toml

* Rename impact_elasticache_security_group_modified_or_deleted.toml to defense_evasion_elasticache_security_group_modified_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-04 15:38:37 -03:00
Austin Songer 6298f7b00a [New Rule] Volume Shadow Copy Deletion via PowerShell (#1358) 
* Create defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Rename defense_evasion_volume_shadow_copy_deletion_via_powershell.toml to impact_volume_shadow_copy_deletion_via_powershell.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Add trailing /

* Update rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-04 14:58:02 -03:00
Jonhnathan ba9c01be50 Rename new_or_modified_federation_domain.toml to correspond with tactic (#1511) 2021-09-30 13:08:35 -08:00
Jonhnathan 5e4a7e67df [Rule Tuning] Small update on rule descriptions (#1508) 2021-09-30 12:54:15 -08:00
Samirbous 76a0224f60 [New Rule] Virtual Machine Fingerprinting via Grep (#1510) 
* [New Rule] Virtual Machine Fingerprinting via Grep

* format

* Update rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added reference url

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-09-30 20:40:05 +02:00
Samirbous 521e4dc8f1 [New Rule] Potential Lsass Memory Dump via MirrorDump (#1504) 
* [New Rule] Potential Lsass Memory Dump via MirrorDump

* added tactic

* switched to kql

* added sysmon process access non ecs types

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* rule.name as suggested by Justin and converted to EQL to add comments

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-09-30 10:16:36 +02:00
Austin Songer d28c48f20f [New Rule] Azure Frontdoor Web Application Firewall (WAF) Policy Deleted (#1393) 2021-09-29 09:08:09 -08:00
Austin Songer a51ed86851 [New Rule] New or Modified Federation Domain (#1212) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_new-or-modified-federation-domain.toml

* Rename persistence_new-or-modified-federation-domain.toml to persistence_new_or_modified_federation_domain.toml

* Update persistence_new_or_modified_federation_domain.toml

* Update .gitignore

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update persistence_new_or_modified_federation_domain.toml

* Update persistence_new_or_modified_federation_domain.toml

* Update persistence_new_or_modified_federation_domain.toml

* Update

* Update persistence_new_or_modified_federation_domain.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-09-29 09:16:17 -03:00
Austin Songer 5ac7fb639c [New Rule] O365 Exchange Suspicious Mailbox Right Delegation (#1211) 2021-09-27 13:18:33 -08:00
Justin Ibarra 63d6a54804 [Rule Tuning] Add system index to Windows Event Logs Cleared (#1502) 2021-09-24 12:04:56 -05:00
Jonhnathan 61afb1c1c0 [Rule Tuning] Update threat mappings for Windows rules (#1497) 
* Windows Rules Att&ck Mapping review

* Bump updated_date and fix reference URLs

* Fix subtechnique

* Fix test errors
 2021-09-23 12:08:38 -05:00
Austin Songer 93b8038d7d [New Rule] AWS STS GetSessionToken Abuse (#1213) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create lateral_movement_sts_getsessiontoken_abuse.toml

* Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update .gitignore

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update

* Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-09-22 16:28:02 -03:00
Austin Songer 3e2cf4f53e [New Rule] Okta User Attempted Unauthorized Access (#1209) 2021-09-21 22:44:20 -08:00
Justin Ibarra 8e3b1d28c4 [Rule Tuning] Fix typos in rule metadata (#1494) 
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-09-21 16:31:00 -03:00