sigma-rules

Author	SHA1	Message	Date
Brent Murphy	f08312ec7f	[New Rule] Disabling User Account Control via Registry (#892 ) * Create privilege_escalation_disable_uac_registry.toml * Apply suggestions from code review Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * lint * spacing * add logs-windows.* * minor syntax change and final lint Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-02-10 09:11:45 -05:00
Brent Murphy	c5d6cbc2e4	[New Rule] Potential LSA Authentication Package Abuse (#903 ) * Create privilege_escalation_lsa_auth_package.toml * bump risk and sev * spacing * add logs-windows.* * Update rules/windows/privilege_escalation_lsa_auth_package.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update privilege_escalation_lsa_auth_package.toml * Update rules/windows/privilege_escalation_lsa_auth_package.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * final lint Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-10 09:00:58 -05:00
Samirbous	142a26a010	[New Rule] Suspicious Adobe Acrobat Updates Service Child Process (#886 ) * [New Rule] Suspicious Adobe Acrobat Updates Service Child Process * Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-10 14:08:37 +01:00
Samirbous	58f0bf5998	[Rule Tuning] Attempt to Remove File Quarantine Attribute (#781 ) * [Rule Tuning] Attempt to Remove File Quarantine Attribute * Update defense_evasion_attempt_del_quarantine_attrib.toml * adjusted query coverage * Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * date Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-10 10:45:50 +01:00
Samirbous	7fc5ba1646	[New Rule] Persistence via Cron Tasks (#867 ) * [New Rule] Persistence via Cron Tasks * Update persistence_cron_jobs_creation_and_runtime.toml * Update persistence_cron_jobs_creation_and_runtime.toml * excluded noisy procs and root user * moved to cross-platform * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * excluding root user * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-10 10:28:22 +01:00
Samirbous	51498f6022	[New Rule] Attempt to Mount an SMB Share via Command-line (#914 ) * [New Rule] Attempt to Mount an SMB Share via Command-line * fixed tactic_id * 2021! * Update lateral_movement_mounting_smb_share.toml * Update rules/macos/lateral_movement_mounting_smb_share.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/lateral_movement_mounting_smb_share.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/lateral_movement_mounting_smb_share.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * lint rule Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-02-09 22:08:30 +01:00
Samirbous	a50a65a4d7	[Rule Tuning] Execution with Explicit Credentials via Scripting (#910 )	2021-02-09 22:06:23 +01:00
Samirbous	7d4bd35bf0	[New Rule] Potential Privileges Escalation via Root Crontab File Modi… (#919 ) * [New Rule] Potential Privileges Escalation via Root Crontab File Modification * Update privilege_escalation_root_crontab_filemod.toml * Update rules/macos/privilege_escalation_root_crontab_filemod.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_root_crontab_filemod.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * lint rule Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-02-09 22:04:14 +01:00
Andrew Pease	ddddaf37dc	[New Rule] Sudo Heap-based Buffer Overflow Vulnerability Attempt (CVE-2021-3156) (#933 ) * initial commit * adjusted title * Update rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * updates * optimized * added ""'s * typo around "-s" * added sudo reference * changed to threshold * Update rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml * re-lint Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-09 15:02:04 -06:00
Samirbous	769ced1001	[New Rule] Privilege Elevation via Sudoers File Modification (#917 ) * [New Rule] Privilege Elevation via Sudoers File Modification * Update privilege_escalation_echo_nopasswd_sudoers.toml * group args * Update rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * lint rule * added subtechnique Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-02-09 21:58:31 +01:00
Samirbous	424a182383	[New Rule] Dumping Accounts Hashes using Built-In Commands (#908 ) * [New Rule] Dumping Accounts Hashes using Built-In Commands * fixed dates * Update credential_access_dumping_hashes_bi_cmds.toml * Update rules/macos/credential_access_dumping_hashes_bi_cmds.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/credential_access_dumping_hashes_bi_cmds.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/credential_access_dumping_hashes_bi_cmds.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/credential_access_dumping_hashes_bi_cmds.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-09 21:49:51 +01:00
Samirbous	68f834270d	[New Rule] Potential Persistence via Atom Init Script Modification (#906 ) * [New Rule] Potential Persistence via Atom Init Script Modification * Update rules/macos/persistence_via_atom_init_file_modification.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_via_atom_init_file_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-09 21:47:08 +01:00
Samirbous	5ae9347663	[New Rule] Suspicious Calendar File Modification (#880 ) * [New Rule] Suspicious Calendar File Modification * description * index * excluding FPs by path * Update persistence_suspicious_calendar_modification.toml * Update persistence_suspicious_calendar_modification.toml * Update rules/macos/persistence_suspicious_calendar_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_suspicious_calendar_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-09 21:44:45 +01:00
Andrew Pease	7c336a0a91	[New Rule] DefenderControl Activity (#769 ) * initial commit * updated to eql and registry vs. file * fix updated_date format Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_defendercontrol_activity.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * changed name and added registry value 3 or 4 * remove duplicate * fixed date format and lint * updated indices * removed fp and updated description Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-09 10:12:54 -06:00
Samirbous	aa2dcd58e7	[New Rule] Persistence via DirectoryService Plugin Modification (#858 ) * [New Rule] Persistence via DirectoryService Plugin Modification * Update persistence_directory_services_plugins_modification.toml * adjusted description * Update rules/macos/persistence_directory_services_plugins_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_directory_services_plugins_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_directory_services_plugins_modification.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-02-09 10:59:35 +01:00
Samirbous	cfd42babd1	[New Rule] Enumeration of Users or Groups using Built-In Commands (#848 ) * [New Rule] Enumeration of Users or Groups using Built-In Commands * Update discovery_users_domain_built_in_commands.toml * added search option * excluded some noisy processes * Update discovery_users_domain_built_in_commands.toml * Update rules/macos/discovery_users_domain_built_in_commands.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/discovery_users_domain_built_in_commands.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/discovery_users_domain_built_in_commands.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/discovery_users_domain_built_in_commands.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/macos/discovery_users_domain_built_in_commands.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/macos/discovery_users_domain_built_in_commands.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-09 10:50:39 +01:00
Samirbous	ffaf689778	[New Rule] Persistence via KDE AutoStart Script or Desktop File Modif… (#809 ) * [New Rule] Persistence via KDE AutoStart Script or Desktop File Modification * Update persistence_kde_autostart_modification.toml * Update rules/linux/persistence_kde_autostart_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/persistence_kde_autostart_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/linux/persistence_kde_autostart_modification.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * format * date Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-09 10:47:05 +01:00
Justin Ibarra	b8116a5b77	Add GitHub PR rule loader (#670 ) * add load_gh_pr_rules function * add dev package-stats command * add dev search-rule-prs command, which extends the same functionality in rule-search to rules in PR	2021-02-08 21:35:44 -09:00
Justin Ibarra	56dc4745b5	Add `export-rules` command (#639 ) * Add export-rule command to CLI * add `export` method to packaging class	2021-02-08 20:43:16 -09:00
David French	e507898dbd	[New Rule] Attempt to Disable Gatekeeper (#841 )	2021-02-08 20:25:04 -07:00
Samirbous	519078c87c	[New Rule] Authorization Plugin Modification (#856 ) * [New Rule] Authorization Plugin Modification * Update credential_access_persistence_authorization_plugin_creation.toml * Update rules/macos/credential_access_persistence_authorization_plugin_creation.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/credential_access_persistence_authorization_plugin_creation.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * tactic * filename Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 23:14:25 +01:00
Samirbous	2092c70f11	[New Rule] Finder Sync Plugin Enabled (#735 ) * [New Rule] Finder Sync Plugin Enabled * ref url decoded * Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * excluded some common finder plugins * Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_finder_sync_plugin_pluginkit.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 23:08:49 +01:00
Samirbous	4d68377d1b	[New Rule] Suspicious DLL Loaded for Persistence or Privilege Escalation (#819 ) * [New Rule] Suspicious DLL Loaded for Persistence or Privilege Escalation * replaced file.name with dll.name * Update rules/windows/privilege_escalation_persistence_phantom_dll.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update privilege_escalation_persistence_phantom_dll.toml * Update rules/windows/privilege_escalation_persistence_phantom_dll.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/windows/privilege_escalation_persistence_phantom_dll.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/privilege_escalation_persistence_phantom_dll.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-08 23:04:02 +01:00
Samirbous	fb32679921	[New Rule] Access to SystemKey via Hexdump (#815 ) * [New Rule] Access to SystemKey via Hexdump * Update rules/macos/credential_access_systemkey_dumping.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/credential_access_systemkey_dumping.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/credential_access_systemkey_dumping.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update credential_access_systemkey_dumping.toml * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 23:02:02 +01:00
Samirbous	2e6b353f5e	[New Rule] Potential Reverse Shell Activity via Terminal (#821 ) * [New Rule] Potential Reverse Shell Activity via Terminal * extra reference * adjusted process.args for coverage resilience * Update execution_revershell_via_shell_cmd.toml * Update rules/cross-platform/execution_revershell_via_shell_cmd.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/execution_revershell_via_shell_cmd.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * encoded ref url Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-08 22:57:55 +01:00
Samirbous	6e2d8830e1	[New Rule] Attempt to Install Root Certificate (#850 ) * [New Rule] Attempt to Install Root Certificate * Update rules/macos/defense_evasion_install_root_certificate.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_install_root_certificate.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 22:49:35 +01:00
Samirbous	a08adbf10c	[New Rule] Suspicious Launchd Hidden Child Process (#823 ) * [New Rule] Hidden Launcd Child Process * adjusted name and added extra ref * severity change * Update rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * added subtechnique * Update rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-08 22:43:21 +01:00
Samirbous	55272cc49e	[New Rule] EggShell Backdoor Execution (#845 ) * [New Rule] EgShell Backdoor Execution * Update rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 22:37:15 +01:00
Samirbous	53db78fccc	[New Rule] Lateral Movement via Kerberos using Bifrost Console (#843 ) * [New Rule] Lateral Movement via Kerberos using Bifrost Console * adjusted kql for perf * mitre techniques order * added two args * Update lateral_movement_credential_access_kerberos_bifrostconsole.toml * Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 22:34:54 +01:00
Samirbous	429a975d14	[New Rule] Keychain Password Retrieval via Commandline (#811 ) * [New Rule] Keychain Password Retrieval via Commandline * added false positives note * added internet-pwd option * extra refurl * Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * fixed technique Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 22:31:16 +01:00
Samirbous	18a4e468ce	[New Rule] Attempt to Unload Elastic Endpoint Security Kernel Extension (#807 ) * [New Rule] Attempt to Unload Elastic Endpoint Security Kernel Extension * Update rules/macos/defense_evasion_unload_endpointsecurity_kext.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_unload_endpointsecurity_kext.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_unload_endpointsecurity_kext.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * added subtechnique Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 22:22:16 +01:00
Brent Murphy	64366218c7	adjust risk score (#938 )	2021-02-08 13:15:42 -05:00
Samirbous	6ca381763d	[New Rule] Execution with Administrator Privileges via Apple Scripting (#777 ) * [New Rule] Execution with Administrator Privileges via Apple Scripting * Update privilege_escalation_applescript_with_admin_privs.toml * Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-02-08 17:39:22 +01:00
Samirbous	ef01430ab0	[Rule Tuning] Compression of Keychain Credentials Directories (#787 ) * [Rule Tuning] Access to Keychain Credentials Directories * linted * renmaed rule filename * added keychain filenames added filenames in case of exec from keychain working directory * extra reference * Update rules/macos/credential_access_credentials_keychains.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update credential_access_credentials_keychains.toml * 2021 Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <bmurphy@endgame.com>	2021-02-08 17:31:04 +01:00
Samirbous	79b0a940c5	[New Rule] Attempt to Create a Hidden Local Account (#799 ) * [New Rule] Attempt to Create a Hidden Local Account * adjusted query for perfmc * Update persistence_account_creation_hide_at_logon.toml * Update persistence_account_creation_hide_at_logon.toml * Update rules/macos/persistence_account_creation_hide_at_logon.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_account_creation_hide_at_logon.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 17:24:56 +01:00
Samirbous	55998ff02a	[New Rule] Creation Attempt of a Hidden Login Item via Apple Script (#801 ) * [New Rule] Creation Attempt of a Hidden Login Item via Apple Script * fixed TID * Update persistence_creation_hidden_login_item_osascript.toml * Update rules/macos/persistence_creation_hidden_login_item_osascript.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_creation_hidden_login_item_osascript.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_creation_hidden_login_item_osascript.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_creation_hidden_login_item_osascript.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_creation_hidden_login_item_osascript.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 17:22:01 +01:00
Samirbous	b9a6452001	[New Rule] Attempt to Enable the Root Account (#792 ) * [New Rule] Attempt to Enable the Root Account * Update rules/macos/persistence_enable_root_account.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 17:10:43 +01:00
Samirbous	b73564b541	[Rule Tuning] Remote SSH Login Enabled via systemsetup Command (#783 )	2021-02-08 16:54:39 +01:00
Samirbous	055c8ec4f7	[New Rule] Potential MacOS Privacy Controls Bypass via TCCDB Modification (#765 ) * [New Rule] Potential MacOS Privacy Controls Bypass * added extra ref and arg if exec from TCC current directory * Update defense_evasion_privacy_controls_tcc_database_modification.toml * renamed * Update defense_evasion_privacy_controls_tcc_database_modification.toml * adjusted to catch rogue TCCDB PrivEsc Exploit * Update defense_evasion_privacy_controls_tcc_database_modification.toml * Update defense_evasion_privacy_controls_tcc_database_modification.toml * Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * added subtechnique * relinted * Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-02-08 16:48:53 +01:00
Samirbous	8b8cbcf8dd	[Rule Tuning] Prompt for Credentials with OSASCRIPT (#759 ) * [Rule Tuning] Prompt for Credentials with OSASCRIPT * Update credential_access_promt_for_pwd_via_osascript.toml * Update credential_access_promt_for_pwd_via_osascript.toml * Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * update date Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 16:42:23 +01:00
Samirbous	4cb28adece	[New Rule] Sublime Plugin or Application Script Modification (#761 ) * [New Rule] Sublime Plugin or Application Script Modification * excluded some noisy procs * Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * added T1554 * fixed tactic Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 16:34:44 +01:00
Samirbous	82fe227030	[New Rule] Sensitive Files Compression (#756 ) * [New Rule] Sensitive Files Compression * conv to kql * Update rules/linux/credential_access_collection_sensitive_files.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/credential_access_collection_sensitive_files.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_collection_sensitive_files.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_collection_sensitive_files.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-02-08 16:31:00 +01:00
Samirbous	99a4aaff58	[New Rule] Modification of the Dynamic Linker Preload Shared Object (#921 ) * [New Rule] Modification of the Dynamic Linker Preload Shared Object * Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 16:11:37 +01:00
Brent Murphy	02ee8195ab	[New Rule] Creation or Modification of Root Certificate (#927 ) * Create defense_evasion_create_mod_root_certificate.toml * update description * Update defense_evasion_create_mod_root_certificate.toml * spacing * Update rules/windows/defense_evasion_create_mod_root_certificate.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * removing process names that could lead to fn Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-08 10:01:59 -05:00
Brent Murphy	0b568e5740	[New Rule] Suspicious JAR Child Process (#887 ) * Create execution_suspicious_jar_child_process.toml * pr review feedback and moved to cross platform * spacing * Add FP section	2021-02-08 09:48:48 -05:00
Samirbous	6a61caa84f	[New Rule] Suspicious Browser Child Process (#767 ) * [New Rule] Suspicious Browser Child Process * auditbeat removed auditbeat process execution does not log the parent process name. * added more suspicious childproc * added perl and php * Update execution_initial_access_suspicious_browser_childproc.toml * Update execution_initial_access_suspicious_browser_childproc.toml * Update execution_initial_access_suspicious_browser_childproc.toml * excluded noisy stuff * Update rules/macos/execution_initial_access_suspicious_browser_childproc.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_initial_access_suspicious_browser_childproc.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_initial_access_suspicious_browser_childproc.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 15:06:18 +01:00
Samirbous	732770e855	[New Rule] Potential OpenSSH Backdoor Logging Activity (#749 ) * [New Rule] Known SSH Backdoor Logging File * updated query to common patterns * updated rule name * relinted * added extra path * renamed * adjusted some filepaths * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * added kobalos OpenSSH credential stealer added kobalos SSH credential stealer default logs file as reported by ESET this week https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf * relinted * adjusted MITRE technique * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/linux/credential_access_ssh_backdoor_log.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-05 21:27:15 +01:00
Samirbous	3fde3930f7	[New Rule] Modification of Standard Authentication Module or Configuration (#745 ) * [New Rule] Modification of Unix Standard Authentication Module * extra ref and added file creation event type * extra ref url * Update persistence_modify_authentication_module.toml * added pam.d conf files changes too * adjusted tactics and techniques * Update persistence_modify_authentication_module.toml * Update persistence_modify_authentication_module.toml * changed from linux to cross platfm * Update persistence_credential_access_modify_auth_module_or_config.toml * adjusted query * converted to kql and excluded FPs * Update rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update persistence_credential_access_modify_auth_module_or_config.toml * Update persistence_credential_access_modify_auth_module_or_config.toml * Update rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-05 21:23:58 +01:00
Justin Ibarra	e2c860693c	Repaired merge from PR 876 - RTA docs (#935 )	2021-02-04 08:34:54 -09:00
Samirbous	4900c9a018	[New Rule] Potential Office Sandbox Evasion via ZIP File (#834 ) * [New Rule] Potential Office Sandbox Evasion via LaunchAgent ZIP File * adjusted query to account for other autostart paths * adjusted query and description * Update defense_evasion_sandboxed_office_app_suspicious_zip_file.toml * Update rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * 2021! Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-04 16:47:58 +01:00

... 55 56 57 58 59 ...

3314 Commits