security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,314 Commits 1 Branch 0 Tags
1ce072a4e58238d94deae33ff8de25458ac129d5
Commit Graph

3314 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Samirbous 6bc4a6b9bb [New Rule] Linux System Log Files Deleted (#461) 
* [New Rule] Linux System Log Files Deleted

* Update defense_evasion_log_files_deleted.toml

* Update rules/linux/defense_evasion_log_files_deleted.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added linux to rule name as sug by JLB

* ecs_version

* Update rules/linux/defense_evasion_log_files_deleted.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/defense_evasion_log_files_deleted.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/linux/defense_evasion_log_files_deleted.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* adjusted format

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 17:34:33 +01:00
Samirbous c0c369181a [New Rule] New Port Forwarding Rule Added (#630) 
* [New Rule] New Port Forwarding Rule Added

* fiexed rule file name

* eql syntax

* ecs_version

* Update rules/windows/defense_evasion_port_forwarding_added_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_port_forwarding_added_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_port_forwarding_added_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 17:32:08 +01:00
Samirbous 35ee818854 [Rule Tuning] Suspicious Process Execution via Renamed PsExec Executable (#502) 
* Converted suspicious execution via psexec to EQL

* adjusted procname

* eql syntax

* ecs_version
 2020-12-08 17:27:16 +01:00
Samirbous 63759a4bf4 [New Rule] Lsass Memory Dump Created (#618) 
* [New Rule] Lsass Memory Dump Created

* added Dumpert and AndrewSpecial HKTL default memory dump filenames

* added sqldumper default dmp filename

* added Out-Minidump PS default dump filename

* ecs_version

* crackmap default lsass memdmp

* Update rules/windows/credential_access_lsass_memdump_file_created.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_lsass_memdump_file_created.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 17:24:51 +01:00
Samirbous feb79c0304 [New Rule] Suspicious Execution via Scheduled Task (#584) 
* [New Rule] Suspicious Execution via Scheduled Task

* Update persistence_suspicious_scheduled_task_runtime.toml

* Update persistence_suspicious_scheduled_task_runtime.toml

* Update rules/windows/persistence_suspicious_scheduled_task_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_scheduled_task_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* eql syntax

* ecs_version

* added two susp_paths as suggested by Devon

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 17:20:21 +01:00
Samirbous ccea74d9d8 [New Rule] Incoming Execution via PowerShell Remoting (#624) 
* [New Rule] Incoming Execution via PowerShell Remoting

* eql syntax

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

* Update rules/windows/lateral_movement_powershell_remoting_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 17:16:10 +01:00
Samirbous 0479a8f8a3 [New Rule] Image File Execution Options Injection (#550) 
* [New Rule] Image File Execution Options Injection

* Update persistence_evasion_registry_ifeo_injection.toml

* Update persistence_evasion_registry_ifeo_injection.toml

* added FPs section

* eql syntax

* ecs_version

* Update rules/windows/persistence_evasion_registry_ifeo_injection.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 17:13:00 +01:00
Samirbous 0e78638655 [New Rule] Program Files Directory Masquerading (#581) 
* [New Rule] Program Files Directory Masquerading

* adjusted rule description

* adj procargs to include dlls and other extensions

rundll.exe c:\program files\beacon.dll will be detected for example

* eql syntax

* ecs_version

* Update rules/windows/defense_evasion_masquerading_trusted_directory.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 17:04:31 +01:00
Samirbous 02e9c082df [New Rule] Potential SharpRdp Detected (#527) 
* [New Rule] Potential SharpRdp Detected

* Updated references

* added process execution to the sequence

added process execution to the sequence to capture the malicious process details that was executed

* Linted

* adjusted sequence

* linted

* adjusted process exec details to avoid procs termination

* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* eql syntax

* eql syntax

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 17:00:51 +01:00
Samirbous bd2006d70d [New Rule] WMI Incoming Lateral Movement (#532) 
* [New Rule] WMI Incoming Lateral Movement

* Update rules/windows/lateral_movement_incoming_wmi.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* cirdrmatch returned error on 7.10 replaced by  !=

* Update rules/windows/lateral_movement_incoming_wmi.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* eql syntax

* ecs_version

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:57:41 +01:00
Samirbous 16551bbfe7 [New Rule] NTDS or SAM Database File Copied (#622) 
* [New Rule] NTDS or SAM Database File Copied

* fixed description

* eql syntax

* Update rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:55:35 +01:00
Samirbous e707b53a03 [New Rule] Scheduled Jobs AT Protocol Enabled (#609) 
* [New Rule] Scheduled Jobs AT Protocol Enlabled

* fixed typo

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* eql syntax

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:52:17 +01:00
Samirbous 637d06f6c9 [New Rule] Mounting Hidden or WebDav Remote Shares (#444) 
* [New Rule] Mounting Hidden or WebDav Remote Shares

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* removed timeline_id

* adjusted args to avoid leading wildcard

* Update rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:50:09 +01:00
Samirbous 0544461b45 [New Rule] Remote Scheduled Task Creation (#598) 
* Remote Scheduled Task Modification

* replaced file modification with registry

replaced file modification with registry to capture the task configured action instead of task name only which is not useful for drill down.

* eql syntax

* Update rules/windows/lateral_movement_scheduled_task_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_scheduled_task_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_scheduled_task_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* adj port number for ross :)

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:40:48 +01:00
Samirbous 7d7d010509 [New Rule] Persistence via Hidden Run Key ValName (#534) 
* [New Rule] Persistence via Hidden Run Key Detected

* added strings length condition

* added description

* Update persistence_via_hidden_run_key_valuename.toml

* Update rules/windows/persistence_via_hidden_run_key_valuename.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* commented length for stability

no logic impact

* eql syntax

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-08 16:38:23 +01:00
Samirbous 929277486d [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack (#499) 
* [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack

* performance tuning of proc args

* replaced wildcard with in condition

* eql syntax

* ecs_version

Co-authored-by: Brent Murphy <bmurphy@endgame.com>
 2020-12-08 16:34:36 +01:00
Samirbous efba50d670 [New Rule] Enable RDP Through Registry (#632) 
* [New Rule] Enable RDP Through Registry

* eql syntax

* Update rules/windows/lateral_movement_rdp_enabled_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_enabled_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_enabled_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:32:24 +01:00
Samirbous 6b96b99dc1 [New Rule] Execution from TSClient Mountpoint (#524) 
* [New Rule] Execution from TSClient Mountpoint

* Delete profiles_settings.xml

* Delete modules.xml

* Delete vcs.xml

* Delete windows.iml

* Delete workspace.xml

* eql syntax

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* linted

* deleted ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:30:10 +01:00
Samirbous 58174015bd [New Rule] Privilege Escalation via Windir Environment Variable (#638) 
* [New Rule] Privilege Escalation via Windir Environment Variable

* added equiv envar

* eql syntax

* Update rules/windows/privilege_escalation_rogue_windir_environment_var.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:21:42 +01:00
Samirbous fbecc85593 [New Rule] Incoming DCOM Lateral Movement with MMC (#488) 
* [New Rule] Incoming DCOM Lateral Movement with MMC

* adjusted technique ID

subject to updates to all rules with new MITRE IDs

* added localhost filtering

* Update rules/windows/lateral_movement_dcom_mmc20.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* eql syntax

* Update rules/windows/lateral_movement_dcom_mmc20.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_dcom_mmc20.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* port numb

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-08 16:19:26 +01:00
Samirbous e038b34344 [New Rule] Connection to Commonly Abused Free SSL Certificate Providers (#478) 
* [New Rule] Connection to Commonly Abused Free SSL Certificate Providers

* linted

* added explorer and notepad paths

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* adjusted desc

* eql syntax

* remove ecs_version

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-08 16:16:11 +01:00
Samirbous 49abcd7f4d [New Rule] Execution from unusual directory - CommandLine (#435) 
* [New Rule] Execution from unusual directory - cmdline

* Update execution_from_unusual_path_cmdline.toml

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* linted and added note as sug by JLB

* note

* ecs_version

* fixed path

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:13:52 +01:00
Samirbous 525512fdae [New Rule] Remote File Copy to a Hidden Share (#474) 
* [New Rule] Remote File Copy to a Hidden Share

* Update rules/windows/lateral_movement_remote_file_copy_hidden_share.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_remote_file_copy_hidden_share.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-08 16:07:18 +01:00
Samirbous 725f509700 [New Rule] LaunchDaemon Creation or Modification followed by Loading (#698) 
* [New Rule] LaunchDaemon Creation or Modification followed by Loading

* fix technique

* Update rules/macos/persistence_creation_modif_launch_deamon_sequence.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/persistence_creation_modif_launch_deamon_sequence.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 16:04:34 +01:00
Samirbous 46d6bc69a2 [New Rule] UAC Bypass via Mocking Windir (#411) 
* [New Rule] UAC Bypass via Mocking Windir

* added tags

* changed rule name

* adjusted args for performance

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 15:55:36 +01:00
Samirbous 3040f6103f [New Rule] Suspicious PrintSpooler Point and Print DLL (#641) 
* [New Rule] Suspicious PrintSpooler Point and Print DLL

* added example of execution data to the ref

* Update privilege_escalation_printspooler_registry_copyfiles.toml

* Update privilege_escalation_printspooler_registry_copyfiles.toml

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted plus extra ref URL

* eql syntax

* ecs_version

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 15:07:26 +01:00
Samirbous 3fda16db71 [Rule Tuning] Potential Modification of Accessibility Binaries (#546) 
* [Rule Tuning] Potential Modification of Accessibility Binaries

* replaced wildcard by in

* indentation more consistent for readability

* eql syntax

* ecs_version
 2020-12-08 12:42:34 +01:00
Samirbous d59b2cb72b [New Rule] Persistence with Startup Folder by Unsigned Process (#651) 
* [New Rule] Persistence with Startup Folder by Unsigned Process

* new line

* eql syntax

* ecs_version

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* dropped winlogbeat index

pe signature check details missing

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:39:44 +01:00
Samirbous 6dc78c4703 [New Rule] Remote File Download via Scripting (#647) 
* [New Rule] Remote File Download via Scripting

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* eql syntax

* ecs_version

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* deleted ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:37:51 +01:00
Samirbous c76439923b [New Rule] Attempt to Remove File Quarantine Attribute (#674) 
* [New Rule] Attempt to Remove File Quarantine Attribute

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:27:03 +01:00
Samirbous d1dc7b413e [New Rule] Apple Script Execution followed by Network Connection (#681) 
* [New Rule] Apple Script Execution followed by Network Connection

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* excluding LAN and loopback addresses

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:25:03 +01:00
Samirbous aeb061514c [New Rule] Persistence via Login and/or Logout Hooks (#683) 
* [New Rule] Persistence via Login and/or Logout Hooks

* fixed tags

* fixed tags

* added logouthook and extra refurl

* Update rules/macos/persistence_login_logout_hooks_defaults.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_login_logout_hooks_defaults.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/macos/persistence_login_logout_hooks_defaults.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:09:36 +01:00
Samirbous bb93988926 [Rule Tuning] Unusual Network Connection via RunDLL32 (#693) 
* [Rule Tuning] Unusual Network Connection via RunDLL32

* excluding dns traffic

* Update rules/windows/execution_unusual_network_connection_via_rundll32.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:01:17 +01:00
Samirbous 844a56b125 [New Rule] Execution with Explicit Credentials via Apple Scripting (#689) 
* [New Rule] Execution with Explicit Credentials via Apple Scripting

* fixing tactic

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added ref

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:57:52 +01:00
Samirbous f756619478 [New Rule] Persistence via Folder Action Script (#685) 
* [New Rule] Persistence via Folder Action Script

* Update persistence_folder_action_scripts_runtime.toml

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:51:52 +01:00
Samirbous b8243f3739 [New Rule] Shell Execution via Apple Scripting (#687) 
* [New Rule] Shell Execution via Apple Scripting

* fixed description and relinted

* added extra ref url

* references url

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:45:39 +01:00
Samirbous 3f8a7573f7 [New Rule] Remotely Started Services (#542) 
* [New Rule] Remotely Started Services

* added a common FP msiexec

* Update lateral_movement_remote_services.toml

* eql syntax

* Update rules/windows/lateral_movement_remote_services.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update lateral_movement_remote_services.toml

* port numb

* ecs_version

* added RPC to alert name

* Update rules/windows/lateral_movement_remote_services.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:31:03 +01:00
Samirbous 0f17ad6839 [New Rule] Incoming Execution with WinRM Remote Shell (#616) 
* [New Rule] Incoming Execution with WinRM Remote Shell

* MITRE TID Mapping

removed also unnecessary sequence events

* Update lateral_movement_incoming_winrm_shell_execution.toml

* eql syntax

* ecs_version

* excluding localhost

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:28:37 +01:00
Samirbous b477255abe [New Rule] Potential DNS Tunneling with Nslookup (#522) 
* [New Rule] Potential DNS Tunneling with Nslookup

* adjusted tags

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* ecs_version

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-07 20:16:17 +01:00
Samirbous 6c37d5c6b4 [New Rule] Potential ProcessHerpaderping Detected (#418) 
* [New Rule] Suspicious Execution via File Overwrite

* Update defense_evasion_overwrite_followed_by_execution.toml

* Update defense_evasion_overwrite_followed_by_execution.toml

* removed timeline_id

* fixed logic and also added references URL

* tuned logic to exclude potential FPs

not an actual FP, but only observed executable file overwrite by default on Windows is related to SoftwareDistribution, this does not match the sequence (Process Execution followed by Same Process File Overwrite) but added it to exclusion just in case.

* adjusted a bit desc and name

* changed rule file name

* adjusted executable.path for performance

avoiding leading wildcard, users can customize rule if they have different drive letters

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* lint

* ecs_version

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* deleted ecs_version

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* changed rule name as per ross sugges

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-07 20:08:12 +01:00
Samirbous af85c27142 [New Rule] Peripheral Device Discovery (#446) 
* [New Rule] Peripheral Device Discovery

* removed timeline_id

* adjusted cmdline

* adjusted args for better performance

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 20:55:19 +01:00
Samirbous 9460618129 [New Rule ] Incoming DCOM Lateral Movement with MSHTA (#459) 
* [New Rule ] Remote Execution via DCOM - MSHTA

* corrected tactic

* removed timeline_id

* added host.id and tightened the netcon clause

* changed rule description and name

* removed parent process names

as condition its optional since process.args is explicit.

* Update rules/windows/lateral_movement_dcom_hta.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/lateral_movement_dcom_hta.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* localhost filtering

* Update rules/windows/lateral_movement_dcom_hta.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 20:49:54 +01:00
Brent Murphy 86b1a56c1b [New Rule] Attempts to Brute Force a Microsoft 365 User Account (#662) 
* [New Rule] Attempts to Brute Force an O365 User Account

* Update credential_access_o365_brute_force_user_account_attempt.toml

* rebrand to m365

* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml

* update description
 2020-12-04 12:40:09 -05:00
Samirbous 181bbcb8c9 [New Rule] Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindow (#486) 
* [New Rule] Remote Execution via DCOM - ShellBrowserWindow or ShellWindows

* adjusted rule description and name

* Update rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* filtering localhost

* Update lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

* eql syntax

* ecs_version

* Update rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted and del ecs_vers

* re-linted

* deleted ecs_version

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 17:37:31 +01:00
Samirbous da949b0051 [New Rule] Potential SSH Bruteforce Detected (#538) 
* [New Rule] Potential SSH Bruteforce Detected

* Update credential_access_potential_ssh_bruteforce.toml

* added parent process condition

* Update rules/macos/credential_access_potential_ssh_bruteforce.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* spaces

* ecs_version

* Update rules/macos/credential_access_potential_ssh_bruteforce.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_potential_ssh_bruteforce.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_potential_ssh_bruteforce.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 17:18:03 +01:00
Samirbous 5c1229cc63 [New Rule] Suspicious Service ImagePath Created (#603) 
* [New Rule] Suspicious Service ImagePath Created

* fixed rule name

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* fixed technique name

* Update persistence_suspicious_service_created_registry.toml

* new MITRE mapping not yet supported

* eql syntax

* ecs_version

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 17:14:54 +01:00
Samirbous 7775515b55 [New Rule] Privilege Escalation via Named Pipe Impersonation (#605) 
* [New Rule] Privilege Escalation via Named Pipe Impersonation

* added a reference url

* fixed PS OFN

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* eql syntax

* ecs_version

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 17:05:30 +01:00
Samirbous c7d7bd7fdd [New Rule] Suspicious PowerShell Engine ImageLoad (#559) 
* [New Rule] Suspicious PowerShell Engine ImageLoad

* Update rules/windows/defense_evasion_suspicious_powershell_imgload.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* eql syntax

* ecs_version

* Update rules/windows/defense_evasion_suspicious_powershell_imgload.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_powershell_imgload.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 16:48:01 +01:00
Samirbous 0eacf484a0 [New Rule] Scheduled Task Created by a Windows Script (#649) 
* [New Rule] Scheduled Task Created via Windows Scripts

* added powershell

* Update persistence_local_scheduled_task_scripting.toml

* Update rules/windows/persistence_local_scheduled_task_scripting.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* increased maxspan as per Dan sugg

* eql syntax

* eql syntax

* ecs_version

* Update rules/windows/persistence_local_scheduled_task_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-03 23:10:51 +01:00
Samirbous 41dd58b151 [Rule Tuning] Persistence via TelemetryController Scheduled Task Hijack (#655) 
* [Rule Tuning] Persistence via TelemetryController Scheduled Task Hijack

* ecs_version
 2020-12-03 22:59:46 +01:00