1dfc8ca8178bdeef25bd8091aa4f1899a4819a57
18 Commits
| Author | SHA1 | Message | Date |
|---|---|---|---|
| | e5e0339430 | min_stack all rules to 8.3 (#2259) | |

* min_stack all rules to 8.3
* bump date
Co-authored-by: Mika Ayenson <mika.ayenson@elastic.co>
Removed changes from:
- rules/apm/apm_403_response_to_a_post.toml
- rules/apm/apm_405_response_method_not_allowed.toml
- rules/apm/apm_null_user_agent.toml
- rules/apm/apm_sqlmap_user_agent.toml
- rules/cross-platform/credential_access_cookies_chromium_browsers_debugging.toml
- rules/cross-platform/defense_evasion_agent_spoofing_mismatched_id.toml
- rules/cross-platform/defense_evasion_agent_spoofing_multiple_hosts.toml
- rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
- rules/cross-platform/defense_evasion_deletion_of_bash_command_line_history.toml
- rules/cross-platform/defense_evasion_elastic_agent_service_terminated.toml
- rules/cross-platform/defense_evasion_timestomp_touch.toml
- rules/cross-platform/discovery_security_software_grep.toml
- rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
- rules/cross-platform/execution_pentest_eggshell_remote_admin_tool.toml
- rules/cross-platform/execution_revershell_via_shell_cmd.toml
- rules/cross-platform/execution_suspicious_jar_child_process.toml
- rules/cross-platform/execution_suspicious_java_netcon_childproc.toml
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/cross-platform/initial_access_zoom_meeting_with_no_passcode.toml
- rules/cross-platform/persistence_credential_access_modify_auth_module_or_config.toml
- rules/cross-platform/persistence_shell_profile_modification.toml
- rules/cross-platform/persistence_ssh_authorized_keys_modification.toml
- rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
- rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
- rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
- rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
- rules/cross-platform/threat_intel_filebeat8x.toml
- rules/cross-platform/threat_intel_fleet_integrations.toml
- rules/integrations/aws/collection_cloudtrail_logging_created.toml
- rules/integrations/aws/credential_access_aws_iam_assume_role_brute_force.toml
- rules/integrations/aws/credential_access_iam_user_addition_to_group.toml
- rules/integrations/aws/credential_access_root_console_failure_brute_force.toml
- rules/integrations/aws/credential_access_secretsmanager_getsecretvalue.toml
- rules/integrations/aws/defense_evasion_cloudtrail_logging_deleted.toml
- rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
- rules/integrations/aws/defense_evasion_cloudwatch_alarm_deletion.toml
- rules/integrations/aws/defense_evasion_config_service_rule_deletion.toml
- rules/integrations/aws/defense_evasion_configuration_recorder_stopped.toml
- rules/integrations/aws/defense_evasion_ec2_flow_log_deletion.toml
- rules/integrations/aws/defense_evasion_ec2_network_acl_deletion.toml
- rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml
- rules/integrations/aws/defense_evasion_elasticache_security_group_modified_or_deleted.toml
- rules/integrations/aws/defense_evasion_guardduty_detector_deletion.toml
- rules/integrations/aws/defense_evasion_s3_bucket_configuration_deletion.toml
- rules/integrations/aws/defense_evasion_waf_acl_deletion.toml
- rules/integrations/aws/defense_evasion_waf_rule_or_rule_group_deletion.toml
- rules/integrations/aws/exfiltration_ec2_full_network_packet_capture_detected.toml
- rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
- rules/integrations/aws/exfiltration_ec2_vm_export_failure.toml
- rules/integrations/aws/exfiltration_rds_snapshot_export.toml
- rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
- rules/integrations/aws/impact_aws_eventbridge_rule_disabled_or_deleted.toml
- rules/integrations/aws/impact_cloudtrail_logging_updated.toml
- rules/integrations/aws/impact_cloudwatch_log_group_deletion.toml
- rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
- rules/integrations/aws/impact_ec2_disable_ebs_encryption.toml
- rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml
- rules/integrations/aws/impact_iam_deactivate_mfa_device.toml
- rules/integrations/aws/impact_iam_group_deletion.toml
- rules/integrations/aws/impact_rds_group_deletion.toml
- rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
- rules/integrations/aws/impact_rds_instance_cluster_stoppage.toml
- rules/integrations/aws/initial_access_console_login_root.toml
- rules/integrations/aws/initial_access_password_recovery.toml
- rules/integrations/aws/initial_access_via_system_manager.toml
- rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
- rules/integrations/aws/ml_cloudtrail_rare_error_code.toml
- rules/integrations/aws/ml_cloudtrail_rare_method_by_city.toml
- rules/integrations/aws/ml_cloudtrail_rare_method_by_country.toml
- rules/integrations/aws/ml_cloudtrail_rare_method_by_user.toml
- rules/integrations/aws/persistence_ec2_network_acl_creation.toml
- rules/integrations/aws/persistence_ec2_security_group_configuration_change_detection.toml
- rules/integrations/aws/persistence_iam_group_creation.toml
- rules/integrations/aws/persistence_rds_cluster_creation.toml
- rules/integrations/aws/persistence_rds_group_creation.toml
- rules/integrations/aws/persistence_rds_instance_creation.toml
- rules/integrations/aws/persistence_redshift_instance_creation.toml
- rules/integrations/aws/persistence_route_53_domain_transfer_lock_disabled.toml
- rules/integrations/aws/persistence_route_53_domain_transferred_to_another_account.toml
- rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml
- rules/integrations/aws/persistence_route_table_created.toml
- rules/integrations/aws/persistence_route_table_modified_or_deleted.toml
- rules/integrations/aws/privilege_escalation_aws_suspicious_saml_activity.toml
- rules/integrations/aws/privilege_escalation_root_login_without_mfa.toml
- rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml
- rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml
- rules/integrations/aws/privilege_escalation_updateassumerolepolicy.toml
- rules/integrations/azure/collection_update_event_hub_auth_rule.toml
- rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml
- rules/integrations/azure/credential_access_key_vault_modified.toml
- rules/integrations/azure/credential_access_storage_account_key_regenerated.toml
- rules/integrations/azure/defense_evasion_azure_application_credential_modification.toml
- rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml
- rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml
- rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
- rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
- rules/integrations/azure/defense_evasion_event_hub_deletion.toml
- rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml
- rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml
- rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
- rules/integrations/azure/defense_evasion_network_watcher_deletion.toml
- rules/integrations/azure/defense_evasion_suppression_rule_created.toml
- rules/integrations/azure/discovery_blob_container_access_mod.toml
- rules/integrations/azure/execution_command_virtual_machine.toml
- rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
- rules/integrations/azure/impact_kubernetes_pod_deleted.toml
- rules/integrations/azure/impact_resource_group_deletion.toml
- rules/integrations/azure/impact_virtual_network_device_modified.toml
- rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin.toml
- rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
- rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml
- rules/integrations/azure/initial_access_consent_grant_attack_via_azure_registered_application.toml
- rules/integrations/azure/initial_access_external_guest_user_invite.toml
- rules/integrations/azure/persistence_azure_automation_account_created.toml
- rules/integrations/azure/persistence_azure_automation_runbook_created_or_modified.toml
- rules/integrations/azure/persistence_azure_automation_webhook_created.toml
- rules/integrations/azure/persistence_azure_conditional_access_policy_modified.toml
- rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
- rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml
- rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml
- rules/integrations/azure/persistence_mfa_disabled_for_azure_user.toml
- rules/integrations/azure/persistence_user_added_as_owner_for_azure_application.toml
- rules/integrations/azure/persistence_user_added_as_owner_for_azure_service_principal.toml
- rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_created.toml
- rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_error_audit_event_promotion.toml
- rules/integrations/cyberarkpas/privilege_escalation_cyberarkpas_recommended_events_to_monitor_promotion.toml
- rules/integrations/endpoint/elastic_endpoint_security.toml
- rules/integrations/gcp/collection_gcp_pub_sub_subscription_creation.toml
- rules/integrations/gcp/collection_gcp_pub_sub_topic_creation.toml
- rules/integrations/gcp/defense_evasion_gcp_firewall_rule_created.toml
- rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
- rules/integrations/gcp/defense_evasion_gcp_firewall_rule_modified.toml
- rules/integrations/gcp/defense_evasion_gcp_logging_bucket_deletion.toml
- rules/integrations/gcp/defense_evasion_gcp_logging_sink_deletion.toml
- rules/integrations/gcp/defense_evasion_gcp_pub_sub_subscription_deletion.toml
- rules/integrations/gcp/defense_evasion_gcp_pub_sub_topic_deletion.toml
- rules/integrations/gcp/defense_evasion_gcp_storage_bucket_configuration_modified.toml
- rules/integrations/gcp/defense_evasion_gcp_storage_bucket_permissions_modified.toml
- rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_network_deleted.toml
- rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_created.toml
- rules/integrations/gcp/defense_evasion_gcp_virtual_private_cloud_route_deleted.toml
- rules/integrations/gcp/exfiltration_gcp_logging_sink_modification.toml
- rules/integrations/gcp/impact_gcp_iam_role_deletion.toml
- rules/integrations/gcp/impact_gcp_service_account_deleted.toml
- rules/integrations/gcp/impact_gcp_service_account_disabled.toml
- rules/integrations/gcp/impact_gcp_storage_bucket_deleted.toml
- rules/integrations/gcp/initial_access_gcp_iam_custom_role_creation.toml
- rules/integrations/gcp/persistence_gcp_iam_service_account_key_deletion.toml
- rules/integrations/gcp/persistence_gcp_key_created_for_service_account.toml
- rules/integrations/gcp/persistence_gcp_service_account_created.toml
- rules/integrations/gcp/privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml
- rules/integrations/google_workspace/defense_evasion_domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/impact_google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/persistence_application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
- rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
- rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
- rules/integrations/google_workspace/persistence_google_workspace_policy_modified.toml
- rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
- rules/integrations/google_workspace/persistence_mfa_disabled_for_google_workspace_organization.toml
- rules/integrations/kubernetes/discovery_suspicious_self_subject_review.toml
- rules/integrations/kubernetes/execution_user_exec_to_pod.toml
- rules/integrations/kubernetes/persistence_exposed_service_created_with_type_nodeport.toml
- rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostipc.toml
- rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostnetwork.toml
- rules/integrations/kubernetes/privilege_escalation_pod_created_with_hostpid.toml
- rules/integrations/kubernetes/privilege_escalation_pod_created_with_sensitive_hospath_volume.toml
- rules/integrations/kubernetes/privilege_escalation_privileged_pod_created.toml
- rules/integrations/o365/collection_microsoft_365_new_inbox_rule.toml
- rules/integrations/o365/credential_access_microsoft_365_brute_force_user_account_attempt.toml
- rules/integrations/o365/credential_access_microsoft_365_potential_password_spraying_attack.toml
- rules/integrations/o365/credential_access_user_excessive_sso_logon_errors.toml
- rules/integrations/o365/defense_evasion_microsoft_365_exchange_dlp_policy_removed.toml
- rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_policy_deletion.toml
- rules/integrations/o365/defense_evasion_microsoft_365_exchange_malware_filter_rule_mod.toml
- rules/integrations/o365/defense_evasion_microsoft_365_exchange_safe_attach_rule_disabled.toml
- rules/integrations/o365/defense_evasion_microsoft_365_mailboxauditbypassassociation.toml
- rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_creation.toml
- rules/integrations/o365/exfiltration_microsoft_365_exchange_transport_rule_mod.toml
- rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml
- rules/integrations/o365/impact_microsoft_365_unusual_volume_of_file_deletion.toml
- rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_policy_deletion.toml
- rules/integrations/o365/initial_access_microsoft_365_exchange_anti_phish_rule_mod.toml
- rules/integrations/o365/initial_access_microsoft_365_exchange_safelinks_disabled.toml
- rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml
- rules/integrations/o365/initial_access_o365_user_reported_phish_malware.toml
- rules/integrations/o365/lateral_movement_malware_uploaded_onedrive.toml
- rules/integrations/o365/lateral_movement_malware_uploaded_sharepoint.toml
- rules/integrations/o365/persistence_exchange_suspicious_mailbox_right_delegation.toml
- rules/integrations/o365/persistence_microsoft_365_exchange_dkim_signing_config_disabled.toml
- rules/integrations/o365/persistence_microsoft_365_exchange_management_role_assignment.toml
- rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
- rules/integrations/o365/persistence_microsoft_365_teams_custom_app_interaction_allowed.toml
- rules/integrations/o365/persistence_microsoft_365_teams_external_access_enabled.toml
- rules/integrations/o365/persistence_microsoft_365_teams_guest_access_enabled.toml
- rules/integrations/o365/privilege_escalation_new_or_modified_federation_domain.toml
- rules/integrations/okta/credential_access_attempted_bypass_of_okta_mfa.toml
- rules/integrations/okta/credential_access_attempts_to_brute_force_okta_user_account.toml
- rules/integrations/okta/credential_access_mfa_push_brute_force.toml
- rules/integrations/okta/credential_access_okta_brute_force_or_password_spraying.toml
- rules/integrations/okta/credential_access_user_impersonation_access.toml
- rules/integrations/okta/defense_evasion_attempt_to_deactivate_okta_network_zone.toml
- rules/integrations/okta/defense_evasion_attempt_to_delete_okta_network_zone.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_deactivate_okta_policy_rule.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_delete_okta_policy_rule.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_network_zone.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy.toml
- rules/integrations/okta/defense_evasion_okta_attempt_to_modify_okta_policy_rule.toml
- rules/integrations/okta/defense_evasion_suspicious_okta_user_password_reset_or_unlock_attempts.toml
- rules/integrations/okta/impact_attempt_to_revoke_okta_api_token.toml
- rules/integrations/okta/impact_okta_attempt_to_deactivate_okta_application.toml
- rules/integrations/okta/impact_okta_attempt_to_delete_okta_application.toml
- rules/integrations/okta/impact_okta_attempt_to_modify_okta_application.toml
- rules/integrations/okta/impact_possible_okta_dos_attack.toml
- rules/integrations/okta/initial_access_okta_user_attempted_unauthorized_access.toml
- rules/integrations/okta/initial_access_suspicious_activity_reported_by_okta_user.toml
- rules/integrations/okta/okta_threat_detected_by_okta_threatinsight.toml
- rules/integrations/okta/persistence_administrator_privileges_assigned_to_okta_group.toml
- rules/integrations/okta/persistence_administrator_role_assigned_to_okta_user.toml
- rules/integrations/okta/persistence_attempt_to_create_okta_api_token.toml
- rules/integrations/okta/persistence_attempt_to_deactivate_mfa_for_okta_user_account.toml
- rules/integrations/okta/persistence_attempt_to_reset_mfa_factors_for_okta_user_account.toml
- rules/integrations/okta/persistence_okta_attempt_to_modify_or_delete_application_sign_on_policy.toml
- rules/linux/command_and_control_connection_attempt_by_non_ssh_root_session.toml
- rules/linux/command_and_control_linux_iodine_activity.toml
- rules/linux/command_and_control_tunneling_via_earthworm.toml
- rules/linux/credential_access_collection_sensitive_files.toml
- rules/linux/credential_access_ssh_backdoor_log.toml
- rules/linux/defense_evasion_attempt_to_disable_syslog_service.toml
- rules/linux/defense_evasion_base16_or_base32_encoding_or_decoding_activity.toml
- rules/linux/defense_evasion_chattr_immutable_file.toml
- rules/linux/defense_evasion_disable_selinux_attempt.toml
- rules/linux/defense_evasion_file_deletion_via_shred.toml
- rules/linux/defense_evasion_file_mod_writable_dir.toml
- rules/linux/defense_evasion_hidden_file_dir_tmp.toml
- rules/linux/defense_evasion_hidden_shared_object.toml
- rules/linux/defense_evasion_kernel_module_removal.toml
- rules/linux/defense_evasion_log_files_deleted.toml
- rules/linux/discovery_kernel_module_enumeration.toml
- rules/linux/discovery_linux_hping_activity.toml
- rules/linux/discovery_linux_nping_activity.toml
- rules/linux/discovery_virtual_machine_fingerprinting.toml
- rules/linux/execution_abnormal_process_id_file_created.toml
- rules/linux/execution_linux_netcat_network_connection.toml
- rules/linux/execution_perl_tty_shell.toml
- rules/linux/execution_process_started_from_process_id_file.toml
- rules/linux/execution_process_started_in_shared_memory_directory.toml
- rules/linux/execution_python_tty_shell.toml
- rules/linux/execution_shell_evasion_linux_binary.toml
- rules/linux/execution_tc_bpf_filter.toml
- rules/linux/impact_process_kill_threshold.toml
- rules/linux/lateral_movement_telnet_network_activity_external.toml
- rules/linux/lateral_movement_telnet_network_activity_internal.toml
- rules/linux/persistence_chkconfig_service_add.toml
- rules/linux/persistence_credential_access_modify_ssh_binaries.toml
- rules/linux/persistence_dynamic_linker_backup.toml
- rules/linux/persistence_etc_file_creation.toml
- rules/linux/persistence_insmod_kernel_module_load.toml
- rules/linux/persistence_kde_autostart_modification.toml
- rules/linux/persistence_shell_activity_by_web_server.toml
- rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml
- rules/linux/privilege_escalation_pkexec_envar_hijack.toml
- rules/macos/credential_access_access_to_browser_credentials_procargs.toml
- rules/macos/credential_access_credentials_keychains.toml
- rules/macos/credential_access_dumping_hashes_bi_cmds.toml
- rules/macos/credential_access_dumping_keychain_security.toml
- rules/macos/credential_access_kerberosdump_kcc.toml
- rules/macos/credential_access_keychain_pwd_retrieval_security_cmd.toml
- rules/macos/credential_access_mitm_localhost_webproxy.toml
- rules/macos/credential_access_potential_ssh_bruteforce.toml
- rules/macos/credential_access_promt_for_pwd_via_osascript.toml
- rules/macos/credential_access_systemkey_dumping.toml
- rules/macos/defense_evasion_apple_softupdates_modification.toml
- rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
- rules/macos/defense_evasion_attempt_to_disable_gatekeeper.toml
- rules/macos/defense_evasion_install_root_certificate.toml
- rules/macos/defense_evasion_modify_environment_launchctl.toml
- rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml
- rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml
- rules/macos/defense_evasion_safari_config_change.toml
- rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml
- rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml
- rules/macos/defense_evasion_unload_endpointsecurity_kext.toml
- rules/macos/discovery_users_domain_built_in_commands.toml
- rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml
- rules/macos/execution_initial_access_suspicious_browser_childproc.toml
- rules/macos/execution_installer_package_spawned_network_event.toml
- rules/macos/execution_script_via_automator_workflows.toml
- rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml
- rules/macos/execution_shell_execution_via_apple_scripting.toml
- rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
- rules/macos/lateral_movement_credential_access_kerberos_bifrostconsole.toml
- rules/macos/lateral_movement_mounting_smb_share.toml
- rules/macos/lateral_movement_remote_ssh_login_enabled.toml
- rules/macos/lateral_movement_vpn_connection_attempt.toml
- rules/macos/persistence_account_creation_hide_at_logon.toml
- rules/macos/persistence_creation_change_launch_agents_file.toml
- rules/macos/persistence_creation_hidden_login_item_osascript.toml
- rules/macos/persistence_creation_modif_launch_deamon_sequence.toml
- rules/macos/persistence_credential_access_authorization_plugin_creation.toml
- rules/macos/persistence_crontab_creation.toml
- rules/macos/persistence_defense_evasion_hidden_launch_agent_deamon_logonitem_process.toml
- rules/macos/persistence_directory_services_plugins_modification.toml
- rules/macos/persistence_docker_shortcuts_plist_modification.toml
- rules/macos/persistence_emond_rules_file_creation.toml
- rules/macos/persistence_emond_rules_process_execution.toml
- rules/macos/persistence_enable_root_account.toml
- rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml
- rules/macos/persistence_finder_sync_plugin_pluginkit.toml
- rules/macos/persistence_folder_action_scripts_runtime.toml
- rules/macos/persistence_login_logout_hooks_defaults.toml
- rules/macos/persistence_loginwindow_plist_modification.toml
- rules/macos/persistence_modification_sublime_app_plugin_or_script.toml
- rules/macos/persistence_periodic_tasks_file_mdofiy.toml
- rules/macos/persistence_screensaver_engine_unexpected_child_process.toml
- rules/macos/persistence_screensaver_plist_file_modification.toml
- rules/macos/persistence_suspicious_calendar_modification.toml
- rules/macos/persistence_via_atom_init_file_modification.toml
- rules/macos/privilege_escalation_applescript_with_admin_privs.toml
- rules/macos/privilege_escalation_explicit_creds_via_scripting.toml
- rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml
- rules/macos/privilege_escalation_local_user_added_to_admin.toml
- rules/macos/privilege_escalation_root_crontab_filemod.toml
- rules/ml/command_and_control_ml_packetbeat_dns_tunneling.toml
- rules/ml/command_and_control_ml_packetbeat_rare_dns_question.toml
- rules/ml/command_and_control_ml_packetbeat_rare_urls.toml
- rules/ml/command_and_control_ml_packetbeat_rare_user_agent.toml
- rules/ml/credential_access_ml_auth_spike_in_failed_logon_events.toml
- rules/ml/credential_access_ml_auth_spike_in_logon_events.toml
- rules/ml/credential_access_ml_auth_spike_in_logon_events_from_a_source_ip.toml
- rules/ml/credential_access_ml_linux_anomalous_metadata_process.toml
- rules/ml/credential_access_ml_linux_anomalous_metadata_user.toml
- rules/ml/credential_access_ml_suspicious_login_activity.toml
- rules/ml/credential_access_ml_windows_anomalous_metadata_process.toml
- rules/ml/credential_access_ml_windows_anomalous_metadata_user.toml
- rules/ml/discovery_ml_linux_system_information_discovery.toml
- rules/ml/discovery_ml_linux_system_network_configuration_discovery.toml
- rules/ml/discovery_ml_linux_system_network_connection_discovery.toml
- rules/ml/discovery_ml_linux_system_process_discovery.toml
- rules/ml/discovery_ml_linux_system_user_discovery.toml
- rules/ml/execution_ml_windows_anomalous_script.toml
- rules/ml/initial_access_ml_auth_rare_hour_for_a_user_to_logon.toml
- rules/ml/initial_access_ml_auth_rare_source_ip_for_a_user.toml
- rules/ml/initial_access_ml_auth_rare_user_logon.toml
- rules/ml/initial_access_ml_linux_anomalous_user_name.toml
- rules/ml/initial_access_ml_windows_anomalous_user_name.toml
- rules/ml/initial_access_ml_windows_rare_user_type10_remote_login.toml
- rules/ml/ml_high_count_network_denies.toml
- rules/ml/ml_high_count_network_events.toml
- rules/ml/ml_linux_anomalous_network_activity.toml
- rules/ml/ml_linux_anomalous_network_port_activity.toml
- rules/ml/ml_packetbeat_rare_server_domain.toml
- rules/ml/ml_rare_destination_country.toml
- rules/ml/ml_spike_in_traffic_to_a_country.toml
- rules/ml/ml_windows_anomalous_network_activity.toml
- rules/ml/persistence_ml_linux_anomalous_process_all_hosts.toml
- rules/ml/persistence_ml_rare_process_by_host_linux.toml
- rules/ml/persistence_ml_rare_process_by_host_windows.toml
- rules/ml/persistence_ml_windows_anomalous_path_activity.toml
- rules/ml/persistence_ml_windows_anomalous_process_all_hosts.toml
- rules/ml/persistence_ml_windows_anomalous_process_creation.toml
- rules/ml/persistence_ml_windows_anomalous_service.toml
- rules/ml/privilege_escalation_ml_linux_anomalous_sudo_activity.toml
- rules/ml/privilege_escalation_ml_windows_rare_user_runas_event.toml
- rules/ml/resource_development_ml_linux_anomalous_compiler_activity.toml
- rules/network/command_and_control_cobalt_strike_beacon.toml
- rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
- rules/network/command_and_control_download_rar_powershell_from_internet.toml
- rules/network/command_and_control_fin7_c2_behavior.toml
- rules/network/command_and_control_halfbaked_beacon.toml
- rules/network/command_and_control_nat_traversal_port_activity.toml
- rules/network/command_and_control_port_26_activity.toml
- rules/network/command_and_control_rdp_remote_desktop_protocol_from_the_internet.toml
- rules/network/command_and_control_telnet_port_activity.toml
- rules/network/command_and_control_vnc_virtual_network_computing_from_the_internet.toml
- rules/network/command_and_control_vnc_virtual_network_computing_to_the_internet.toml
- rules/network/initial_access_rpc_remote_procedure_call_from_the_internet.toml
- rules/network/initial_access_rpc_remote_procedure_call_to_the_internet.toml
- rules/network/initial_access_smb_windows_file_sharing_activity_to_the_internet.toml
- rules/network/initial_access_unsecure_elasticsearch_node.toml
- rules/promotions/credential_access_endgame_cred_dumping_detected.toml
- rules/promotions/credential_access_endgame_cred_dumping_prevented.toml
- rules/promotions/endgame_adversary_behavior_detected.toml
- rules/promotions/endgame_malware_detected.toml
- rules/promotions/endgame_malware_prevented.toml
- rules/promotions/endgame_ransomware_detected.toml
- rules/promotions/endgame_ransomware_prevented.toml
- rules/promotions/execution_endgame_exploit_detected.toml
- rules/promotions/execution_endgame_exploit_prevented.toml
- rules/promotions/external_alerts.toml
- rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
- rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
- rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
- rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
- rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
- rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
- rules/windows/collection_email_powershell_exchange_mailbox.toml
- rules/windows/collection_posh_audio_capture.toml
- rules/windows/collection_posh_keylogger.toml
- rules/windows/collection_posh_screen_grabber.toml
- rules/windows/collection_winrar_encryption.toml
- rules/windows/command_and_control_certutil_network_connection.toml
- rules/windows/command_and_control_common_webservices.toml
- rules/windows/command_and_control_dns_tunneling_nslookup.toml
- rules/windows/command_and_control_encrypted_channel_freesslcert.toml
- rules/windows/command_and_control_iexplore_via_com.toml
- rules/windows/command_and_control_port_forwarding_added_registry.toml
- rules/windows/command_and_control_rdp_tunnel_plink.toml
- rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
- rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
- rules/windows/command_and_control_remote_file_copy_powershell.toml
- rules/windows/command_and_control_remote_file_copy_scripts.toml
- rules/windows/command_and_control_sunburst_c2_activity_detected.toml
- rules/windows/command_and_control_teamviewer_remote_file_copy.toml
- rules/windows/credential_access_cmdline_dump_tool.toml
- rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
- rules/windows/credential_access_credential_dumping_msbuild.toml
- rules/windows/credential_access_dcsync_replication_rights.toml
- rules/windows/credential_access_disable_kerberos_preauth.toml
- rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
- rules/windows/credential_access_dump_registry_hives.toml
- rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
- rules/windows/credential_access_iis_connectionstrings_dumping.toml
- rules/windows/credential_access_kerberoasting_unusual_process.toml
- rules/windows/credential_access_lsass_handle_via_malseclogon.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/credential_access_lsass_memdump_handle_access.toml
- rules/windows/credential_access_mimikatz_memssp_default_logs.toml
- rules/windows/credential_access_mimikatz_powershell_module.toml
- rules/windows/credential_access_mod_wdigest_security_provider.toml
- rules/windows/credential_access_moving_registry_hive_via_smb.toml
- rules/windows/credential_access_persistence_network_logon_provider_modification.toml
- rules/windows/credential_access_posh_minidump.toml
- rules/windows/credential_access_posh_request_ticket.toml
- rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml
- rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml
- rules/windows/credential_access_remote_sam_secretsdump.toml
- rules/windows/credential_access_saved_creds_vaultcmd.toml
- rules/windows/credential_access_seenabledelegationprivilege_assigned_to_user.toml
- rules/windows/credential_access_shadow_credentials.toml
- rules/windows/credential_access_spn_attribute_modified.toml
- rules/windows/credential_access_suspicious_comsvcs_imageload.toml
- rules/windows/credential_access_suspicious_lsass_access_memdump.toml
- rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml
- rules/windows/credential_access_suspicious_winreg_access_via_sebackup_priv.toml
- rules/windows/credential_access_symbolic_link_to_shadow_copy_created.toml
- rules/windows/credential_access_via_snapshot_lsass_clone_creation.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_amsienable_key_mod.toml
- rules/windows/defense_evasion_clearing_windows_console_history.toml
- rules/windows/defense_evasion_clearing_windows_event_logs.toml
- rules/windows/defense_evasion_clearing_windows_security_logs.toml
- rules/windows/defense_evasion_create_mod_root_certificate.toml
- rules/windows/defense_evasion_cve_2020_0601.toml
- rules/windows/defense_evasion_defender_disabled_via_registry.toml
- rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
- rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
- rules/windows/defense_evasion_disable_posh_scriptblocklogging.toml
- rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
- rules/windows/defense_evasion_disabling_windows_defender_powershell.toml
- rules/windows/defense_evasion_disabling_windows_logs.toml
- rules/windows/defense_evasion_dns_over_https_enabled.toml
- rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
- rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
- rules/windows/defense_evasion_enable_network_discovery_with_netsh.toml
- rules/windows/defense_evasion_execution_control_panel_suspicious_args.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
- rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
- rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
- rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
- rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
- rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
- rules/windows/defense_evasion_execution_windefend_unusual_path.toml
- rules/windows/defense_evasion_file_creation_mult_extension.toml
- rules/windows/defense_evasion_from_unusual_directory.toml
- rules/windows/defense_evasion_hide_encoded_executable_registry.toml
- rules/windows/defense_evasion_iis_httplogging_disabled.toml
- rules/windows/defense_evasion_injection_msbuild.toml
- rules/windows/defense_evasion_installutil_beacon.toml
- rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
- rules/windows/defense_evasion_masquerading_renamed_autoit.toml
- rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
- rules/windows/defense_evasion_masquerading_trusted_directory.toml
- rules/windows/defense_evasion_masquerading_werfault.toml
- rules/windows/defense_evasion_microsoft_defender_tampering.toml
- rules/windows/defense_evasion_misc_lolbin_connecting_to_the_internet.toml
- rules/windows/defense_evasion_ms_office_suspicious_regmod.toml
- rules/windows/defense_evasion_msbuild_making_network_connections.toml
- rules/windows/defense_evasion_mshta_beacon.toml
- rules/windows/defense_evasion_msxsl_network.toml
- rules/windows/defense_evasion_network_connection_from_windows_binary.toml
- rules/windows/defense_evasion_parent_process_pid_spoofing.toml
- rules/windows/defense_evasion_posh_assembly_load.toml
- rules/windows/defense_evasion_posh_compressed.toml
- rules/windows/defense_evasion_posh_process_injection.toml
- rules/windows/defense_evasion_potential_processherpaderping.toml
- rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml
- rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
- rules/windows/defense_evasion_proxy_execution_via_msdt.toml
- rules/windows/defense_evasion_rundll32_no_arguments.toml
- rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
- rules/windows/defense_evasion_sdelete_like_filename_rename.toml
- rules/windows/defense_evasion_sip_provider_mod.toml
- rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/defense_evasion_suspicious_execution_from_mounted_device.toml
- rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
- rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml
- rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
- rules/windows/defense_evasion_suspicious_scrobj_load.toml
- rules/windows/defense_evasion_suspicious_short_program_name.toml
- rules/windows/defense_evasion_suspicious_wmi_script.toml
- rules/windows/defense_evasion_suspicious_zoom_child_process.toml
- rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
- rules/windows/defense_evasion_unusual_ads_file_creation.toml
- rules/windows/defense_evasion_unusual_dir_ads.toml
- rules/windows/defense_evasion_unusual_network_connection_via_dllhost.toml
- rules/windows/defense_evasion_unusual_network_connection_via_rundll32.toml
- rules/windows/defense_evasion_unusual_process_network_connection.toml
- rules/windows/defense_evasion_unusual_system_vp_child_program.toml
- rules/windows/defense_evasion_via_filter_manager.toml
- rules/windows/defense_evasion_workfolders_control_execution.toml
- rules/windows/discovery_adfind_command_activity.toml
- rules/windows/discovery_admin_recon.toml
- rules/windows/discovery_command_system_account.toml
- rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml
- rules/windows/discovery_net_view.toml
- rules/windows/discovery_peripheral_device.toml
- rules/windows/discovery_posh_suspicious_api_functions.toml
- rules/windows/discovery_post_exploitation_external_ip_lookup.toml
- rules/windows/discovery_privileged_localgroup_membership.toml
- rules/windows/discovery_remote_system_discovery_commands_windows.toml
- rules/windows/discovery_security_software_wmic.toml
- rules/windows/discovery_whoami_command_activity.toml
- rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
- rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
- rules/windows/execution_com_object_xwizard.toml
- rules/windows/execution_command_prompt_connecting_to_the_internet.toml
- rules/windows/execution_command_shell_started_by_svchost.toml
- rules/windows/execution_command_shell_started_by_unusual_process.toml
- rules/windows/execution_command_shell_via_rundll32.toml
- rules/windows/execution_enumeration_via_wmiprvse.toml
- rules/windows/execution_from_unusual_path_cmdline.toml
- rules/windows/execution_html_help_executable_program_connecting_to_the_internet.toml
- rules/windows/execution_ms_office_written_file.toml
- rules/windows/execution_pdf_written_file.toml
- rules/windows/execution_posh_portable_executable.toml
- rules/windows/execution_posh_psreflect.toml
- rules/windows/execution_psexec_lateral_movement_command.toml
- rules/windows/execution_register_server_program_connecting_to_the_internet.toml
- rules/windows/execution_scheduled_task_powershell_source.toml
- rules/windows/execution_shared_modules_local_sxs_dll.toml
- rules/windows/execution_suspicious_cmd_wmi.toml
- rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
- rules/windows/execution_suspicious_pdf_reader.toml
- rules/windows/execution_suspicious_powershell_imgload.toml
- rules/windows/execution_suspicious_psexesvc.toml
- rules/windows/execution_via_compiled_html_file.toml
- rules/windows/execution_via_hidden_shell_conhost.toml
- rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
- rules/windows/impact_backup_file_deletion.toml
- rules/windows/impact_deleting_backup_catalogs_with_wbadmin.toml
- rules/windows/impact_modification_of_boot_config.toml
- rules/windows/impact_stop_process_service_threshold.toml
- rules/windows/impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml
- rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml
- rules/windows/impact_volume_shadow_copy_deletion_via_wmic.toml
- rules/windows/initial_access_evasion_suspicious_htm_file_creation.toml
- rules/windows/initial_access_script_executing_powershell.toml
- rules/windows/initial_access_scripts_process_started_via_wmi.toml
- rules/windows/initial_access_suspicious_ms_exchange_files.toml
- rules/windows/initial_access_suspicious_ms_exchange_process.toml
- rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml
- rules/windows/initial_access_suspicious_ms_office_child_process.toml
- rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
- rules/windows/initial_access_unusual_dns_service_children.toml
- rules/windows/initial_access_unusual_dns_service_file_writes.toml
- rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
- rules/windows/lateral_movement_cmd_service.toml
- rules/windows/lateral_movement_dcom_hta.toml
- rules/windows/lateral_movement_dcom_mmc20.toml
- rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml
- rules/windows/lateral_movement_defense_evasion_lanman_nullsessionpipe_modification.toml
- rules/windows/lateral_movement_direct_outbound_smb_connection.toml
- rules/windows/lateral_movement_dns_server_overflow.toml
- rules/windows/lateral_movement_evasion_rdp_shadowing.toml
- rules/windows/lateral_movement_executable_tool_transfer_smb.toml
- rules/windows/lateral_movement_execution_from_tsclient_mup.toml
- rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
- rules/windows/lateral_movement_incoming_winrm_shell_execution.toml
- rules/windows/lateral_movement_incoming_wmi.toml
- rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
- rules/windows/lateral_movement_powershell_remoting_target.toml
- rules/windows/lateral_movement_rdp_enabled_registry.toml
- rules/windows/lateral_movement_rdp_sharprdp_target.toml
- rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
- rules/windows/lateral_movement_remote_services.toml
- rules/windows/lateral_movement_scheduled_task_target.toml
- rules/windows/lateral_movement_service_control_spawned_script_int.toml
- rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
- rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
- rules/windows/persistence_ad_adminsdholder.toml
- rules/windows/persistence_adobe_hijack_persistence.toml
- rules/windows/persistence_app_compat_shim.toml
- rules/windows/persistence_appcertdlls_registry.toml
- rules/windows/persistence_appinitdlls_registry.toml
- rules/windows/persistence_dontexpirepasswd_account.toml
- rules/windows/persistence_evasion_hidden_local_account_creation.toml
- rules/windows/persistence_evasion_registry_ifeo_injection.toml
- rules/windows/persistence_evasion_registry_startup_shell_folder_modified.toml
- rules/windows/persistence_gpo_schtask_service_creation.toml
- rules/windows/persistence_local_scheduled_job_creation.toml
- rules/windows/persistence_local_scheduled_task_creation.toml
- rules/windows/persistence_local_scheduled_task_scripting.toml
- rules/windows/persistence_ms_office_addins_file.toml
- rules/windows/persistence_ms_outlook_vba_template.toml
- rules/windows/persistence_msds_alloweddelegateto_krbtgt.toml
- rules/windows/persistence_powershell_exch_mailbox_activesync_add_device.toml
- rules/windows/persistence_priv_escalation_via_accessibility_features.toml
- rules/windows/persistence_registry_uncommon.toml
- rules/windows/persistence_remote_password_reset.toml
- rules/windows/persistence_run_key_and_startup_broad.toml
- rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
- rules/windows/persistence_sdprop_exclusion_dsheuristics.toml
- rules/windows/persistence_services_registry.toml
- rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
- rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml
- rules/windows/persistence_startup_folder_scripts.toml
- rules/windows/persistence_suspicious_com_hijack_registry.toml
- rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
- rules/windows/persistence_suspicious_scheduled_task_runtime.toml
- rules/windows/persistence_suspicious_service_created_registry.toml
- rules/windows/persistence_system_shells_via_services.toml
- rules/windows/persistence_time_provider_mod.toml
- rules/windows/persistence_user_account_added_to_privileged_group_ad.toml
- rules/windows/persistence_user_account_creation.toml
- rules/windows/persistence_via_application_shimming.toml
- rules/windows/persistence_via_bits_job_notify_command.toml
- rules/windows/persistence_via_hidden_run_key_valuename.toml
- rules/windows/persistence_via_lsa_security_support_provider_registry.toml
- rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
- rules/windows/persistence_via_update_orchestrator_service_hijack.toml
- rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
- rules/windows/persistence_via_wmi_stdregprov_run_services.toml
- rules/windows/persistence_webshell_detection.toml
- rules/windows/privilege_escalation_disable_uac_registry.toml
- rules/windows/privilege_escalation_group_policy_iniscript.toml
- rules/windows/privilege_escalation_group_policy_privileged_groups.toml
- rules/windows/privilege_escalation_group_policy_scheduled_task.toml
- rules/windows/privilege_escalation_installertakeover.toml
- rules/windows/privilege_escalation_krbrelayup_service_creation.toml
- rules/windows/privilege_escalation_lsa_auth_package.toml
- rules/windows/privilege_escalation_named_pipe_impersonation.toml
- rules/windows/privilege_escalation_persistence_phantom_dll.toml
- rules/windows/privilege_escalation_port_monitor_print_pocessor_abuse.toml
- rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml
- rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
- rules/windows/privilege_escalation_printspooler_suspicious_file_deletion.toml
- rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
- rules/windows/privilege_escalation_rogue_windir_environment_var.toml
- rules/windows/privilege_escalation_samaccountname_spoofing_attack.toml
- rules/windows/privilege_escalation_suspicious_dnshostname_update.toml
- rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
- rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
- rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
- rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
- rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
- rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
- rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
- rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
- rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
- rules/windows/privilege_escalation_unusual_printspooler_childprocess.toml
- rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
- rules/windows/privilege_escalation_via_rogue_named_pipe.toml
- rules/windows/privilege_escalation_windows_service_via_unusual_client.toml
(selectively cherry picked from commit

3984f6e9cf
[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#2240)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit

7a2d7237b6
[Security Content] Add Investigation Guides - Cloud - 3 (#2132)
* [Security Content] Add Investigation Guides - Cloud - 3
* Apply suggestions from code review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
* Update rules/integrations/aws/defense_evasion_cloudtrail_logging_suspended.toml
* update dates
* Apply suggestions from review
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Removed changes from:
- rules/integrations/google_workspace/impact_google_workspace_mfa_enforcement_disabled.toml
(selectively cherry picked from commit

141b00ec41
[Rule Tuning] Missing MITRE ATT&CK Mappings (#2073)
* initial commit with eggshell mitre mapping added
* adding updated rules
* [Rule Tuning] MITRE for GCP rules
I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and its matched tactic.
* [Rule Tuning] Endgame Rule name updates for Mitre
Updated Endgame rule names for those with Mitre tactics to match the tactics.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* adding 10 updated rules for google_workspace, ml and o365
* adding 22 rule updates for mitre att&ck mappings
* adding 24 rule updates related mainly to ML rules
* adding 3 rules related to detection via ML
* adding adjustments
* adding adjustments with solutions to recent pytest errors
* removed tabs from tags
* adjusted mappings and added techniques
* adjusted endgame rule mappings per review
* adjusted names to match different tactics
* added execution and defense evasion tag
* adjustments to address errors from merging with main
* added newlines to rules missing them at the end of the file
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Removed changes from:
- rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/google_workspace_policy_modified.toml
- rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
- rules/ml/ml_linux_anomalous_compiler_activity.toml
- rules/ml/ml_linux_anomalous_metadata_process.toml
- rules/ml/ml_linux_anomalous_metadata_user.toml
- rules/ml/ml_linux_anomalous_process_all_hosts.toml
- rules/ml/ml_linux_anomalous_sudo_activity.toml
- rules/ml/ml_linux_anomalous_user_name.toml
- rules/ml/ml_linux_system_information_discovery.toml
- rules/ml/ml_linux_system_network_configuration_discovery.toml
- rules/ml/ml_linux_system_network_connection_discovery.toml
- rules/ml/ml_linux_system_process_discovery.toml
- rules/ml/ml_linux_system_user_discovery.toml
- rules/ml/ml_rare_process_by_host_linux.toml
- rules/ml/ml_rare_process_by_host_windows.toml
- rules/ml/ml_suspicious_login_activity.toml
- rules/ml/ml_windows_anomalous_metadata_process.toml
- rules/ml/ml_windows_anomalous_metadata_user.toml
- rules/ml/ml_windows_anomalous_path_activity.toml
- rules/ml/ml_windows_anomalous_process_all_hosts.toml
- rules/ml/ml_windows_anomalous_process_creation.toml
- rules/ml/ml_windows_anomalous_script.toml
- rules/ml/ml_windows_anomalous_service.toml
- rules/ml/ml_windows_anomalous_user_name.toml
- rules/ml/ml_windows_rare_user_runas_event.toml
- rules/ml/ml_windows_rare_user_type10_remote_login.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
(selectively cherry picked from commit

cf4b6e6e1e
[Security Content] Add Investigation Guides - Cloud - 2 (#2124)
* [Security Content] Add Investigation Guides - Cloud - 2
* Replace config/setup
* Applies suggestions from review
* Update credential_access_aws_iam_assume_role_brute_force.toml
* Apply suggestions from code review
* Update credential_access_aws_iam_assume_role_brute_force.toml
* Apply suggestions from code review
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: nastasha-solomon <79124755+nastasha-solomon@users.noreply.github.com>
(cherry picked from commit

fc26e83bfb
removed googlecloud.audit from event datasets (#2105)
(cherry picked from commit

dd5501d167
[Rule Tuning] GCP Firewall Rules Should Include App Engine (#2107)
* removed googlecloud.audit and added app engine event actions
* adjusted query for rule created
* adjusted queries to exclude v1
* Update rules/integrations/gcp/defense_evasion_gcp_firewall_rule_deleted.toml
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit

edef90b3ec
[Security Content] Add Investigation Guides to Cloud Rules - AWS (#2104)
* [Security Content] Add Investigation Guides to Cloud Rules - AWS
* Apply suggestion from review
* Update rules/integrations/aws/exfiltration_ec2_snapshot_change_activity.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Update rules/integrations/aws/impact_cloudwatch_log_stream_deletion.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
* Apply suggestions from review
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* Apply suggestions from code review
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
* .
* Applies suggestions from the https://github.com/elastic/detection-rules/pull/2124 PR
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
(cherry picked from commit

ec17d0b54d
2058 add setup field to metadata (#2061)
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>

62298d92f4
2058 add setup field to metadata (#2061)
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/integrations/google_workspace/application_added_to_google_workspace_domain.toml
- rules/integrations/google_workspace/domain_added_to_google_workspace_trusted_domains.toml
- rules/integrations/google_workspace/google_workspace_admin_role_deletion.toml
- rules/integrations/google_workspace/google_workspace_mfa_enforcement_disabled.toml
- rules/integrations/google_workspace/google_workspace_policy_modified.toml
- rules/integrations/google_workspace/mfa_disabled_for_google_workspace_organization.toml
- rules/integrations/google_workspace/persistence_google_workspace_admin_role_assigned_to_user.toml
- rules/integrations/google_workspace/persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml
- rules/integrations/google_workspace/persistence_google_workspace_custom_admin_role_created.toml
- rules/integrations/google_workspace/persistence_google_workspace_role_modified.toml
- rules/integrations/kubernetes/execution_user_exec_to_pod.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml
(selectively cherry picked from commit

57194b8e59
[Rule Tuning] M365 - Remove event.outcome condition from Auth Events (#2004)
* Remove event.outcome condition
* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml
* Revert "Update credential_access_microsoft_365_brute_force_user_account_attempt.toml"
This reverts commit c7e7c976174a62e6b50139291e8f7f1a34e7beab.
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
(cherry picked from commit

6a5a59ad00
[New Rule] AWS Redshift Cluster Creation (#1921)
* Add rule for Redshift data warehouse creation.
* Add fp block.
* Add AWS integration metadata.
* Add timestamp override.
* Add note.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
* Update description for redshift instance creation.
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
(cherry picked from commit

3d9013a4c0
[Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created (#1939)
* [Rule Tuning] Microsoft 365 Inbox Forwarding Rule Created
* Update non-ecs-schema.json
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit

e3c8981b63
Review & Fix Invalid References (#1936)
(cherry picked from commit

dfa41821ef
[Rule Tuning] AWS RDS Instance/Cluster Deletion (#1916)
* add RDS instance deletion to aws rule
I've added to this rule to improve coverage. Currently we detect creation and stopping of RDS clusters and instances. But we only detect the deletion of clusters, not instances. This adds the deletion of RDS instances to the detection.
* Update rules/integrations/aws/impact_rds_instance_cluster_deletion.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
(cherry picked from commit

b3e51520c4
[Rule Tuning] AWS Security Group Configuration Change Detection (#1915)
* Update persistence_ec2_security_group_configuration_change_detection
Rule does not trigger as expected due to 'iam' provider. I changed the specified provider to 'ec2'.
* update to improve rule coverage
I edited this rule to include the deletion of an RDS Instance. This fills a current gap in coverage as we are able to detect the creation and stopping of RDS instances and clusters, but only detect deletion of RDS clusters.
* Revert "update to improve rule coverage"
This reverts commit b3b094274fe13c56908aa6781c8236de6e3b5380.
(cherry picked from commit

eeb8ab7744
Expand timestamp override tests (#1907)
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
Removed changes from:
- rules/cross-platform/impact_hosts_file_modified.toml
- rules/windows/credential_access_lsass_memdump_file_created.toml
- rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
- rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
- rules/windows/defense_evasion_suspicious_certutil_commands.toml
- rules/windows/execution_command_shell_started_by_svchost.toml
(selectively cherry picked from commit

150ff0502e
Linux Shell Evasion Rule Tuning (#1878)
* Linux Shell Evasion Rule Tuning
* Update execution_python_tty_shell.toml
* Update rules/linux/execution_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_apt_binary.toml
* Update rules/linux/execution_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_awk_binary_shell.toml
* Update rules/linux/execution_c89_c99_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_c89_c99_binary.toml
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_cpulimit_binary.toml
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
* Update rules/linux/execution_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_find_binary.toml
* Update rules/linux/execution_gcc_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_gcc_binary.toml
* Update rules/linux/execution_mysql_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_mysql_binary.toml
* Update rules/linux/execution_nice_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_nice_binary.toml
* Update rules/linux/execution_ssh_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_ssh_binary.toml
* Update execution_perl_tty_shell.toml
* Update execution_python_tty_shell.toml
* Update rules/linux/execution_apt_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_awk_binary_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_c89_c99_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_cpulimit_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_expect_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_find_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_gcc_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_mysql_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_nice_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/linux/execution_ssh_binary.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>