Commit Graph

74 Commits

Author SHA1 Message Date
Ruben Groenewoud d41855a2ac [New Rules] DDExec Analysis (#3408)
* [New Rules] DDExec Analysis

* Increased rule scope

* [New Rule] Dynamic Linker Discovery via od

* Revert "[New Rule] Dynamic Linker Discovery via od"

This reverts commit c58595b77f517d3f236a64a52c38804253db64cc.

* [New Rule] Dynamic Linker Discovery via od

* [New Rule] Potential Memory Seeking Activity

* [New BBR] Suspicious Memory grep Activity

* Added endgame + auditd_manager support

* Removed auditd_manager support for now

* Removed auditd_manager support for now

* Update discovery_suspicious_memory_grep_activity.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-02-06 14:47:37 +01:00
Jonhnathan 8274f9a816 [Rule Tuning] Windows BBR Tuning - 1 (#3380)
* [Rule Tuning] Windows BBR Tuning - 1

* .

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2024-02-05 12:47:24 -03:00
Ruben Groenewoud a66394c550 [New BBR] Reverse Connection through Port Knocking (#3219)
* [New BBR] Reverse Connection through Port Knocking

* Attempt to fix unit testing error

* Mitre list fix?

* Revert "Mitre list fix?"

This reverts commit 83682b8a58c2954911495d218392a33ee0615db2.

* Update command_and_control_linux_port_knocking_reverse_connection.toml

* Update command_and_control_linux_port_knocking_reverse_connection.toml

* Update rules_building_block/command_and_control_linux_port_knocking_reverse_connection.toml

* Update command_and_control_linux_port_knocking_reverse_connection.toml

* Update command_and_control_linux_port_knocking_reverse_connection.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2024-01-24 16:30:31 +01:00
Isai 442435830f [New Rules] UEBA GitHub BBRs and Rules (#3174)
* [New Rules] UEBA GitHub BBRs and Rules

A new set of BBRs and rules that will be used to trigger new UEBA GitHub threshold Rules.

* Update rules/integrations/github/impact_github_member_removed_from_organization.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* edited BBR rules

-removed newly added member rule

* updated integration manifests and schemas

* Updated min_stack for some rules based on newest GitHub integration schema manifest

* testing min_stack bump to 8.8 for new fields

* removing offending rule to troubleshoot separately

* added UEBA tags and created UEBA threshold rule

* updated non-ecs-schema to add signal.rule.tags

* updated non-ecs-schema with kibana.alert.workflow_status

* updated rule.threat.tactic

* added user.name to non-ecs-schema

* added quotes to kibana.alert.workflow_status value

* removed trailing space from rule name

* update tags and optimize query for UEBA threshold rule

* removed integration field from Higher-Order rule

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* adjusted new_terms order and rule types based on review feedback

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* remove user.name from detection_rules/etc/non-ecs-schema.json

* fix json formatting

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-01-22 12:48:31 -05:00
shashank-elastic 1a2ef4b867 Linux Process Capabilities Enrichment Detection Rules (#3366)
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2024-01-18 22:49:43 +05:30
Terrance DeJesus 1c10c37468 [Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368)
* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2024-01-17 14:14:38 -05:00
Ruben Groenewoud b32733601a [Rule Tuning] Linux BBR Tuning (#3347)
* [Rule Tuning] Linux BBR Tuning

* Update persistence_creation_of_kernel_module.toml
2023-12-19 20:17:53 +01:00
Ruben Groenewoud 91a757a018 [Security Content] Add Investigation Guides to Linux C2 Rules (#3247)
* [Security Content] Add Investigation Guides to Linux C2 Rules

* Applied feedback
2023-12-18 17:02:40 +01:00
Ruben Groenewoud 84824c67fd [Tuning & New Rule] Linux Reverse Shell & DR Tuning (#3254)
* [Rule Tuning & New Rule] Linux Reverse Shell

* [Tuning & New Rule] Linux Reverse Shells

* Name change

* Update rules/linux/execution_shell_via_child_tcp_utility_linux.toml

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>

* Update execution_shell_via_child_tcp_utility_linux.toml

* Update execution_shell_via_background_process.toml

---------

Co-authored-by: shashank-elastic <91139415+shashank-elastic@users.noreply.github.com>
2023-12-18 09:36:21 +01:00
Justin Ibarra a6c5cfc418 [Rule Tuning] Optimize query for Query Registry using Built-in Tools (#3330)
* [Rule Tuning] Optimize query for Query Registry using Built-in Tools

* reduce history window to 7d

* use args vs command_line wildcards

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
2023-12-14 19:55:36 -07:00
Jonhnathan aeb1f91320 [Security Content] Introduce Investigate Plugin in Investigation Guides (#3080)
* [Security Content] Introduce Investigate Plugin in Investigation Guides
* Add compatibility note
* Update Transform format
* update transform unit tests for investigate
* updated docs with transform

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-12-08 11:54:40 -07:00
Ruben Groenewoud 490fa0e1d2 [New Rule] Out-Of-Tree Kernel Module Load (#3233)
* [New Rule] Out-Of-Tree Kernel Module Load

* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml

* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules_building_block/persistence_tainted_kernel_module_out_of_tree_load.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-12-07 22:53:21 +01:00
Ruben Groenewoud 07b1cab919 [New BBR] Pot. Persistence Through Systemd-udevd (#3235)
* [New BBR] Persistence Through Systemd-udevd

* Formatting change

* Update rules_building_block/persistence_udev_rule_creation.toml

* Update rules_building_block/persistence_udev_rule_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules_building_block/persistence_udev_rule_creation.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-12-07 22:42:29 +01:00
Ruben Groenewoud 38862b89e9 [Tuning] Small Linux DR Tuning (#3287) 2023-12-07 12:45:24 +01:00
Ruben Groenewoud dff4633dd4 [New BBR] Segfault Detected (#3240)
* [New BBR] Segfault Detected

* Update rules_building_block/execution_linux_segfault.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules_building_block/execution_linux_segfault.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-11-02 09:40:50 +01:00
Ruben Groenewoud 967f6a4c89 [New BBR] Kernel Driver Load (#3236)
* [New BBR] Kernel Driver Load

* added event.dataset to the query

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-11-02 09:32:38 +01:00
shashank-elastic a568c56bc1 Move Config Guides for Pre-Built Detection Rules to Setup Field - Windows, MacOS, BBR and Cross Platform (#3157) 2023-10-30 16:53:04 +05:30
Ruben Groenewoud ad25c922fd [Rule Tuning] Tainted Kernel Module Load (#3234)
* [Rule Tuning] Tainted kernel module load

* Update persistence_tainted_kernel_module_load.toml

* Update rules_building_block/persistence_tainted_kernel_module_load.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-10-30 09:49:20 +01:00
Jonhnathan a5240e4063 [Rule Tuning] Windows DR Tuning - 1 (#3198)
* [Rule Tuning] Windows DR Tuning - 1

* Update collection_winrar_encryption.toml
2023-10-26 17:20:32 -03:00
Jonhnathan 6fcf26b20e [Promote] Potential Masquerading as Communication Apps (#3181)
* [Promote] Potential Masquerading as Communication Apps

* Update defense_evasion_masquerading_communication_apps.toml

* Update defense_evasion_masquerading_communication_apps.toml

* Update rules/windows/defense_evasion_masquerading_communication_apps.toml

* Update defense_evasion_masquerading_communication_apps.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-10-23 14:56:03 -03:00
Ruben Groenewoud 9807bebd8e [New BBR] Unix Socket Communication (#3072)
* [New Rule] Unix Socket Communication

* Update rules_building_block/execution_unix_socket_communication.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules_building_block/execution_unix_socket_communication.toml

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2023-10-23 17:18:48 +02:00
Ruben Groenewoud 024d45bd56 [New BBR] Tainted Kernel Module Load (#3211)
* [New Rule] Tainted Kernel Module Load

* added setup note

* Fixed tag

* added type change

* timestamp override

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
2023-10-23 17:06:16 +02:00
Jonhnathan 18ff85ce84 [Promote] Expired or Revoked Driver Loaded (#3185)
* [Promote] Expired or Revoked Driver Loaded

* Update privilege_escalation_expired_driver_loaded.toml
2023-10-23 11:44:37 -03:00
Ruben Groenewoud 020fff3aea [Rule Tuning] Linux Rules (#3092)
* [Rule Tuning] [WIP] Linux DR

* Update defense_evasion_binary_copied_to_suspicious_directory.toml

* Fixed tag

* Added additional tuning

* unit test fix

* Additional tuning

* tuning

* added max signals

* Added max_signals=1 to brute force rules

* Cross-Platform Tuning

* Small fix

* new_terms conversion

* typo

* new_terms conversion

* Ransomware rule tuning

* performance tuning

* new_terms conversion for auditd_manager

* tune

* Need coffee

* kql/eql stuff

* formatting improvement

* new_terms sudo hijacking conversion

* exclusion

* Deprecations that were added last tuning

* Deprecations that were added last tuning

* Increased max timespan for brute force rules

* version bump

* added domain tag

* Two tunings

* More tuning

* Additional tuning

* updated_date bump

* query optimization

* Tuning

* Readded the exclusions for this one

* Changed int comparison

* Some tunings

* Update persistence_systemd_scheduled_timer_created.toml

* Update rules/linux/privilege_escalation_ld_preload_shared_object_modif.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* [New Rule] Potential curl CVE-2023-38545 Exploitation

* Revert "[New Rule] Potential curl CVE-2023-38545 Exploitation"

This reverts commit 9c04d1b53d3d63678289f43ec0c7b617d26f1ce0.

* Update rules/cross-platform/command_and_control_non_standard_ssh_port.toml

* Update rules/linux/command_and_control_cat_network_activity.toml

* Update persistence_message_of_the_day_execution.toml

* Changed max_signals

* Revert "Merge branch 'main' into rule-tuning-ongoing-dr"

This reverts commit 1106b5d2eba1a3529eff325226d6baabfd4b0bf3, reversing
changes made to 5ff510757f25b0cb32e1ef18e9e2c34c8ec325a8.

* Revertable merge

* Update defense_evasion_ld_preload_env_variable_process_injection.toml

* File name change

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-10-23 16:28:58 +02:00
Jonhnathan 74222f86eb [New Rules] [BBR] Windows Deprecated ERs Conversion - 3 (#3143)
* [New Rules] [BBR] Windows Deprecated ERs Conversion - 3

* Update defense_evasion_invalid_codesign_imageload.toml

* Update defense_evasion_invalid_codesign_imageload.toml

* Update rules_building_block/initial_access_execution_remote_via_msiexec.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/initial_access_xsl_script_execution_via_com.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules_building_block/initial_access_execution_remote_via_msiexec.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
2023-10-17 14:16:28 -03:00
Jonhnathan 3ea3e5a9fd [New Rules] [BBR] Windows Deprecated ERs Conversion - 2 (#3138)
* [New Rules] [BBR] Windows Deprecated ERs Conversion - 2

* Update defense_evasion_unsigned_bits_client.toml

* Update rules_building_block/defense_evasion_suspicious_msiexec_execution.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* .

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-10-17 13:49:49 -03:00
Jonhnathan 32002fd89b [New Rules] [BBR] Windows Deprecated ERs Conversion - 1 (#3131)
* [New Rules] [BBR] Windows Deprecated ERs Conversion - 1

* .

* .

* Update defense_evasion_dotnet_clickonce_dfsvc_netcon.toml

* .
2023-10-17 11:36:53 -03:00
Jonhnathan a33a124eab [New Rule] [BBR] Memory Dump File Rules (#3122)
* [New Rule] Memory Dump File Rules

* .

* .

* .
2023-10-17 09:35:38 -03:00
Jonhnathan 8035516e8e [Rule Tuning] Potential Masquerading as Browser Process (#3180)
* [Rule Tuning] Potential Masquerading as Browser Process

* Update defense_evasion_masquerading_browsers.toml

* Update defense_evasion_masquerading_browsers.toml
2023-10-17 08:53:37 -03:00
Jonhnathan e4e68c2dd8 [Rule Tuning] Potential Masquerading as System32 DLL (#3184)
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-10-17 08:29:08 -03:00
Jonhnathan f584fb6e31 [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules (#3165)
* [Security Content] Adjust Mitre Att&ck Mappings - Windows Rules

* Fix dates

* Fix unit test errors

* updated tags and fixed branch conflicts

updated tags and fixed branch conflicts

* description nit

* Reverting unintended changes

* Update initial_access_suspicious_ms_office_child_process.toml

---------

Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com>
2023-10-15 18:12:20 -03:00
Jonhnathan 3f2a709370 [Rule Tuning] PowerShell Rules Tuning (#3169) 2023-10-11 17:57:32 -03:00
Justin Ibarra 7f8a9849c4 [New Rule] File Compressed or Archived into Common Format (#3173)
* [New Rule] File Compressed or Archived into Common Format
* new build-threat-map-entry-command

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-10-11 11:34:34 -07:00
Ruben Groenewoud c2822e175c [Tuning] Windows Execution Rule Tuning for UEBA (#3107)
* Update defense_evasion_execution_msbuild_started_by_script.toml

* Mostly updated Execution tags, also new_terms conv

* removed index

* Removed index

* WMIPrvSE tuning

* Additional tuning

* Tuning & changes

* Additional tuning

* Applied unit test optimization

* Addressed feedback

* Update rules/windows/execution_command_shell_started_by_svchost.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* caseless unit testing fix

* fixed caseless executable unit test

* unit testing fix

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update execution_ms_office_written_file.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml

* Added user ids to new terms

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/execution_unsigned_service_executable.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update execution_unsigned_service_executable.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-10-11 10:15:29 +02:00
Ruben Groenewoud 4cdf52129a [Tuning] Windows Discovery Rule Tuning for UEBA (#3097)
* [Tuning] Win DR Tuning for UEBA

* Need to get used to Windows formatting

* Added additional content

* Updated min stack

* Added additional tuning

* Fixed unit testing for KQL optimization

* Update rules_building_block/discovery_internet_capabilities.toml

* Additional tuning

* Kuery optimization

* Additional tuning

* Additional tuning

* Additional tuning

* Additional tuning

* Unit testing optimization fix

* optimization

* tuning

* Optimization

* Update rules/windows/discovery_privileged_localgroup_membership.toml

* Added feedback

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* added host.id as additional new_terms field

* Reworked a lot.

* kibana.alert.rule.rule_id to non-ecs-schema.json

* Fixed index by adding a dot

* fixed typo

* Added host.os.type:windows for signals

* Added additional tag

* Added Higher-Order Rule tag

* Stripped down signal rules down to two

* revert

* Update rules/windows/discovery_admin_recon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_generic_registry_query.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update discovery_generic_registry_query.toml

* Readded exclusions

* Added trailing wildcards for KQL

* Update discovery_privileged_localgroup_membership.toml

* Update rules_building_block/discovery_signal_unusual_user_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Formatting fix

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-10-11 09:43:26 +02:00
Ruben Groenewoud 8f122197bb [New BBR] Sus. Process Started via tmux or screen (#3071)
* [New BBR] Sus. Process Started via tmux or screen

* [New BBR] Unix Socket Connection

* Revert "[New BBR] Unix Socket Connection"

This reverts commit 92a0b09e8c505bceb1025124658bb4233d5d19d9.

* Update rules_building_block/defense_evasion_sus_utility_executed_via_tmux_or_screen.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-09-30 12:57:18 +02:00
Jonhnathan f77bec8552 [New Rule] [BBR] File with Suspicious Extension Downloaded (#3139)
* [New Rule] [BBR] File with Suspicious Extension Downloaded

* Update defense_evasion_download_susp_extension.toml
2023-09-27 12:37:11 -03:00
Jonhnathan ddb1f75352 [New Rule] New BBR Rules - Part 2 (#3029)
* [New Rule] New BBR Rules - Part 2

* Update discovery_generic_account_groups.toml

* Update discovery_generic_account_groups.toml

* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/execution_downloaded_shortcut_files.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/defense_evasion_unusual_process_extension.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update defense_evasion_unusual_process_extension.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-09-12 21:49:22 -03:00
Jonhnathan af99186992 [New Rule] New BBR Rules - Part 3 (#3034)
* [New Rule] New BBR Rules - Part 3

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
2023-09-12 21:28:01 -03:00
Jonhnathan 3614f42b00 [New Rule] New BBR Rules - Part 5 (#3052)
* [New Rule] New BBR Rules - Part 5

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Tag work

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-09-05 18:36:34 -03:00
Jonhnathan 8049c96281 [New Rule] New BBR Rules - Part 1 (#3026)
* [New Rule] New BBR Rules - Part 1

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/lateral_movement_at.toml

* Update rules_building_block/collection_outlook_email_archive.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-09-05 18:07:47 -03:00
Jonhnathan 26c97dc241 [New Rule] Potential Masquerading as Business App Installer (#3068) 2023-09-05 17:58:34 -03:00
Jonhnathan 4233fef238 [Security Content] Include "Data Source: Elastic Defend" tag (#3002)
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
2023-09-05 14:22:01 -04:00
Jonhnathan fdd45148b8 [New Rule][BBR] WRITEDAC Access on Active Directory Object (#3015)
* [New Rule] WRITEDAC Access on Active Directory Object

* Update defense_evasion_write_dac_access.toml

* Fix Setup Instructions

* Update defense_evasion_write_dac_access.toml

* Update rules_building_block/defense_evasion_write_dac_access.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
2023-08-31 12:59:02 -03:00
Ruben Groenewoud f7d8d4752a [New Rules] GDB Secret Dumping (#3060)
* [New Rules] GDB Secret Dumping

* Added references to BBR

* Update rules/linux/credential_access_gdb_init_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

* Update rules_building_block/credential_access_gdb_memory_dump.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2023-08-31 17:41:22 +02:00
Ruben Groenewoud 04d1c3cd5b [New BBR] Suspicious which Enumeration (#3059) 2023-08-31 13:55:56 +02:00
Jonhnathan c89b722a34 [New Rule] Suspicious Communication App Child Process (#2998)
* [New Rule] Suspicious Communication App Child Process

* Update defense_evasion_communication_apps_suspicious_child_process.toml

* Update rules_building_block/defense_evasion_communication_apps_suspicious_child_process.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-08-31 07:33:16 -03:00
Jonhnathan a7a22a0917 [New Rule] Potential Masquerading as VLC DLL (#3006)
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-08-30 17:45:45 -03:00
Ruben Groenewoud 32abdb95f7 [New Rules] Linux Tunneling and Port Forwarding (#3028)
* Removed iodine rule due to new tunneling rule

* [New Rules] Linux Tunneling and Port Forwarding

* added ash

* Fixed description styling

* Changed rule name

* Update command_and_control_linux_suspicious_proxychains_activity.toml

* Added deprecation note & name change

* Changed deprecation status

* Removed deprecation date

* Fixed unit testing

* Update rules_building_block/command_and_control_linux_ssh_x11_forwarding.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
2023-08-30 22:12:19 +02:00
Jonhnathan 7004c99ef5 [New Rule] Unusual Process For MSSQL Service Accounts (#3040)
* [New Rule] Unusual Process For MSSQL Service Accounts

* Update initial_access_unusual_process_sql_accounts.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update collection_archive_data_zip_imageload.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update rules_building_block/initial_access_unusual_process_sql_accounts.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

added "vpnbridge.exe", "certutil.exe" and "bitsadmin.exe" to rule scope.

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
2023-08-29 09:10:25 -03:00