security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
806 Commits 1 Branch 0 Tags
2c39bb962fdb6ceaabc20ceaeff2b86259b82d13
Commit Graph

597 Commits

Author SHA1 Message Date
Austin Songer 2c39bb962f [New Rule] AWS EFS File System or Mount Deleted (#1462) 
* AWS EFS File System or Mount Deleted

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update impact_efs_filesystem_or_mount_deleted.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 23:23:07 -03:00
Austin Songer 702524b1f7 [New Rule] AWS Suspicious SAML Activity (#1498) 
* Create privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Add trailing /

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 23:11:15 -03:00
Austin Songer 50501bb40f [New Rule] Azure Full Network Packet Capture Detected (#1420) 
* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Delete defense_evasion_virtual_network_device_modified.toml

* Create exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Rename exfiltration_azure_full_network_packet_capture_detected.toml to credential_access_azure_full_network_packet_capture_detected.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 23:06:27 -03:00
Austin Songer 790586fb57 [New Rule] Azure Virtual Network Device Modified or Deleted (#1421) 
* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Delete defense_evasion_virtual_network_device_modified.toml

* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_virtual_network_device_modified.toml

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename defense_evasion_virtual_network_device_modified.toml to impact_virtual_network_device_modified.toml

* fix description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 16:11:05 -03:00
Austin Songer 761df5fe84 [New Rule] Azure Kubernetes Pods Deleted (#1309) 
* Create impact_kubernetes_pod_deleted.toml

* Update impact_kubernetes_pod_deleted.toml

* Update

* Update impact_kubernetes_pod_deleted.toml

* quote value in query

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 16:07:39 -03:00
Austin Songer dc980effb0 [New Rule] AWS RDS Snapshot Restored (#1312) 
* Create exfiltration_rds_snapshot_restored.toml

* Update exfiltration_rds_snapshot_restored.toml

* Delete exfiltration_rds_snapshot_restored.toml

* Create exfiltration_rds_snapshot_restored.toml

* Update

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update exfiltration_rds_snapshot_restored.toml

* Update exfiltration_rds_snapshot_restored.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 16:05:00 -03:00
Austin Songer 3303a4e255 [New Rule] Microsoft 365 - Mass download by a single user (#1348) 
* Create impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update impact_microsoft_365_mass_download_by_a_single_user.toml

* Update rules/integrations/o365/impact_microsoft_365_mass_download_by_a_single_user.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 16:01:50 -03:00
Austin Songer 90504915ad [New Rule] AWS Route53 hosted zone associated with a VPC (#1365) 
* Create persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

* Update persistence_route_53_hosted_zone_associated_with_a_vpc.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 15:59:33 -03:00
Austin Songer d7eab5bbf3 [New Rule] AWS STS AssumeRole Usage (#1214) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create lateral_movement_sts_assumerole_abuse.toml

* Rename lateral_movement_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update privilege_escalation_sts_assumerole_abuse.toml

* Update and rename privilege_escalation_sts_assumerole_abuse.toml to privilege_escalation_sts_assumerole_usage.toml

* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Add note field

* Update privilege_escalation_sts_assumerole_usage.toml

* Update rules/integrations/aws/privilege_escalation_sts_assumerole_usage.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Adding Reference

* Expand STS

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 15:56:10 -03:00
Austin Songer 27ba204f1c [New Rule] GCP Kubernetes Rolebindings Created or Patched (#1267) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/gcp/credential_access_gcp_kubernetes_rolebindings_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update and rename credential_access_gcp_kubernetes_rolebindings_creation.toml to credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Rename credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml to privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

* remove space from query

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-15 15:42:25 -03:00
Austin Songer 7123d46623 [New Rule] Azure Blob Permissions Modification (#1499) 
* Create defense_evasion_azure_blob_permissions_modified.toml

* Update defense_evasion_azure_blob_permissions_modified.toml

* Update defense_evasion_azure_blob_permissions_modified.toml

* Update description and query (spacing)

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-14 06:59:24 -03:00
Austin Songer 3d15c2072d [New Rule] Azure Kubernetes Events Deleted (#1307) 
* Create defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update

* Update defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Add quotes to azure query field

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-14 06:57:33 -03:00
Jonhnathan b7dcbbae72 [New Rule] PowerShell Suspicious Discovery Related Windows API Functions (#1548) 
* PowerShell Suspicious Discovery Related Windows API Functions Initial Rule

* Update severity

* Lint

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-14 06:54:45 -03:00
Jonhnathan cc241c0b5e [Rule Tuning] Update network.direction (#1547) 
* Update network.direction

* bump updated_date
 2021-10-13 21:46:36 -03:00
Austin Songer 11fa592c6f [New Rule] Microsoft 365 - Impossible travel activity (#1344) 
* Create initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Updated Directory

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-12 19:11:32 -03:00
Austin Songer c8ac37957d [New Rule] Microsoft 365 - User Restricted from Sending Email (#1345) 
* Create initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Fix technique

* update description and FP

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-12 18:32:54 -03:00
Austin Songer fa9da023dd [New Rule] Microsoft 365 - Unusual Volume of File Deletion (#1347) 
* Create impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update rules/microsoft-365/impact_microsoft_365_unusual_volume_of_file_deletion.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Add missing `\`

* Bump to prod and update description

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-12 18:30:49 -03:00
Austin Songer 98c217ece9 [New Rule] Microsoft 365 - Potential ransomware activity (#1346) 
* Create impact_microsoft_365_potential_ransomware_activity.toml

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update impact_microsoft_365_potential_ransomware_activity.toml

* bump to prod

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-12 18:26:17 -03:00
Austin Songer 82e72a956b [New Rule] AWS Route Table Modified or Deleted (#1258) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* Update

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* remove space from query

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-12 15:16:48 -03:00
David French cdbd5a6515 [New Rule] Rules to detect screensaver persistence on macOS (#1531) 
* add macos screensaver persistence rules

* change uuid

* update name

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* add T1546

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-07 08:22:58 -06:00
LaZyDK 43f0d77033 Update defense_evasion_execution_windefend_unusual_path.toml (#1492) 
* Update defense_evasion_execution_windefend_unusual_path.toml

Add Microsoft Security Client to exclusions.

* Update defense_evasion_execution_windefend_unusual_path.toml

Update updated_date

* Updated author

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-05 16:38:01 -03:00
Austin Songer 9508002bb3 [New Rule] AWS ElastiCache Security Group Created (#1363) 
* Create persistence_elasticache_security_group_creation.toml

* Update

* Update rules/integrations/aws/persistence_elasticache_security_group_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename persistence_elasticache_security_group_creation.toml to defense_evasion_elasticache_security_group_creation.toml

* Update defense_evasion_elasticache_security_group_creation.toml

* Update defense_evasion_elasticache_security_group_creation.toml

* Re-add rule.threat

* Update rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* remove extra space from query

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-05 14:00:29 -03:00
Austin Songer 3b0d2006b7 Made these pull requests before the directory restructure. (#1517) 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-05 09:29:40 -03:00
Austin Songer 0a3c44e8db [Rule Tuning] AWS RDS Snapshot Export and AWS RDS Instance Created (#1514) 2021-10-04 13:31:31 -08:00
Andrew Pease d5a8f41864 [Rule Tuning] Volume Shadow Copy Deletion or Resized via VssAdmin (#1524) 
* Updated rule to include resizing

* lint

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-04 16:00:35 -03:00
Jonhnathan f2b58cc0ab [New Rule] Backup Files Deletion (#1516) 
* Add Backup Files Deletion Initial Rule

* Fix creation date

* Add updated_date

* Adjust description and query

* Update Description

* Update rules/windows/impact_backup_file_deletion.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Add false_positives

* Update impact_backup_file_deletion.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-04 15:55:52 -03:00
Austin Songer f41714642c [New Rule] AWS ElastiCache Security Group Modified or Deleted (#1364) 
* Create impact_aws_elasticache_security_group_modified_or_deleted.toml

* Rename impact_aws_elasticache_security_group_modified_or_deleted.toml to impact_elasticache_security_group_modified_or_deleted.toml

* Update impact_elasticache_security_group_modified_or_deleted.toml

* Update

* Update rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_elasticache_security_group_modified_or_deleted.toml

* Update impact_elasticache_security_group_modified_or_deleted.toml

* Rename impact_elasticache_security_group_modified_or_deleted.toml to defense_evasion_elasticache_security_group_modified_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-04 15:38:37 -03:00
Austin Songer 6298f7b00a [New Rule] Volume Shadow Copy Deletion via PowerShell (#1358) 
* Create defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Rename defense_evasion_volume_shadow_copy_deletion_via_powershell.toml to impact_volume_shadow_copy_deletion_via_powershell.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Add trailing /

* Update rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-04 14:58:02 -03:00
Jonhnathan ba9c01be50 Rename new_or_modified_federation_domain.toml to correspond with tactic (#1511) 2021-09-30 13:08:35 -08:00
Jonhnathan 5e4a7e67df [Rule Tuning] Small update on rule descriptions (#1508) 2021-09-30 12:54:15 -08:00
Samirbous 76a0224f60 [New Rule] Virtual Machine Fingerprinting via Grep (#1510) 
* [New Rule] Virtual Machine Fingerprinting via Grep

* format

* Update rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added reference url

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-09-30 20:40:05 +02:00
Samirbous 521e4dc8f1 [New Rule] Potential Lsass Memory Dump via MirrorDump (#1504) 
* [New Rule] Potential Lsass Memory Dump via MirrorDump

* added tactic

* switched to kql

* added sysmon process access non ecs types

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* rule.name as suggested by Justin and converted to EQL to add comments

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-09-30 10:16:36 +02:00
Austin Songer d28c48f20f [New Rule] Azure Frontdoor Web Application Firewall (WAF) Policy Deleted (#1393) 2021-09-29 09:08:09 -08:00
Austin Songer a51ed86851 [New Rule] New or Modified Federation Domain (#1212) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_new-or-modified-federation-domain.toml

* Rename persistence_new-or-modified-federation-domain.toml to persistence_new_or_modified_federation_domain.toml

* Update persistence_new_or_modified_federation_domain.toml

* Update .gitignore

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update persistence_new_or_modified_federation_domain.toml

* Update persistence_new_or_modified_federation_domain.toml

* Update persistence_new_or_modified_federation_domain.toml

* Update

* Update persistence_new_or_modified_federation_domain.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-09-29 09:16:17 -03:00
Austin Songer 5ac7fb639c [New Rule] O365 Exchange Suspicious Mailbox Right Delegation (#1211) 2021-09-27 13:18:33 -08:00
Justin Ibarra 63d6a54804 [Rule Tuning] Add system index to Windows Event Logs Cleared (#1502) 2021-09-24 12:04:56 -05:00
Jonhnathan 61afb1c1c0 [Rule Tuning] Update threat mappings for Windows rules (#1497) 
* Windows Rules Att&ck Mapping review

* Bump updated_date and fix reference URLs

* Fix subtechnique

* Fix test errors
 2021-09-23 12:08:38 -05:00
Austin Songer 93b8038d7d [New Rule] AWS STS GetSessionToken Abuse (#1213) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create lateral_movement_sts_getsessiontoken_abuse.toml

* Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update .gitignore

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update

* Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-09-22 16:28:02 -03:00
Austin Songer 3e2cf4f53e [New Rule] Okta User Attempted Unauthorized Access (#1209) 2021-09-21 22:44:20 -08:00
Justin Ibarra 8e3b1d28c4 [Rule Tuning] Fix typos in rule metadata (#1494) 
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-09-21 16:31:00 -03:00
Jonhnathan f6421d8c53 Additional Att&ck Mappings for credential access Rules (#1495) 
Updates MITRE Technique IDs for Credential Access DRs
 2021-09-21 11:04:16 -05:00
Khristinin Nikita 10a977914b Add default timestamp condition for threat_query (#1486) 2021-09-20 11:19:52 -08:00
dstepanic17 9ff3873ee7 [rule-tuning] Adding more context with triage/investigation (#1481) 
* [rule-tuning] Adding more context with triage/investigation

* Adding mimikatz rule

* Fixed updated date on mimikatz rule

* Adding Defender update

* Adding scheduled task

* Adding AdFind

* Adding rare process

* Adding cloudtrail country

* Adding cloudtrail spike

* Adding threat intel

* Fixed minor spelling/syntax

* Fixed minor spelling/syntax p2

* Update rules/cross-platform/threat_intel_module_match.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/ml/ml_rare_process_by_host_windows.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_mimikatz_powershell_module.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_mimikatz_powershell_module.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Removed MITRE link, added Microsoft

* Update ml_cloudtrail_error_message_spike.toml

* Update ml_cloudtrail_rare_method_by_country.toml

* Update ml_rare_process_by_host_windows.toml

* Update credential_access_mimikatz_powershell_module.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update discovery_adfind_command_activity.toml

* Update lateral_movement_dns_server_overflow.toml

* Update lateral_movement_scheduled_task_target.toml

* Update persistence_evasion_registry_startup_shell_folder_modified.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update lateral_movement_scheduled_task_target.toml

* Update persistence_evasion_registry_startup_shell_folder_modified.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-09-15 20:07:21 -05:00
Justin Ibarra 51a2bc815b [Rule tuning] Fix typo in ML rule descriptions (#1484) 2021-09-14 11:37:01 -05:00
Samirbous 0875c1e4c4 [New Rule] Behavior Rule for CVE-2021-40444 Exploitation (#1479) 
* [New Rule] Behavior Rule for CVE-2021-40444 Exploitation

* added a ref

* replaced \ with /

* removed unecessary wildcard
 2021-09-08 21:26:14 +02:00
dstepanic17 cb27c686e0 Adding control.exe (#1477) 2021-09-08 13:30:46 -05:00
Ross Wolf c9d6527280 Revert #1440 new endpoint promotion rule (#1470) 
* Revert #1440 new endpoint promotion rule
* Set the updated_at date
 2021-09-03 08:07:20 -06:00
Justin Ibarra 655f7d91d0 [Rule tuning] Fix spacing in reference URLs (#1455) 2021-08-31 15:59:06 -08:00
Nic 8b2c8c2e03 [Rule tuning] Azure Active Directory High Risk Sign-in (#1463) 
* Add Aggregated Risk Level
* There can be a risk_level_during_signin:low but have a risk_level_aggregated:high which is also just as concerning and must be alerted on.
* An example is a password spray attack and have a successful login. Which makes me consider a new rule for interesting risk event types
 2021-08-30 14:33:44 -08:00
Ross Wolf 675e870a30 Set min stack to 7.15 for Behavior Protection promotion 2021-08-26 08:53:02 -06:00