security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
852 Commits 1 Branch 0 Tags
2ecbc87fed3437458608505575c218fbb58cd7e8
Commit Graph

852 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Apoorva Joshi 2ecbc87fed Adding Beaconing docs (#1621) 
* Adding beaconing docs

* Adding a call out about import options

* Adding a note about the AD job

* Adding more clarity on the release bundle

* Update beaconing.md

* Update docs/experimental-machine-learning/beaconing.md

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 237dcd2e19)
 2021-12-01 16:46:48 +00:00
Samirbous d1fe62d903 [New Rule] Suspicious Process Creation CallTrace (#1588) 
* [New Rule] Suspicious Process Creation CallTrace

* Update non-ecs-schema.json

* added min stack vers

* min_stack_vers not needed

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit d43e3d8e4e)
 2021-11-30 20:37:41 +00:00
Apoorva Joshi d1e73cb0c3 Updating host risk score and experimental detections docs (#1639) 
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit d061bf8e7c)
 2021-11-30 19:26:54 +00:00
Khristinin Nikita d098c58d27 [Rule Tuning] Support ECS 1.11 field for IM rule (#1560) 
* Support ecs field for IM rule

* update time interval

* Change additional lookback to 5 minutes

* Add old rule

* Add newline

* Update rules/cross-platform/threat_intel_module_match.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Remove im legacy rule

* Udpdate name and description

* Remove min_stack_comment

* Keep 2 IM rule

* add min_stack_comments to rule

* Update rules/cross-platform/threat_intel_indicator_match.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* adds new rules

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ece Özalp <ozale272@newschool.edu>
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>

(cherry picked from commit c619844b0d)
 2021-11-30 18:27:52 +00:00
Austin Songer 423145dae7 [New Rule] Azure Kubernetes Rolebindings Created (#1576) 
* Create azure_kubernetes_rolebinding_created_or_deleted.toml

* Update

* Update privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified.toml to privilege_escalation_azure_kubernetes_rolebinding_created.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_created.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 521f0987ae)
 2021-11-29 12:18:02 +00:00
Austin Songer c49501c4cc [New Rule] Clearing Windows Console History (#1623) 
* Create defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update rules/windows/defense_evasion_clearing_windows_console_history.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_clearing_windows_console_history.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update rules/windows/defense_evasion_clearing_windows_console_history.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* bump severity

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 13fc69b70a)
 2021-11-25 16:27:24 +00:00
Austin Songer 5572d8669e [New Rule] Windows Firewall Disabled (#1565) 
* Create defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Rename defense_evasion_windows_firewall_disabled.toml to defense_evasion_windows_firewall_profile_disabled.toml

* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_powershell_windows_firewall_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 2ac19440c2)
 2021-11-24 21:36:02 +00:00
LaZyDK 7f59fbb235 [Rule Tuning] Component Object Model Hijacking (#1491) 
* Update persistence_suspicious_com_hijack_registry.toml

Add HKEY_USERS\*Classes\CLSID\*\LocalServer32\ to exclusions.

* Update updated_date

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit dd3e924e4a)
 2021-11-24 11:59:49 +00:00
Samirbous 3e5ed57546 [New Rule] Potential Credential Access via Renamed COM+ Services DLL (#1569) 
* [New Rule] Potential Credential Access via Renamed COM+ Services DLL

* update dates

* adding config note

* relinted

* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* update minstack version

* minstack not needed, rule should work on previous versions

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit d1636258e4)
 2021-11-18 09:30:02 +00:00
Samirbous 97bb3d5bc4 [New Rule] Account Password Reset Remotely (#1571) 
* [New Rule] Account Password Reset Remotely

* Update non-ecs-schema.json

* udpate ruleId

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 53a17e6b06)
 2021-11-18 09:28:05 +00:00
Austin Songer ffcca8239e [New Rule] Azure Active Directory High Risk User AtRisk or Confirmed (#1579) 
* Create initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 3dd32608a0)
 2021-11-17 22:40:16 +00:00
Jonhnathan 3f3328a630 [New Rule] PowerShell Keylogging Script (#1561) 
* Create collection_posh_keylogger.toml

* Apply suggestions from Samir

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Fix missing OR

* Change dup guid

* Apply suggestions from Justin

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 4b6794df32)
 2021-11-17 22:39:05 +00:00
Austin Songer c6068391a1 [Rule Tuning] Suspicious CertUtil Commands (#1564) 
(cherry picked from commit ab521f7c4f)
 2021-11-17 20:43:07 +00:00
Jonhnathan 0e20e08eef [New Rule] Potential Process Injection via PowerShell (#1552) 
* Create defense_evasion_posh_process_injection.toml

* Update defense_evasion_posh_process_injection.toml

* Update description

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions from Justin

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 9c54e21820)
 2021-11-17 10:35:29 +00:00
Samirbous 33f13e25be [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot (#1550) 
* [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot

* Update credential_access_suspicious_lsass_access_via_snapshot.toml

* lint

* Update etc/non-ecs-schema.json

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* moved FP txt to Note.

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update etc/non-ecs-schema.json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* fix json

* Update credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit e99478db00)
 2021-11-17 07:47:39 +00:00
Samirbous 2e067562f1 [New Rule] Potential Credential Access via LSASS Memory Dump (#1533) 
* [New Rule] Potential Credential Access via LSASS Memory Dump

* Update credential_access_suspicious_lsass_access_memdump.toml

* fix typo in calltrace and event.code type

* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update credential_access_suspicious_lsass_access_memdump.toml

* added TargetImage to non ecs schema

* Update non-ecs-schema.json

* format

* Update credential_access_suspicious_lsass_access_memdump.toml

* Update credential_access_suspicious_lsass_access_memdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit c18c08a976)
 2021-11-17 07:38:39 +00:00
github-actions[bot] a06dc65acd Lock versions for releases: 7.13,7.14,7.15,7.16 (#1619) 
* Locked versions for releases: 7.13,7.14,7.15,7.16

(cherry picked from commit f0f3b83eab)
 2021-11-16 09:33:36 +00:00
Justin Ibarra a50bd1ae15 [bug] Current stack version in deprecation lock missing parens (#1618) 
The function was not being properly called, leading to `null` values

(cherry picked from commit bd9e33e761)
 2021-11-16 09:20:32 +00:00
Justin Ibarra e9736b21c9 Fix kibana-pr command (#1616) 
(cherry picked from commit 76503e8bcd)
 2021-11-16 08:56:57 +00:00
Justin Ibarra f306ff195a Update registry release from beta to ga 2021-11-15 21:48:07 -09:00
Jonhnathan 271d460d7f [New Rule] PowerShell Suspicious Script with Audio Capture Capabilities (#1582) 
(cherry picked from commit 858d1cf12c)
 2021-11-16 06:21:37 +00:00
Justin Ibarra 4a0f780d0b Bump min_stack_version in version.lock for specific rules (#1614) 
(cherry picked from commit d78f6354df)
 2021-11-15 23:40:19 +00:00
Justin Ibarra 1e2ede92a1 Test to trigger workflows (#1612) 
(cherry picked from commit 59ba8e1540)
 2021-11-15 19:04:37 +00:00
Justin Ibarra d0ec0f0297 Prepare for creation of 7.16 release branch (#1611) 
Removed changes from:
- etc/packages.yml

(selectively cherry picked from commit 95d7e9b6f5)
 2021-11-15 18:41:47 +00:00
Justin Ibarra 0efae3a52e Move version lock code to object for portability (#1553) 
* Move version lock code to object for portability
* use cached_property to bypass frozen dataclass and set property
* replace load_versions function
 2021-11-15 08:46:12 -09:00
Samirbous 81a62f5f68 [New Rule] Suspicious Process Access via Direct System Call (#1536) 
* [New Rule] Suspicious Process Access via Direct System Call

* updated query to catch also CallTrace with non ntdll modules

* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update defense_evasion_suspicious_process_access_direct_syscall.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-11-15 10:18:26 +01:00
Justin Ibarra 5e6a58ebab Add index as a required field to rule_prompt (#1595) 2021-11-14 17:05:42 -09:00
Jonhnathan 017d9a51b7 [Rule Tuning] Rename extrac.exe to extrac32.exe (#1601) 2021-11-14 17:01:13 -09:00
Adrian Serrano aa219710a1 Fix Windows path causing emoji to be rendered in Kibana (#1585) 
In impact_hosts_file_modified rule, the `note` field contains a Windows
path that causes a confused-face-emoji to be rendered in the
Investigation Guide tab.

Surrounding the path in backticks fixes it.
 2021-11-03 11:01:25 -05:00
Ece Özalp e29a1ca25c Create host-risk-score.md (#1599) 
update the script name to match shipped artifact
 2021-11-03 11:05:59 +03:00
Khristinin Nikita f47b0f61cc Change interval and lookback time for IM rule (#1596) 2021-11-01 09:27:38 +01:00
Justin Ibarra ff16832003 [Rule Tuning] Hosts File Modified - add process check for linux (#1593) 
* [Rule Tuning] Hosts File Modified - add process check for linux

* add echo and sed to process names in query
 2021-10-28 22:56:34 -05:00
Ross Wolf d03e7972a6 Update the marshmallow dependencies in requirements.txt (#1475) 
* Update the marshmallow dependencies in requirements.txt

* Fix typo

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-28 22:50:49 -05:00
Justin Ibarra c8cf88cd62 Refresh ECS (1.12.1) and beats (7.15.1) schemas (#1584) 
* Refresh ECS (1.12.1) and beats (7.15.1) schemas

* update ecs to 1.10 for 7.14 stack validation

* add note with reference url
 2021-10-28 11:24:28 -05:00
Justin Ibarra d12c04761f Add support for eql-wildcard and kql-match_only_text (#1583) 
* Add support for eql-wildcard and kql-match_only_text
* bump kql version
* lookup elasticsearch type family prior to getting type hint
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-10-28 08:57:43 -05:00
Apoorva Joshi 0b57778be6 Updating docs to highlight explainability (#1542) 
* Updating docs to highlight explainability

* Update typosquatting_rule.md

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-26 13:34:19 -07:00
Justin Ibarra ab17dfcc28 [Bug] Tighten definitions validation patterns (#1396) 
* [Bug] Anchor validation patterns
* Deprecate rule with invalid rule_id and duplicate as new one

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-10-26 10:26:20 -05:00
Austin Songer ef7548f04c [Rule Tuning] Added Powershell_ise.exe to some rules. (#1566) 
* Update collection_email_powershell_exchange_mailbox.toml

* Update command_and_control_remote_file_copy_powershell.toml

* Update defense_evasion_disabling_windows_defender_powershell.toml

* Update execution_scheduled_task_powershell_source.toml

* Update execution_via_compiled_html_file.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update persistence_powershell_exch_mailbox_activesync_add_device.toml

* Update persistence_webshell_detection.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_suspicious_zoom_child_process.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update persistence_local_scheduled_task_scripting.toml

* Update persistence_local_scheduled_task_creation.toml

* Update persistence_system_shells_via_services.toml

* Update collection_email_powershell_exchange_mailbox.toml

* Update command_and_control_remote_file_copy_powershell.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update defense_evasion_disabling_windows_defender_powershell.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_suspicious_zoom_child_process.toml

* Update execution_scheduled_task_powershell_source.toml

* Update execution_via_compiled_html_file.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update persistence_local_scheduled_task_creation.toml

* Update persistence_local_scheduled_task_scripting.toml

* Update persistence_powershell_exch_mailbox_activesync_add_device.toml

* Update persistence_system_shells_via_services.toml

* Update persistence_webshell_detection.toml

* Update rules/windows/persistence_local_scheduled_task_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-26 12:16:31 -03:00
Jonhnathan 239384497f [New Rule] PowerShell MiniDump Script (#1528) 
* PowerShell MiniDump Script Initial Rule

* Update credential_access_posh_minidump.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_posh_minidump.toml

* Update rules/windows/credential_access_posh_minidump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-26 12:09:16 -03:00
Jonhnathan 4524c175c8 Add missing Integration field (#1537) 
* Add missing Integration field

* Bump updated_date

* Add test for integration<->path

* Fix rule folder

* bump updated date in rule

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2021-10-26 12:05:12 -03:00
Austin Songer 89553d84a9 [New Rule] AWS Route Table Created (#1257) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_route_table_created.toml

* Update persistence_route_table_created.toml

* Update rules/persistence_route_table_created.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update persistence_route_table_created.toml

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_table_created.toml

* Update

* Update

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-26 10:25:53 -03:00
Justin Ibarra 5a69ceb0c5 Add test for improper rule demotion (released production -> development) (#1555) 2021-10-19 21:47:36 -08:00
Justin Ibarra 5bdf70e72c Add min_stack_comments to metadata schema (#1573) 
* Add min_stack_comments to metadata schema
 2021-10-19 20:52:53 -08:00
Jonhnathan f50fb1d61b [New Rule] Suspicious Portable Executable Encoded in Powershell Script (#1562) 
* Create execution_posh_portable_executable.toml

* Add wildcard

* Remove the wildcard

* Update rules/windows/execution_posh_portable_executable.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-18 17:50:16 -03:00
Austin Songer 3ab67d1562 [New Rule] AWS EventBridge Rule Disabled or Deleted (#1572) 
* Create aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/aws/aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update aws_eventbridge_rule_disabled_or_deleted.toml

* Rename aws_eventbridge_rule_disabled_or_deleted.toml to impact_aws_eventbridge_rule_disabled_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-18 15:36:21 -03:00
Austin Songer cf2b3ee753 [New Rule] DNS-over-HTTPS Enabled by Registry (#1379) 
* Create defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update defense_evasion_dns_over_https_enabled.toml

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update defense_evasion_dns_over_https_enabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2021-10-15 23:25:12 -03:00
Austin Songer 2c39bb962f [New Rule] AWS EFS File System or Mount Deleted (#1462) 
* AWS EFS File System or Mount Deleted

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update rules/integrations/aws/impact_efs_filesystem_or_mount_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update impact_efs_filesystem_or_mount_deleted.toml

* Update impact_efs_filesystem_or_mount_deleted.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 23:23:07 -03:00
Austin Songer 702524b1f7 [New Rule] AWS Suspicious SAML Activity (#1498) 
* Create privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Update privilege_escalation_aws_suspicious_saml_activity.toml

* Add trailing /

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 23:11:15 -03:00
Austin Songer 50501bb40f [New Rule] Azure Full Network Packet Capture Detected (#1420) 
* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Delete defense_evasion_virtual_network_device_modified.toml

* Create exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/exfiltration_azure_full_network_packet_capture_detected.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Update exfiltration_azure_full_network_packet_capture_detected.toml

* Rename exfiltration_azure_full_network_packet_capture_detected.toml to credential_access_azure_full_network_packet_capture_detected.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 23:06:27 -03:00
Austin Songer 790586fb57 [New Rule] Azure Virtual Network Device Modified or Deleted (#1421) 
* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Delete defense_evasion_virtual_network_device_modified.toml

* Create defense_evasion_virtual_network_device_modified.toml

* Update defense_evasion_virtual_network_device_modified.toml

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_virtual_network_device_modified.toml

* Update rules/integrations/azure/defense_evasion_virtual_network_device_modified.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename defense_evasion_virtual_network_device_modified.toml to impact_virtual_network_device_modified.toml

* fix description

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-15 16:11:05 -03:00