Samirbous
30cded7a2d
[New Rule] Lateral Movement via Startup Folder (#663)
* [New Rule] Lateral Movement via Startup Folder
* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* ecs_version
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-02 21:22:43 +01:00
Samirbous
3deff0eeb8
[New Rule] Remote Execution via File Shares (#455)
* [New Rule] Remote Execution via File Shares
* removed timeline_id
* fixed tags
* added extension to reduce response time
* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* ecs_version
* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-02 21:20:13 +01:00
Samirbous
e03f775789
[New Rule] Lateral Executable Transfer Over SMB (#517)
* [New Rule] Lateral Executable Transfer Over SMB
* adjusted maxspan, address and extensions
* changed rule name
* Update rules/windows/lateral_movement_executable_tool_transfer_smb.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
* eql syntax
* ecs_version
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-12-02 21:03:31 +01:00
Samirbous
e6645a8be9
[Rule Tuning] Clearing or Disabling Windows Event Logs (#393)
* [Rule Tuning] Clearing or Disabling Windows Event Logs
* added tags
* Update defense_evasion_clearing_windows_event_logs.toml
* Update rules/windows/defense_evasion_clearing_windows_event_logs.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* updated the rule update date
* linted
* fixing unit test error
* Update rules/windows/defense_evasion_clearing_windows_event_logs.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
* ecs_version
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
2020-12-02 20:35:35 +01:00
Samirbous
db2d17ccb2
[New Rule] Credential Acquisition via Registry Hive Dumping (#607)
* [New Rule] Credential Acquisition via Registry Hive Dumping
* Update rules/windows/credential_access_dump_registry_hives.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Update rules/windows/credential_access_dump_registry_hives.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Update rules/windows/credential_access_dump_registry_hives.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Update rules/windows/credential_access_dump_registry_hives.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* fixed MITRE technique details
* fixed TID
* Update rules/windows/credential_access_dump_registry_hives.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Update credential_access_dump_registry_hives.toml
* as per Justin's suggestion, case insensitivity is not an issue in 7.11
* Update credential_access_dump_registry_hives.toml
* new MITRE mapping errors
* Update rules/windows/credential_access_dump_registry_hives.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update credential_access_dump_registry_hives.toml
* added :
* changed process.args:(a, b) to process.args: a or process.args:b
while testing on 7.10, process.args : (a , b) generates an error
* adjusted query as per JLB and RW suggestion
* eql syntax
* Update rules/windows/credential_access_dump_registry_hives.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* ecs_version
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-02 20:31:22 +01:00
Justin Ibarra
97ee8cc9ac
Refresh beats and ecs schemas and default to use latest to validate (#570)
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
2020-12-01 13:24:20 -09:00
Samirbous
dc9c63d043
[New Rule] Unusual Svchost ChildProc - ChildLess Services (#370)
* [New Rule] Unusual Svchost ChildProc - ChildLess Services
* changed tags
* changed rule filename
* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-01 20:30:03 +01:00
Samirbous
0fe12d2528
[New Rule] Suspicious Explorer Child Process (#430)
* [New Rule] Suspicious Explorer Child Process
* Update execution_via_explorer_suspicious_child_parent_args.toml
* removed timeline_id
* fixed typo
* adjusted args for better performance
* Update rules/windows/execution_via_explorer_suspicious_child_parent_args.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/execution_via_explorer_suspicious_child_parent_args.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* relinted
* relinted
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-01 00:00:40 +01:00
Ross Wolf
710f4bda10
Add file.extension to SxS .local rule
2020-11-30 15:26:28 -07:00
Samirbous
2465a70dac
[New Rule] Execution via local SxS Shared Module (#424)
* [New Rule] Execution via local SxS Shared Module
* Update execution_shared_modules_local_sxs_dll.toml
* Update execution_shared_modules_local_sxs_dll.toml
* added tags
* added drive letter for less performance impact
* Update rules/windows/execution_shared_modules_local_sxs_dll.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/execution_shared_modules_local_sxs_dll.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/execution_shared_modules_local_sxs_dll.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-11-30 23:24:44 +01:00
Samirbous
7138b01001
[New Rule] Potential Command and Control via IEXPLORE (#645)
* [New Rule] Potential Command and Control via IEXPLORE
* Update command_and_control_iexplore_via_com.toml
* Update command_and_control_iexplore_via_com.toml
* Update rules/windows/command_and_control_iexplore_via_com.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Update rules/windows/command_and_control_iexplore_via_com.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/command_and_control_iexplore_via_com.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/command_and_control_iexplore_via_com.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* relinted
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-30 21:13:30 +01:00
Samirbous
14ef24e9dd
[New Rule] Command shell activity started via rundll32 (#391)
* [New Rule] Command shell activity started via rundll32
* added tag
* adjusted parent args for performance
avoid leading wildcard
* filtered a common FP
* Update execution_command_shell_via_rundll32.toml
* Update rules/windows/execution_command_shell_via_rundll32.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/execution_command_shell_via_rundll32.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/execution_command_shell_via_rundll32.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/execution_command_shell_via_rundll32.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/execution_command_shell_via_rundll32.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-11-30 21:02:57 +01:00
Samirbous
52183d78a2
[New Rule] Persistence via Microsoft Outlook VBA (#611)
* [New Rule] Persistence via Microsoft Outlook VBA
* added FPs note and deleted excluded outlook.exe
* Update rules/windows/persistence_ms_outlook_vba_template.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-30 20:57:36 +01:00
Samirbous
ba0cc7a055
[New Rule] UAC Bypass via Elevated COM Interface - IEditionUpgradeManager (#422)
* [New Rule] UAC Bypass via Elevated COM Interface - ClipUp
* linted
* Update privilege_escalation_uac_bypass_com_clipup.toml
* added tags
* changed rule name
* adjusted rule for more performance
* Update rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-30 20:26:07 +01:00
Justin Ibarra
d0ba03230a
[Rule Tuning] Unusual File Modification by dns.exe (#472)
2020-11-30 08:22:27 -09:00
dstepanic17
625b0ec771
[New-Rule] Suspicious WMI Image Load from MS Office (#551)
* image-load-wmi-ms-office
* Update rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Resolved linting after suggestion
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-20 08:34:02 -06:00
dstepanic17
517ee0dc03
image-load-sched-task-ms-office (#566)
2020-11-20 07:28:16 -06:00
Samirbous
1ebdcc8248
[New Rule] Suspicious RDP ActiveX Client Loaded (#588)
* [New Rule] Suspicious RDP ActiveX Client Loaded
* added exec from mounted device and UNC
* removed unnecessary exclusion
* Update rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
2020-11-20 10:43:12 +01:00
Samirbous
9d2a74ea1b
[New Rule] Connection to Commonly Abused Web Services (#476)
* [New Rule] Connection to Commonly Abused Web Services
* Update command_and_control_common_webservices.toml
* Update rules/windows/command_and_control_common_webservices.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* added notabug.org as suggested by Daniel
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-11-18 23:38:09 +01:00
Samirbous
161ea402fe
[New Rule] Kerberos Traffic from Unusual Process (#448)
* [New Rule] Kerberos Traffic from Unusual Process
* removed timeline_id
* adjusted args for better perf
* added potential rare FPs
* Update rules/windows/credential_access_kerberoasting_unusual_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_kerberoasting_unusual_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_kerberoasting_unusual_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_kerberoasting_unusual_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-18 22:07:49 +01:00
Samirbous
3e7be55a24
[New Rule] UAC Bypass via Windows Firewall Snap-in Hijack (#376)
* [New Rule] Bypass UAC via Windows Firewall Snap-in Hijack
* Delete workspace.xml
* Update privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
* Update privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-18 20:36:59 +01:00
Samirbous
75ed0f8f92
[New Rule] UAC Bypass via ICMLuaUtil Elevated COM interface (#383)
* [New Rule] Bypass UAC via ICMLuaUtil Elevated COM interface
* added tags
* Update privilege_escalation_uac_bypass_com_interface_icmluautil.toml
* adjusted args to avoid leading wildcard
* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* replaced wildcard with In
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-11-18 20:34:10 +01:00
Samirbous
14270a5614
[New Rule] Persistence via MS Office Addins (#381)
* [New Rule] Persistence via MS Office Addins
* Update persistence_ms_office_addins_file.toml
* Update persistence_ms_office_addins_file.toml
* Update persistence_ms_office_addins_file.toml
* Update persistence_ms_office_addins_file.toml
* fixed extension and relaxed file.path
* updated references
* changed leading wildcard for perf
* Update rules/windows/persistence_ms_office_addins_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/persistence_ms_office_addins_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-18 20:27:01 +01:00
Samirbous
4547ee3750
[New Rule] Suspicious Execution - Short Program Name (#536)
* [New Rule] Suspicious Execution - Short Program Name
* Update rules/windows/execution_suspicious_short_program_name.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:27:37 +01:00
Samirbous
4741f70fad
[New Rule] Potential Remote Desktop Tunneling Detected (#374)
* [New Rule] Remote Desktop Tunneling using SSH Plink Utility
* Update lateral_movement_rdp_tunnel_plink.toml
* Update lateral_movement_rdp_tunnel_plink.toml
* changed tags
* expanded condition to more than plink
There are other SSH utilities that can be used like Plink, thus removed the process original filename condition and added mandatory switches such as -L, -P and -R.
* Update lateral_movement_rdp_tunnel_plink.toml
* more args options
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:25:48 +01:00
Samirbous
14e36c2693
[New Rule] Security Software Discovery using WMIC (#387)
* [New Rule] Security Software Discovery using WMIC
* added tags
* adjusted args for performance
avoiding leading wildcard in process args
* Update discovery_security_software_wmic.toml
* Update discovery_security_software_wmic.toml
* Update discovery_security_software_wmic.toml
* Update rules/windows/discovery_security_software_wmic.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/discovery_security_software_wmic.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:23:28 +01:00
Samirbous
ba4b8bc3e3
[New Rule] UAC Bypass via Elevated COM IEinstall (#450)
* [New Rule] Bypass UAC via Elevated COM Internet Explorer Add-on Installer
* Linted
* Update privilege_escalation_uac_bypass_com_ieinstal.toml
* adjusted executable path for better performance
* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:21:15 +01:00
Samirbous
3af915ff49
[New Rule] Suspicious Cmd Execution via WMI (#389)
* [New Rule] Suspicious Cmd Execution via WMI
* Update lateral_movement_suspicious_cmd_wmi.toml
* Update lateral_movement_suspicious_cmd_wmi.toml
* expanded process args for more coverage
* Update rules/windows/lateral_movement_suspicious_cmd_wmi.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-17 21:19:30 +01:00
Justin Ibarra
f87f2a46f4
[Rule Tuning] Remove all rule timelines (#466)
2020-11-03 09:51:53 -09:00
Justin Ibarra
da64bacac1
[Rule Tuning] Add timeline_title to rules with timeline IDs defined (#452)
2020-11-02 14:12:20 -09:00
Brent Murphy
9838d3d2f7
[Rule Tuning] Remove duplicate rules after EQL conversion (#436)
* [Rule Tuning] Remove duplicate rules after EQL conversion
* Update defense_evasion_rundll32_sequence.toml
* swap msxsl rules
2020-10-30 15:49:28 -04:00
Justin Ibarra
a575cf9ff3
[Rule Tuning] Use cidrMatch for eql rules checking multiple IPs (#431)
2020-10-29 11:06:24 -08:00
Justin Ibarra
0d3c35886c
Remove connection type from endpoint network rules (#426)
2020-10-28 12:35:34 -08:00
Derek Ditch
580db2c13e
Add timeline_id to detection rules (#95)
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
- Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
2020-10-27 13:34:16 -05:00
seth-goodwin
2065af89b1
[Rule Tuning] Tag Categorization Updates (#380)
* Add new categorization tags
* Change updated_date to 2020/10/26
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
2020-10-26 13:50:45 -05:00
Brent Murphy
2e422f7159
[Rule Tuning] Minor Rule Tweaks for 7.10 (#400)
* Tweak Rules for 7.10
* Add endpoint index for packetbeat rules
* update unit test to account for Network tag as well
* update modified date, add endpoint tag
* use Host instead of Endpoint
* Update packaging.py
* add v back to changelog url
* Add "tag" comment to get_markdown_rule_info
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-10-22 09:07:04 -04:00
Justin Ibarra
0a992d716a
[Rule Tuning] Update EQL rules for 7.10 (#399)
* update syntax to reflect eql changes
* use more case-insensitivity
* comment out missing fields for winlogbeat compatibility
2020-10-21 12:35:18 -08:00
Justin Ibarra
fd2d36573d
Update logic in rules using fields: process.code_signature.* or process.pe.original_file_name (#364)
2020-10-20 15:22:02 -08:00
Justin Ibarra
d3226c72c9
Add test for tactic in rule filename (#398)
2020-10-20 14:48:33 -08:00
Kevin Logan
f34c96f4dc
[Rule Tuning][SECURITY_SOLUTION] rename Endpoint security (#355)
2020-10-05 09:55:15 -08:00
Justin Ibarra
bf202b6b6c
[New Rule] Initial converted EQL rules (#304)
* 18 converted eql rules (not all prod)
2020-09-30 21:40:55 -08:00
Justin Ibarra
2460333595
[Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351)
2020-09-30 16:16:04 -08:00
Samirbous
d094c76534
[New Rule] Suspicious Zoom ChildProcess (#245)
2020-09-30 15:46:33 -08:00
Brent Murphy
83fb9bdf93
[Rule Tuning] Update event.code to category (#349)
2020-09-30 14:34:58 -08:00
Samirbous
f15d179a50
[New Rule] Credential Access - Domain DPAPI Backup key (#125)
* new rule - credential access
Domain Backup DPAPI Private Keys Access
* Update credential_access_domain_backup_dpapi_private_keys.toml
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Linted
* added an extra reference
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-29 21:14:07 +02:00
Samirbous
c6519a2474
[New Rule] PrivEsc - Suspicious PrintSpooler FileCreation Activity (#146)
* [New Rule] PrivEsc - Suspicious PrintSpooler FileCreation Activity
The same rule will detect exploitation behavior of CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300
* Update privilege_escalation_printspooler_service_suspicious_file.toml
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Added references and changed file name to extension, as it was closed as a bug issue by the endpoint dev team
* Update privilege_escalation_printspooler_service_suspicious_file.toml
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 21:11:43 +02:00
Samirbous
cccd91bc1a
[New Rule] Persistence via Update Orchestrator Service Hijack (#152)
* [New Rule] Persistence via Update Orchestrator Service Hijack
* Update persistence_via_update_orchestrator_service_hijack.toml
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-29 18:53:05 +02:00
Samirbous
3ec2d92b42
[New Rule] Potential Secure File Deletion using SDelete utility (#162)
* [New Rule] Potential Secure File Deletion using SDelete utility
* Update defense_evasion_sdelete_like_filename_rename.toml
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update defense_evasion_sdelete_like_filename_rename.toml
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* linted
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 18:46:29 +02:00
Samirbous
206d666e7e
[New Rule] Microsoft IIS Connection Strings Decryption (#165)
* [New Rule] Microsoft IIS Connection Strings Decryption
* Update credential_access_iis_connectionstrings_dumping.toml
* Update credential_access_iis_connectionstrings_dumping.toml
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Linted
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 11:45:41 +02:00
Samirbous
a679207413
[New Rule] Defense Evasion IIS HttpLogging Disabled (#142)
* [New Rule] Defense Evasion IIS HttpLogging Disabled
* Update defense_evasion_iis_httplogging_disabled.toml
* Update defense_evasion_iis_httplogging_disabled.toml
* Update defense_evasion_iis_httplogging_disabled.toml
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Linted
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 11:39:04 +02:00