security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,693 Commits 1 Branch 0 Tags
3351e87789bdfb288db7a78e2dc5bbf42f10a8a2
Commit Graph

568 Commits

Author SHA1 Message Date
Jonhnathan 788f2ce884 [Rule Tuning] PowerShell Rules Tuning (#3169) 
(cherry picked from commit 3f2a709370)
 2023-10-11 21:03:44 +00:00
Ruben Groenewoud f66b82c0ec [Tuning] Windows Execution Rule Tuning for UEBA (#3107) 
* Update defense_evasion_execution_msbuild_started_by_script.toml

* Mostly updated Execution tags, also new_terms conv

* removed index

* Removed index

* WMIPrvSE tuning

* Additional tuning

* Tuning & changes

* Additional tuning

* Applied unit test optimization

* Addressed feedback

* Update rules/windows/execution_command_shell_started_by_svchost.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* caseless unit testing fix

* fixed caseless executable unit test

* unit testing fix

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update execution_ms_office_written_file.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml

* Added user ids to new terms

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/execution_unsigned_service_executable.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update execution_unsigned_service_executable.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit c2822e175c)
 2023-10-11 08:21:37 +00:00
Ruben Groenewoud d4d794b586 [Tuning] Windows Discovery Rule Tuning for UEBA (#3097) 
* [Tuning] Win DR Tuning for UEBA

* Need to get used to Windows formatting

* Added additional content

* Updated min stack

* Added additional tuning

* Fixed unit testing for KQL optimization

* Update rules_building_block/discovery_internet_capabilities.toml

* Additional tuning

* Kuery optimization

* Additional tuning

* Additional tuning

* Additional tuning

* Additional tuning

* Unit testing optimization fix

* optimization

* tuning

* Optimization

* Update rules/windows/discovery_privileged_localgroup_membership.toml

* Added feedback

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_remote_system_discovery_commands_windows.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_system_service_discovery.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* added host.id as additional new_terms field

* Reworked a lot.

* kibana.alert.rule.rule_id to non-ecs-schema.json

* Fixed index by adding a dot

* fixed typo

* Added host.os.type:windows for signals

* Added additional tag

* Added Higher-Order Rule tag

* Stripped down signal rules down to two

* revert

* Update rules/windows/discovery_admin_recon.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_enumerating_domain_trusts_via_nltest.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_generic_registry_query.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules_building_block/discovery_system_time_discovery.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/discovery_privileged_localgroup_membership.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update discovery_generic_registry_query.toml

* Readded exclusions

* Added trailing wildcards for KQL

* Update discovery_privileged_localgroup_membership.toml

* Update rules_building_block/discovery_signal_unusual_user_host.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_signal_unusual_discovery_signal_proc_cmdline.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Formatting fix

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 4cdf52129a)
 2023-10-11 07:49:08 +00:00
Terrance DeJesus 54303f84fc adjusting minimum stack version for version control (#3154) 
(cherry picked from commit 8d2b730bc5)
 2023-10-03 17:41:45 +00:00
Hilton 0bc9b126f6 Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity (#3091) 
* Tunes Unusual Parent Process for cmd.exe rule to exclude oobe activity

When dllhost.exe is called with the "/Processid:{CA8C87C1-929D-45BA-94DB-EF8E6CB346AD}" argument it is creating an "OOBE Elevated Object Server"  as per https://strontic.github.io/xcyclopedia/library/clsid_ca8c87c1-929d-45ba-94db-ef8e6cb346ad.html

Out of the box experience is part of the Windows autopilot and therefore should be legitimate behaviour.

* simplified detection logic by utilising process.parent.args

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit ccfc931fbd)
 2023-09-13 16:56:38 +00:00
Jonhnathan 711e0f3ab7 [New Rule] New BBR Rules - Part 2 (#3029) 
* [New Rule] New BBR Rules - Part 2

* Update discovery_generic_account_groups.toml

* Update discovery_generic_account_groups.toml

* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/execution_downloaded_shortcut_files.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules_building_block/defense_evasion_cmd_copy_binary_contents.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update rules_building_block/defense_evasion_unusual_process_extension.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

* Update defense_evasion_unusual_process_extension.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit ddb1f75352)
 2023-09-13 00:54:52 +00:00
Jonhnathan 4b2112f4a0 [New Rule] New BBR Rules - Part 3 (#3034) 
* [New Rule] New BBR Rules - Part 3

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit af99186992)
 2023-09-13 00:34:12 +00:00
Jonhnathan e9b1ebae3f [New Rule] New BBR Rules - Part 5 (#3052) 
* [New Rule] New BBR Rules - Part 5

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Tag work

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 3614f42b00)
 2023-09-05 21:42:38 +00:00
Jonhnathan 063386829c [Security Content] Include "Data Source: Elastic Defend" tag (#3002) 
* win folder

* Other folders

* Update test_all_rules.py

* .

* updated missing elastic defend tags

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>

(cherry picked from commit 4233fef238)
 2023-09-05 18:28:40 +00:00
Jonhnathan 6c074f21d8 [New Rule][BBR] WRITEDAC Access on Active Directory Object (#3015) 
* [New Rule] WRITEDAC Access on Active Directory Object

* Update defense_evasion_write_dac_access.toml

* Fix Setup Instructions

* Update defense_evasion_write_dac_access.toml

* Update rules_building_block/defense_evasion_write_dac_access.toml

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit fdd45148b8)
 2023-08-31 16:04:58 +00:00
Eric 4a4588c856 Tune rule for new DLL written to Windows Servicing (#3062) 
(cherry picked from commit 41a7a36817)
 2023-08-30 16:57:00 +00:00
Jonhnathan d45b693e20 [New Rule] Suspicious WMI Event Subscription Created (#1860) 
* Suspicious WMI Event Subscription Initial rule

* Use EQL sequence

* Update non-ecs-schema

* Update persistence_sysmon_wmi_event_subscription.toml

* update description

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* update query too look for even code 21 only

* update to case sensitive compare

* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update rules/windows/persistence_sysmon_wmi_event_subscription.toml

* Update non-ecs-schema.json

* Update persistence_sysmon_wmi_event_subscription.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 6d7df50d78)
 2023-08-29 19:48:03 +00:00
Jonhnathan 374ac8ad1c [New Rule] Unusual Process For MSSQL Service Accounts (#3040) 
* [New Rule] Unusual Process For MSSQL Service Accounts

* Update initial_access_unusual_process_sql_accounts.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update collection_archive_data_zip_imageload.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update initial_access_unusual_process_sql_accounts.toml

* Update rules_building_block/initial_access_unusual_process_sql_accounts.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

added   "vpnbridge.exe", "certutil.exe" and "bitsadmin.exe" to rule scope.

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 7004c99ef5)
 2023-08-29 12:16:12 +00:00
Samirbous d0d092a036 Update credential_access_lsass_openprocess_api.toml (#3047) 
(cherry picked from commit 22931d6afb)
 2023-08-28 15:28:09 +00:00
Jonhnathan c067542e13 [Rule Tuning] High Number of Process and/or Service Terminations (#2940) 
(cherry picked from commit de32287889)
 2023-08-25 22:25:19 +00:00
Terrance DeJesus 10fa921c84 [Rule Tuning] Ignore Windows Update MpSigStub.exe for Parent Process PID Spoofing (#3025) 
* adding tuning to ignore windows update

* Update privilege_escalation_via_ppid_spoofing.toml

* Update privilege_escalation_via_ppid_spoofing.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 2ddcf7817e)
 2023-08-22 17:10:02 +00:00
Jonhnathan 121134347a [Rule Tuning] PowerShell Keylogging Script (#3023) 
(cherry picked from commit 0c3b251208)
 2023-08-22 10:50:44 +00:00
Samirbous 3534b37ba6 [Tuning] Improve Performance (#2953) 
* [Tuning] Improve Performance

Remote Computer Account DnsHostName Update : sequence not needed, removed auth event to improve rule execution time.

Potential Remote Credential Access via Registry : removed sequence, since user.id is reported as std user SID (svchost is impersonating a remote user), and reduced file.path to known bad (based on observed TPs)

* Update privilege_escalation_suspicious_dnshostname_update.toml

* ++

* ++

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 5e801b2edf)
 2023-08-21 15:29:47 +00:00
Jonhnathan 8058b4054c [New Rule] PowerShell Kerberos Ticket Dump (#2967) 
* [New Rule] PowerShell Kerberos Ticket Dump

* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml

* Update rules/windows/credential_access_posh_kerb_ticket_dump.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 72f15dda6a)
 2023-08-20 20:34:43 +00:00
Joe Desimone 27e246bd5e [Rule Tuning] Privileges Elevation via Parent Process PID Spoofing (#2873) 
* Update privilege_escalation_via_ppid_spoofing.toml

* Update privilege_escalation_via_ppid_spoofing.toml

* bump date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit b5e011a892)
 2023-08-17 16:58:24 +00:00
Jonhnathan 7c4ca0a4a3 [New Rule] Building Block Rules - Part 2 (#2923) 
* [New Rule] Building Block Rules - Part 2

* .

* Update rules_building_block/defense_evasion_dll_hijack.toml

* Update rules_building_block/defense_evasion_file_permission_modification.toml

* Update rules_building_block/discovery_posh_password_policy.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 9144dc0448)
 2023-08-17 16:06:41 +00:00
Jonhnathan 96e50be5a6 [Rule Tuning] Potential Masquerading as Communication Apps (#2997) 
* [Rule Tuning] Potential Masquerading as Communication Apps

* Update defense_evasion_masquerading_communication_apps.toml

* Update persistence_run_key_and_startup_broad.toml

* CI

* Revert "CI"

This reverts commit f43d9388dadb158d6cb63e84d2f1edcf2162bfb0.
 2023-08-16 09:34:21 -03:00
Ali Alwashali f500cec497 fixing typo in 127.0.0.1 address (#3004) 2023-08-08 17:06:26 +02:00
Eric 1e769c51b6 Tune Unusual File Activity ADS for Teams weblogs (#2929) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-31 10:41:31 -03:00
Eric d0d99829a2 Correct misspelling of AppDara to AppData (#2952) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-07-26 08:10:03 -03:00
Jonhnathan 5e714e01e6 [Security Content] Add Windows Investigation Guides (#2825) 
* [Security Content] Add Windows Investigation Guides

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

* Add IG Tag

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

---------

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-19 08:07:01 -03:00
Jonhnathan 23a133121d [Rule Tuning] Add HackTool Keywords to PowerShell Rules (#2932) 2023-07-18 08:55:59 -03:00
Jonhnathan fca8bcc071 [Rule Tuning] PowerShell Rule Tunings (#2907) 
* [Rule Tuning] PowerShell Rule Tunings

* bump
 2023-07-14 15:41:36 -03:00
Terrance DeJesus cd7a52f1b1 [Rule Tuning] Lock Rules with Different Required Fields Related to 8.9.1 Release (#2895) 
* forking rules with version collisions

* Update rules/windows/credential_access_lsass_handle_via_malseclogon.toml

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

* Update rules/windows/credential_access_suspicious_lsass_access_generic.toml

* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml
 2023-07-06 10:39:20 -04:00
Eric df0a1facd1 [WMI Incoming Lateral Movement] Modify Existing Query Exception (#2843) 
* Tune WMI Incoming Lateral Movement

* Tune WMI Incoming Lateral Movement

* Bump updated_date

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-03 17:12:05 -04:00
Eric f78de8c9d4 Add MS Office exceptions to query (#2836) 
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-07-03 16:09:17 -04:00
Eric 35ea2727dc [Suspicious Antimalware Scan Interface DLL] Additional Query Exception for Windows Upgrades (#2850) 2023-06-30 18:01:35 -04:00
Samirbous 7aa8a7b5fb [Rules Tuning] diverse tuning (#2506) 
* Update credential_access_saved_creds_vault_winlog.toml

* Update lateral_movement_powershell_remoting_target.toml

* Update credential_access_saved_creds_vault_winlog.toml

* Update lateral_movement_remote_services.toml

* Update lateral_movement_incoming_winrm_shell_execution.toml

* Update lateral_movement_rdp_enabled_registry.toml

* Update persistence_scheduled_task_updated.toml

* Update persistence_scheduled_task_updated.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update privilege_escalation_persistence_phantom_dll.toml

* Update rules/windows/persistence_scheduled_task_updated.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-06-30 18:57:00 +01:00
Jonhnathan d5dddae0ef [Rule Tuning] Suspicious PowerShell Engine ImageLoad (#2721) 
* [Rule Tuning] Suspicious PowerShell Engine ImageLoad

* Update rules/windows/execution_suspicious_powershell_imgload.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-06-30 10:56:13 -03:00
Samirbous 2a4749d3d0 [New Rule] New Term Rule for USB Devices (#2644) 
* Create

* Update initial_access_first_time_seen_usb_name.toml

* Update rules/windows/initial_access_first_time_seen_usb_name.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/initial_access_first_time_seen_usb_name.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update initial_access_first_time_seen_usb_name.toml

* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml

* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml

* Update rules/windows/initial_access_exfiltration_first_time_seen_usb.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-06-30 10:41:38 -03:00
Jonhnathan a7e605a0e5 [Rule Tuning] [BUG] Revert PowerShell Query modifications from #2823 (#2889) 
* Revert query mods done in https://github.com/elastic/detection-rules/pull/2823

* Add exception to unit test

* fixed linting

* proper linting fix

* updated to add to definitions.py

* fix linting

---------

Co-authored-by: eric-forte-elastic <eric.forte@elastic.co>
 2023-06-28 15:55:43 -03:00
eric-forte-elastic aaa4ce2ea0 [BUG] test_all_rule_queries_optimized does not run on rules (#2823) 
* Fixed kql -> kuery in test_all_rule_queries_opt...

* all queries optimized

* manually reconciled all rules that failed due to toml escaped chars

* merge rules from main

* Rules needing optimization

* Fix optimized note

* fix another note

* another note fix

* fixing whitespace

* Updated for readability

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-23 10:58:31 -04:00
Jonhnathan b4c84e8a40 [Security Content] Tags Reform (#2725) 
* Update Tags

* Bump updated date separately to be easy to revert if needed

* Update resource_development_ml_linux_anomalous_compiler_activity.toml

* Apply changes from the discussion

* Update persistence_init_d_file_creation.toml

* Update defense_evasion_timestomp_sysmon.toml

* Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml

* Update missing Tactic tags

* Update unit tests to match new tags

* Add missing IG tags

* Delete okta_threat_detected_by_okta_threatinsight.toml

* Update command_and_control_google_drive_malicious_file_download.toml

* Update persistence_rc_script_creation.toml

* Mass bump

* Update persistence_shell_activity_by_web_server.toml

* .

---------

Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-06-22 18:38:56 -03:00
Eric 1e404cde34 [Suspicious PowerShell Engine ImageLoad] Add Ssms.exe to query exceptions (#2831) 
* Add Ssms.exe to query exceptions

* Changed updated_date

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-06-12 16:15:47 -03:00
Jonhnathan 665bf03ec0 [Rule Tuning] Remote System Discovery Commands (#2834) 2023-06-07 14:24:53 -03:00
Eric 601788c4df Added Outlook.exe as a query exception (#2814) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-06-06 17:47:25 +01:00
Eric 221e756b48 Adjusted exceptions to rule for Nessus (#2774) 
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
 2023-06-06 17:39:34 +01:00
Jonhnathan 05aac4f371 [Security Content] Add Investigation Guides to Windows rules (#2678) 
* [Security Content] Add Investigation Guides to Windows rules

* Update privilege_escalation_service_control_spawned_script_int.toml

* Update execution_reverse_shell_via_named_pipe.toml

* Apply suggestions from code review

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update execution_command_prompt_connecting_to_the_internet.toml

---------

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com>
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
 2023-05-26 10:25:41 -03:00
Jonhnathan 0b3f603179 [Rule Tuning] Adding Hidden File Attribute via Attrib (#2726) 
* [New Rule] Adding Hidden File Attribute via Attrib

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-05-17 10:23:11 -03:00
Jonhnathan 9f734c2c1f [Rule Tuning] System Information Discovery via Windows Command Shell (#2741) 2023-05-17 09:58:21 -03:00
Jonhnathan d017156454 [Rule Tuning] Make Rules Compatible with Windows Forwarded Logs (#2761) 
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update test_all_rules.py

* Update test_all_rules.py

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
 2023-05-15 20:31:59 -03:00
Jonhnathan 6655932190 [Rule Tuning] Startup or Run Key Registry Modification (#2766) 
* [Rule Tuning] Startup or Run Key Registry Modification

* Update persistence_run_key_and_startup_broad.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
 2023-05-04 09:42:12 -03:00
Terrance DeJesus d5350ae6e0 [New Rule] Commonly Abused Remote Access Tool Downloaded (New Terms) (#2685) 
* adding initial rule

* changed new terms to host.id

* removed windows integration tag

* removed windows integration tag

* changed rule to be process started related

* rule linted

* updating description

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

* added process.name.caseless to non-ecs.json

* removed host type related to #2761

* added host.os.type

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
 2023-05-02 23:09:17 -04:00
Samirbous 2eda02c10e [Rule Tuning] Multiple Logon Failure from the same Source Address (#2588) 
* Update credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
 2023-04-24 09:16:17 -03:00
Jonhnathan 84acf004da [Rule Tuning] Component Object Model Hijacking (#2730) 2023-04-21 18:43:02 -03:00