security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2,056 Commits 1 Branch 0 Tags
37ea64baf451e6bb0fcc8215daffa8d98a8bd5b5
Commit Graph

662 Commits

Author SHA1 Message Date
Jonhnathan c4a427178b [New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll (#3717) 
* [New Rule] Potential DNS Server Privilege Escalation via ServerLevelPluginDll

* Update privilege_escalation_dns_serverlevelplugindll.toml

* Update privilege_escalation_dns_serverlevelplugindll.toml

* Update rules/windows/privilege_escalation_dns_serverlevelplugindll.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 4eff7c6c87)
 2024-06-12 18:21:54 +00:00
Jonhnathan fff49e7f09 [Rule Tuning] User Added to Privileged Group (#3763) 
* [New Rule] User Added to Privileged Group

* add more groups

* Update rules/windows/persistence_user_account_added_to_privileged_group_ad.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update persistence_user_account_added_to_privileged_group_ad.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 087e8a6e85)
 2024-06-07 16:46:52 +00:00
shashank-elastic 06660cb2e1 Refresh MITRE Attack v15.1.0 (#3725) 
(cherry picked from commit e357a2c050)
 2024-06-04 14:48:18 +00:00
Samirbous 8975b5de18 Update impact_high_freq_file_renames_by_kernel.toml (#3707) 
(cherry picked from commit 603f3c313a)
 2024-05-23 17:03:14 +00:00
shashank-elastic 18fcd83683 Back-porting Version Trimming (#3704) 
(cherry picked from commit 63e91c2f12)
 2024-05-22 19:18:10 +00:00
Jonhnathan 0ab70f13a4 [Rule Tuning] Add Initial SentinelOne Compatibility to Windows DRs (#3627) 
* [Rule Tuning] Add Initial SentinelOne Compatibility

* updated definitions.py; updated tags; fixed unit tests

* added prerelease versions for s1 integration; updated build CLI commands to allow prerelease; bumped min-stacks

* updating manifests and integrations

* fixing flake errors

* min_stack

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit d023ad66b1)
 2024-05-20 12:59:37 +00:00
Jonhnathan ad7a8afb32 [Rule Tuning] Windows Service Installed via an Unusual Client (#3671) 
* [Rule Tuning] Windows Service Installed via an Unusual Client

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update rules/windows/privilege_escalation_windows_service_via_unusual_client.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 0eef7f62ff)
 2024-05-15 13:39:59 +00:00
Samirbous cbac37db59 [New] Unusual Execution via Microsoft Common Console File (#3663) 
* [New] Unusual Execution via Microsoft Common Console File

https://www.genians.co.kr/blog/threat_intelligence/facebook

* Update rules/windows/execution_initial_access_via_msc_file.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/execution_initial_access_via_msc_file.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/execution_initial_access_via_msc_file.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update execution_initial_access_via_msc_file.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit a1ef8c9fc0)
 2024-05-14 14:16:02 +00:00
Samirbous 95fd920afe [New] Potential File Download via a Headless Browser (#3660) 
* [New] Potential File Download via a Headless Browser

* Update command_and_control_headless_browser.toml

* Update command_and_control_headless_browser.toml

* Update command_and_control_common_webservices.toml

* Update command_and_control_headless_browser.toml

* Update command_and_control_headless_browser.toml

(cherry picked from commit 83462a3087)
 2024-05-14 13:04:35 +00:00
Jonhnathan 2f88a93d62 [New Rule] Alternate Data Stream Creation at Volume Root Directory (#3517) 
* [New Rule] Alternate Data Stream Creation at Volume Root Directory

* Update defense_evasion_root_dir_ads_creation.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 6150f222b2)
 2024-05-13 11:42:34 +00:00
Jonhnathan 2e270cf78c [New Rule] Potential PowerShell HackTool Script by Author (#2472) 
* [New Rule] Potential PowerShell HackTool Script by Author

* Update execution_posh_hacktool_authors.toml

* Update execution_posh_hacktool_authors.toml

* Update execution_posh_hacktool_authors.toml

* Apply suggestions from code review

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

* Update execution_posh_hacktool_authors.toml

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update execution_posh_hacktool_authors.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit f85d7482fd)
 2024-05-09 16:08:45 +00:00
Samirbous ae6bb88edb [Tuning] Component Object Model Hijacking (#3655) 
* [Tuning] Component Object Model Hijacking

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

* Update persistence_suspicious_com_hijack_registry.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 7a61070e08)
 2024-05-08 16:52:11 +00:00
Samirbous 4bbb8c2642 [New] Ransomware over SMB (#3638) 
* [New] Ransomware over SMB

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_ransomware_file_rename_smb.toml

* ++

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_high_freq_file_renames_by_kernel.toml

* Update impact_ransomware_file_rename_smb.toml

* Update impact_ransomware_note_file_over_smb.toml

* Update impact_high_freq_file_renames_by_kernel.toml

(cherry picked from commit 4a2e2764cd)
 2024-05-07 05:46:07 +00:00
Samirbous 55a17e12db [New] Potential privilege escalation via CVE-2022-38028 (#3616) 
* [New] Potential privilege escalation via CVE-2022-38028

https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/

* Update privilege_escalation_exploit_cve_202238028.toml

* Update privilege_escalation_exploit_cve_202238028.toml

* Update privilege_escalation_exploit_cve_202238028.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 8f6de1c235)
 2024-04-29 14:18:06 +00:00
Terrance DeJesus bda38d6f27 updating performance note (#3608) 
(cherry picked from commit 69d42ecc71)
 2024-04-18 20:43:50 +00:00
Jonhnathan fea73c9686 [New Rule] Potential Windows Session Hijacking via CcmExec (#3602) 
* [New Rule] Potential Windows Session Hijacking via CcmExec

* Update rules/windows/defense_evasion_sccm_scnotification_dll.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 6ae0902a38)
 2024-04-18 16:05:03 +00:00
Jonhnathan 4562d694b0 [Rule Tuning] Further Tight up Elastic Defend Index Patterns (#3584) 
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 5004ff115c)
 2024-04-16 16:34:23 +00:00
Jonhnathan e33d80804f [Rule Tuning] Windows BBR Promotion (#3577) 
* [Rule Tuning] Windows BBR Promotion

* Update non-ecs-schema.json

* Update persistence_netsh_helper_dll.toml

* Update persistence_werfault_reflectdebugger.toml

* Update privilege_escalation_unquoted_service_path.toml

* Update defense_evasion_msdt_suspicious_diagcab.toml

* Update defense_evasion_suspicious_msiexec_execution.toml

* Update discovery_security_software_wmic.toml

* Revert "Update defense_evasion_msdt_suspicious_diagcab.toml"

This reverts commit 0e1f3ea3e18a146c421a5bda784633cca4a2b0c0.

* Revert "Update defense_evasion_suspicious_msiexec_execution.toml"

This reverts commit 4e26a167774ad712d19334a4c2c712cc1d550e7f.

* Revert "Update discovery_security_software_wmic.toml"

This reverts commit d638cec354a46cacab1e62596f4ad939a1d9c32a.

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit c2d1586270)
 2024-04-16 12:36:20 +00:00
Samirbous f291aa105d Update defense_evasion_untrusted_driver_loaded.toml (#3596) 
excluding `errorCode_endpoint:*` status (noisy)

(cherry picked from commit 919a438257)
 2024-04-15 14:00:51 +00:00
Samirbous 52e86dc8e8 [Tuning] Connection to Commonly Abused Web Services (#3587) 
excluding top noisy patterns :

- Microsoft signed binaries connecting to graph.microsoft.com and sharepoint.com
- Slack, Dropbox and other signed binaries.
- github.com (removed), most abused is rawgithub dns.question.name for ingress-script/payload download

(cherry picked from commit 9692e59abb)
 2024-04-11 11:18:52 +00:00
Jonhnathan 74d428b09e [Rule Tuning] Svchost spawning Cmd (#3578) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit aa0cc42ff6)
 2024-04-08 10:57:52 +00:00
Jonhnathan eca9b72a2c [Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution (#3545) 
* [Rule Tuning] First Time Seen Commonly Abused Remote Access Tool Execution

* Update command_and_control_new_terms_commonly_abused_rat_execution.toml

* Update command_and_control_new_terms_commonly_abused_rat_execution.toml

* Update command_and_control_new_terms_commonly_abused_rat_execution.toml

* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 4ab7c9b178)
 2024-04-02 14:15:05 +00:00
Samirbous 6cf92b25d3 [Tuning] Connection to Commonly Abused Web Services (#3425) 
* Update command_and_control_common_webservices.toml

* Update command_and_control_common_webservices.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 69173872da)
 2024-04-02 13:49:39 +00:00
Samirbous 22857aca2e [New Rule] Suspicious Access to LDAP Attributes (#2504) 
* Create discovery_high_number_ad_properties.toml

* Update discovery_high_number_ad_properties.toml

* Update rules/windows/discovery_high_number_ad_properties.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update rules/windows/discovery_high_number_ad_properties.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* fixed tags; moved note to setup, updated date

* Update discovery_high_number_ad_properties.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>

(cherry picked from commit f025616cbd)
 2024-04-02 13:05:41 +00:00
Jonhnathan 5a18a6cea2 [Rule Tuning] Potential Application Shimming via Sdbinst (#3553) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit c781376188)
 2024-04-02 09:43:02 +00:00
Jonhnathan 21f23f6d33 [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules (#3549) 
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules

* Delete test.pkl

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit b47b91b9ec)
 2024-04-01 23:52:53 +00:00
Jonhnathan 7838042839 [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions (#3505) 
* [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions

* update min_stack

* build out schema in more detail for Filters

* Update detection_rules/rule.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Remove enum for definition

* remove unused import

* remove $state store

* transform state

* add call to super

* add return type hint

* use dataclass metadata

* use Literal type

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

Removed changes from:
- rules/windows/collection_mailbox_export_winlog.toml
- rules/windows/collection_posh_clipboard_capture.toml
- rules/windows/defense_evasion_posh_assembly_load.toml
- rules/windows/defense_evasion_posh_compressed.toml
- rules/windows/discovery_posh_suspicious_api_functions.toml
- rules/windows/discovery_privileged_localgroup_membership.toml
- rules/windows/execution_posh_hacktool_functions.toml
- rules/windows/execution_posh_psreflect.toml
- rules_building_block/collection_posh_compression.toml
- rules_building_block/defense_evasion_powershell_clear_logs_script.toml
- rules_building_block/discovery_posh_generic.toml
- rules_building_block/lateral_movement_posh_winrm_activity.toml

(selectively cherry picked from commit 67ca13c1ce)
 2024-04-01 20:53:09 +00:00
Jonhnathan 5a7d7cf4a0 [New Rules] Potential PowerShell Pass-the-Hash/Relay Script (#3543) 
* [New Rules] Potential PowerShell Pass-the-Hash/Relay Script

* Update credential_access_posh_relay_tools.toml

* Update execution_posh_hacktool_functions.toml

* Update credential_access_posh_relay_tools.toml

* Update credential_access_posh_relay_tools.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 218c3bead6)
 2024-03-28 10:16:03 +00:00
Jonhnathan c871bbb6d6 [New Rule] Creation of a DNS-Named Record (#3539) 
* [New Rule] Creation of a DNS-Named Record

* Update credential_access_dnsnode_creation.toml

* Update rules/windows/credential_access_dnsnode_creation.toml

(cherry picked from commit 954a93c3b4)
 2024-03-27 21:28:37 +00:00
Jonhnathan 06dcbb80f5 [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation (#3535) 
* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation

* Update credential_access_adidns_wildcard.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 67e9ebf8e1)
 2024-03-27 13:15:24 +00:00
Samirbous bfd3289680 [New] Suspicious Execution via ScreenConnect (#3541) 
* [New] Suspicious Execution via ScreenConnect

- Suspicious ScreenConnect Client Child Process (limited to known suspicious patterns)
- ScreenConnect Server Spawning Suspicious Processes (webshell access via ScreenConnect server)

* Update command_and_control_screenconnect_childproc.toml

* Update rules/windows/initial_access_webshell_screenconnect_server.toml

* Update rules/windows/command_and_control_screenconnect_childproc.toml

* Update rules/windows/command_and_control_screenconnect_childproc.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update command_and_control_screenconnect_childproc.toml

* Update command_and_control_screenconnect_childproc.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit d7aff43621)
 2024-03-27 12:02:12 +00:00
ALEXANDER MA COTE e388aaf409 fix typo in lateral_movement_remote_services.toml (#3538) 
(cherry picked from commit 138447221f)
 2024-03-27 10:46:36 +00:00
Ruben Groenewoud 75a0a3f338 [Rule Tuning] Scheduled Task Activity via pwsh (#3534) 
(cherry picked from commit 760b99bcc1)
 2024-03-26 13:53:05 +00:00
Samirbous 5ce96738c4 [New] Suspicious JetBrains TeamCity Child Process (#3532) 
* [New] Suspicious JetBrains TeamCity  Child Process

* Update initial_access_exploit_jetbrains_teamcity.toml

* Update initial_access_exploit_jetbrains_teamcity.toml

* Update initial_access_exploit_jetbrains_teamcity.toml

* Update initial_access_exploit_jetbrains_teamcity.toml

(cherry picked from commit fc76a8bcb5)
 2024-03-25 16:40:44 +00:00
Jonhnathan b6aff9b2e5 [New Rules] Veeam Credential Access DRs (#3516) 
* [New Rules] Veeam Credential Access DRs

* bump

* Update credential_access_veeam_commands.toml

* Update credential_access_veeam_backup_dll_imageload.toml

* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update credential_access_veeam_commands.toml

* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 779fa7710d)
 2024-03-21 13:09:29 +00:00
Jonhnathan 22ed934946 [Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 (#3501) 
* Initial commit

* Date bump

(cherry picked from commit f5254f3b5e)
 2024-03-13 13:33:15 +00:00
Jonhnathan 9101dfc064 [Security Content] Small tweaks on the setup guides (#3308) 
* [Security Content] Small tweaks on the setup guides

* Additional Fixes

* Avoid touching deprecated rules

(cherry picked from commit 458e67918a)
 2024-03-11 12:15:22 +00:00
Jonhnathan aebe64a42b [Rule Tuning] DR Performance-Poor Rules (#3399) 
* [Rule Tuning] DR Performance

* .

* Update rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/persistence_registry_uncommon.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml

* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml

* Update persistence_startup_folder_scripts.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit edf4da8526)
 2024-03-11 11:56:05 +00:00
sbousseaden fb835e396d [Tuning] Tuning Windows - 3 Rules (#3388) 
* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_make_token_local.toml

* Update privilege_escalation_make_token_local.toml

* Update privilege_escalation_create_process_with_token_unpriv.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 853e18950f)
 2024-02-20 16:01:52 +00:00
Samirbous 144754c8a5 [New] Suspicious Execution from INET Cache (#3445) 
* Create initial_access_execution_from_inetcache.toml

* Update initial_access_execution_from_inetcache.toml

(cherry picked from commit 4809de6584)
 2024-02-15 19:19:30 +00:00
Jonhnathan a864d77e0a [Rule Tuning] Windows BBR Tuning - 5 (#3385) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 97e49795ab)
 2024-02-14 13:28:21 +00:00
Jonhnathan 0c0a5bdaad [Rule Tuning] Windows BBR Tuning - 2 (#3381) 
* [Rule Tuning] Windows BBR Tuning - 2

* Update defense_evasion_masquerading_windows_system32_exe.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit ae00f30574)
 2024-02-14 13:03:47 +00:00
Jonhnathan 4ac56fbd40 [Rule Tuning] Suspicious Antimalware Scan Interface DLL (#3432) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 21b559c97f)
 2024-02-08 09:32:22 +00:00
Samirbous 66458bd33d Update lateral_movement_remote_task_creation_winlog.toml (#3419) 
(cherry picked from commit 6906a27c3a)
 2024-02-05 18:41:54 +00:00
Jonhnathan 67acfbae4d [Rule Tuning] Windows BBR Tuning - 1 (#3380) 
* [Rule Tuning] Windows BBR Tuning - 1

* .

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 8274f9a816)
 2024-02-05 15:52:57 +00:00
Jonhnathan 5edd21a169 [Rule Tuning] Startup or Run Key Registry Modification (#3367) 
(cherry picked from commit edd3556b63)
 2024-02-05 15:33:38 +00:00
Samirbous 41ee5b7509 [New] Potential Enumeration via Active Directory Web Service (#3416) 
* Create discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

(cherry picked from commit 5a68ccfd0d)
 2024-02-02 14:24:50 +00:00
Jonhnathan 332afabf04 [Rule Tuning] Potential Modification of Accessibility Binaries (#3401) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 50df6f3e9b)
 2024-02-01 14:32:00 +00:00
Samirbous 50be89783c [Tuning] DCSync Rules - 4662 event.action (#3410) 
* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_replication_rights.toml

(cherry picked from commit d7f4d7972e)
 2024-01-30 11:48:48 +00:00
Jonhnathan 9ce2cdf675 [Rule Tuning] Windows DR Tuning - 15 (#3377) 
* [Rule Tuning] Windows DR Tuning - 15

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update defense_evasion_msbuild_making_network_connections.toml

(cherry picked from commit 92804343bc)
 2024-01-23 19:54:02 +00:00