Samirbous
3e7be55a24
[New Rule] UAC Bypass via Windows Firewall Snap-in Hijack (#376)
* [New Rule] Bypass UAC via Windows Firewall Snap-in Hijack
* Delete workspace.xml
* Update privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
* Update privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-18 20:36:59 +01:00
Samirbous
75ed0f8f92
[New Rule] UAC Bypass via ICMLuaUtil Elevated COM interface (#383)
* [New Rule] Bypass UAC via ICMLuaUtil Elevated COM interface
* added tags
* Update privilege_escalation_uac_bypass_com_interface_icmluautil.toml
* adjusted args to avoid leading wildcard
* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* replaced wildcard with In
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-11-18 20:34:10 +01:00
Samirbous
14270a5614
[New Rule] Persistence via MS Office Addins (#381)
* [New Rule] Persistence via MS Office Addins
* Update persistence_ms_office_addins_file.toml
* Update persistence_ms_office_addins_file.toml
* Update persistence_ms_office_addins_file.toml
* Update persistence_ms_office_addins_file.toml
* fixed extension and relaxed file.path
* updated references
* changed leading wildcard for perf
* Update rules/windows/persistence_ms_office_addins_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/persistence_ms_office_addins_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-18 20:27:01 +01:00
Samirbous
4547ee3750
[New Rule] Suspicious Execution - Short Program Name (#536)
* [New Rule] Suspicious Execution - Short Program Name
* Update rules/windows/execution_suspicious_short_program_name.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:27:37 +01:00
Samirbous
4741f70fad
[New Rule] Potential Remote Desktop Tunneling Detected (#374)
* [New Rule] Remote Desktop Tunneling using SSH Plink Utility
* Update lateral_movement_rdp_tunnel_plink.toml
* Update lateral_movement_rdp_tunnel_plink.toml
* changed tags
* expanded condition to more than plink
There are other SSH utilities that can be used like Plink, thus removed the process original filename condition and added mandatory switches such as -L, -P and -R.
* Update lateral_movement_rdp_tunnel_plink.toml
* more args options
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:25:48 +01:00
Samirbous
14e36c2693
[New Rule] Security Software Discovery using WMIC (#387)
* [New Rule] Security Software Discovery using WMIC
* added tags
* adjusted args for performance
avoiding leading wildcard in process args
* Update discovery_security_software_wmic.toml
* Update discovery_security_software_wmic.toml
* Update discovery_security_software_wmic.toml
* Update rules/windows/discovery_security_software_wmic.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/discovery_security_software_wmic.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:23:28 +01:00
Samirbous
ba4b8bc3e3
[New Rule] UAC Bypass via Elevated COM IEinstall (#450)
* [New Rule] Bypass UAC via Elevated COM Internet Explorer Add-on Installer
* Linted
* Update privilege_escalation_uac_bypass_com_ieinstal.toml
* adjusted executable path for better performance
* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:21:15 +01:00
Samirbous
3af915ff49
[New Rule] Suspicious Cmd Execution via WMI (#389)
* [New Rule] Suspicious Cmd Execution via WMI
* Update lateral_movement_suspicious_cmd_wmi.toml
* Update lateral_movement_suspicious_cmd_wmi.toml
* expanded process args for more coverage
* Update rules/windows/lateral_movement_suspicious_cmd_wmi.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-17 21:19:30 +01:00
Justin Ibarra
f87f2a46f4
[Rule Tuning] Remove all rule timelines (#466)
2020-11-03 09:51:53 -09:00
Justin Ibarra
da64bacac1
[Rule Tuning] Add timeline_title to rules with timeline IDs defined (#452)
2020-11-02 14:12:20 -09:00
Brent Murphy
9838d3d2f7
[Rule Tuning] Remove duplicate rules after EQL conversion (#436)
* [Rule Tuning] Remove duplicate rules after EQL conversion
* Update defense_evasion_rundll32_sequence.toml
* swap msxsl rules
2020-10-30 15:49:28 -04:00
Justin Ibarra
a575cf9ff3
[Rule Tuning] Use cidrMatch for eql rules checking multiple IPs (#431)
2020-10-29 11:06:24 -08:00
Justin Ibarra
0d3c35886c
Remove connection type from endpoint network rules (#426)
2020-10-28 12:35:34 -08:00
Derek Ditch
580db2c13e
Add timeline_id to detection rules (#95)
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
- Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
2020-10-27 13:34:16 -05:00
seth-goodwin
2065af89b1
[Rule Tuning] Tag Categorization Updates (#380)
* Add new categorization tags
* Change updated_date to 2020/10/26
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100
2020-10-26 13:50:45 -05:00
Brent Murphy
2e422f7159
[Rule Tuning] Minor Rule Tweaks for 7.10 (#400)
* Tweak Rules for 7.10
* Add endpoint index for packetbeat rules
* update unit test to account for Network tag as well
* update modified date, add endpoint tag
* use Host instead of Endpoint
* Update packaging.py
* add v back to changelog url
* Add "tag" comment to get_markdown_rule_info
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-10-22 09:07:04 -04:00
Justin Ibarra
0a992d716a
[Rule Tuning] Update EQL rules for 7.10 (#399)
* update syntax to reflect eql changes
* use more case-insensitivity
* comment out missing fields for winlogbeat compatibility
2020-10-21 12:35:18 -08:00
Justin Ibarra
fd2d36573d
Update logic in rules using fields: process.code_signature.* or process.pe.original_file_name (#364)
2020-10-20 15:22:02 -08:00
Justin Ibarra
d3226c72c9
Add test for tactic in rule filename (#398)
2020-10-20 14:48:33 -08:00
Kevin Logan
f34c96f4dc
[Rule Tuning][SECURITY_SOLUTION] rename Endpoint security (#355)
2020-10-05 09:55:15 -08:00
Justin Ibarra
bf202b6b6c
[New Rule] Initial converted EQL rules (#304)
* 18 converted eql rules (not all prod)
2020-09-30 21:40:55 -08:00
Justin Ibarra
2460333595
[Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351)
2020-09-30 16:16:04 -08:00
Samirbous
d094c76534
[New Rule] Suspicious Zoom ChildProcess (#245)
2020-09-30 15:46:33 -08:00
Brent Murphy
83fb9bdf93
[Rule Tuning] Update event.code to category (#349)
2020-09-30 14:34:58 -08:00
Samirbous
f15d179a50
[New Rule] - Credential Access - Domain DPAPI Backup key (#125)
* new rule - credential access
Domain Backup DPAPI Private Keys Access
* Update credential_access_domain_backup_dpapi_private_keys.toml
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Linted
* added an extra reference
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-29 21:14:07 +02:00
Samirbous
c6519a2474
[New Rule] PrivEsc - Suspicious PrintSpooler FileCreation Activity (#146)
* [New Rule] PrivEsc - Suspicious PrintSpooler FileCreation Activity
The same rule will detect exploitation behavior of CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300
* Update privilege_escalation_printspooler_service_suspicious_file.toml
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Added references and changed file name to extension, as it was closed as a bug issue by the endpoint dev team
* Update privilege_escalation_printspooler_service_suspicious_file.toml
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 21:11:43 +02:00
Samirbous
cccd91bc1a
[New Rule] - Persistence via Update Orchestrator Service Hijack (#152)
* [New Rule] - Persistence via Update Orchestrator Service Hijack
* Update persistence_via_update_orchestrator_service_hijack.toml
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-29 18:53:05 +02:00
Samirbous
3ec2d92b42
[New Rule] - Potential Secure File Deletion using SDelete utility (#162)
* [New Rule] - Potential Secure File Deletion using SDelete utility
* Update defense_evasion_sdelete_like_filename_rename.toml
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update defense_evasion_sdelete_like_filename_rename.toml
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* linted
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 18:46:29 +02:00
Samirbous
206d666e7e
[New Rule] Microsoft IIS Connection Strings Decryption (#165)
* [New Rule] Microsoft IIS Connection Strings Decryption
* Update credential_access_iis_connectionstrings_dumping.toml
* Update credential_access_iis_connectionstrings_dumping.toml
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Linted
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 11:45:41 +02:00
Samirbous
a679207413
[New Rule] - Defense Evasion IIS HttpLogging Disabled (#142)
* [New Rule] - Defense Evasion IIS HttpLogging Disabled
* Update defense_evasion_iis_httplogging_disabled.toml
* Update defense_evasion_iis_httplogging_disabled.toml
* Update defense_evasion_iis_httplogging_disabled.toml
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Linted
* Update rules/windows/defense_evasion_iis_httplogging_disabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-29 11:39:04 +02:00
Samirbous
53484de986
[New Rule] - Creation of a new GPO Scheduled Task or Service (#126)
* [New Rule] - Creation of a new GPO Scheduled Task or Service
* Update lateral_movement_gpo_schtask_service_creation.toml
* Update lateral_movement_gpo_schtask_service_creation.toml
* Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_gpo_schtask_service_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update lateral_movement_gpo_schtask_service_creation.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-29 10:54:24 +02:00
Samirbous
60adbbbb70
[New Rule] - Print Spooler PrivEsc - Suspicious SPL File Created (#148)
* [New Rule] - Print Spooler PrivEsc - Suspicious SPL File Created
* Update privilege_escalation_printspooler_suspicious_spl_file.toml
* added ref and changed verb and replaced file.name with file.extension
* Update privilege_escalation_printspooler_suspicious_spl_file.toml
* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Linted and fixed tactic to privesc
* Linted
* ref
* Update privilege_escalation_printspooler_suspicious_spl_file.toml
* Lint rule
* Update rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-29 10:17:36 +02:00
Samirbous
fc3dcdf133
[New Rule] Unusual CommandShell Parent Process (#202)
* [New Rule] Suspicious CommandShell Parent Process
* toml linted
* Update execution_command_shell_started_by_unusual_process.toml
* Update execution_command_shell_started_by_unusual_process.toml
* Update execution_command_shell_started_by_unusual_process.toml
* Update execution_command_shell_started_by_unusual_process.toml
* Update execution_command_shell_started_by_unusual_process.toml
* Update rules/windows/execution_command_shell_started_by_unusual_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/execution_command_shell_started_by_unusual_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/execution_command_shell_started_by_unusual_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/execution_command_shell_started_by_unusual_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update execution_command_shell_started_by_unusual_process.toml
* Update execution_command_shell_started_by_unusual_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-28 23:15:26 +02:00
Justin Ibarra
065bcd8018
Refresh ATT&CK data to v7.2 and expand threat validation (#330)
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
2020-09-23 22:03:29 -08:00
Samirbous
87e1c92011
[New Rule] Unusual System Virtual Process Child Program (#181)
* [New Rule] Unusual System Virtual Process Child Program
* Update defense_evasion_unusual_system_vp_child_program.toml
* Update defense_evasion_unusual_system_vp_child_program.toml
* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 22:45:50 +02:00
Samirbous
431dcc17a4
[New Rule] Remote File Download via Desktopimgdownldr Utility (#249)
* [New Rule] Remote File Download via Desktopimgdownldr Utility
* Update command_and_control_remote_file_copy_desktopimgdownldr.toml
* Update rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Lint rule
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 22:41:26 +02:00
Samirbous
9d884b6452
[New Rule] Potential DLL SideLoading via Trusted Microsoft Programs (#253)
* [New Rule] Potential DLL SideLoading via Trusted Microsoft Programs
* Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update defense_evasion_execution_suspicious_explorer_winword.toml
* Update defense_evasion_execution_suspicious_explorer_winword.toml
* Added 2 more known vulnerable programs: Dism.exe and w3wp.exe
* Update defense_evasion_execution_suspicious_explorer_winword.toml
* linted
* Update rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 22:39:35 +02:00
Samirbous
e2a0172d7d
[New Rule] Remote File Download via MpCmdRun (#247)
* [New Rule] Remote File Download via MpCmdRun
* added ref
* Update command_and_control_remote_file_copy_mpcmdrun.toml
* Update command_and_control_remote_file_copy_mpcmdrun.toml
* Update command_and_control_remote_file_copy_mpcmdrun.toml
* Update rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Update rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* Update rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-09-22 14:44:48 +02:00
Samirbous
f750b89201
[New Rule] Remote File Copy via TeamViewer (#241)
* [New Rule] Remote File Copy via TeamViewer
* Update command_and_control_teamviewer_remote_file_copy.toml
* Update command_and_control_teamviewer_remote_file_copy.toml
* Update rules/windows/command_and_control_teamviewer_remote_file_copy.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:43:32 +02:00
Samirbous
c2e95a35dc
[New Rule] Evasion via Renamed AutoIt Scripts Interpreter (#234)
* [New Rule] Evasion via Renamed AutoIt Scripts Interpreter
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update defense_evasion_masquerading_renamed_autoit.toml
* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:39:04 +02:00
Samirbous
4948582d7c
[New Rule] Mimikatz Memssp Logs File Detected (#228)
* [New Rule] Mimikatz Memssp Logs File Detected
* Update rules/windows/credential_access_mimikatz_memssp_default_logs.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_mimikatz_memssp_default_logs.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:37:40 +02:00
Samirbous
69b2f9f645
[New Rule] Code Injection - Suspicious Conhost Child Process (#226)
* [New Rule] Code Injection - Suspicious Conhost Child Process
* Update rules/windows/defense_evasion_code_injection_conhost.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_code_injection_conhost.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
* Update rules/windows/defense_evasion_code_injection_conhost.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:35:56 +02:00
Samirbous
d43f814c19
[New Rule] Suspicious Elastic Endpoint Parent Process (#214)
* [New Rule] Suspicious Elastic Endpoint Parent Process
* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml
* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml
* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml
* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 14:34:11 +02:00
Samirbous
42247efc3b
[New Rule] Suspicious WerFault Child Process (#212)
* [New Rule] Suspicious WerFault Child Process
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* linted
* Update defense_evasion_masquerading_suspicious_werfault_childproc.toml
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-09-22 14:32:04 +02:00
Samirbous
96992b3ae6
[New Rule] Potential Process Masquerading as WerFault (#210)
* [New Rule] Potential Process Masquerading as WerFault
* Update defense_evasion_masquerading_werfault.toml
* Update defense_evasion_masquerading_werfault.toml
* Update defense_evasion_masquerading_werfault.toml
* Update defense_evasion_masquerading_werfault.toml
* Update defense_evasion_masquerading_werfault.toml
* Update rules/windows/defense_evasion_masquerading_werfault.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_werfault.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_werfault.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_werfault.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_werfault.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_werfault.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_werfault.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:30:34 +02:00
Samirbous
52b6657d09
[New Rule] Suspicious .Net Compiler Parent Process ( #208 )
...
* [New Rule] Suspicious dotNet Compiler Parent Process
* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/execution_suspicious_dotnet_compiler_parent_process.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 14:28:41 +02:00
Samirbous
ae13adf0a9
[New Rule] Suspicious managed code hosting process ( #204 )
...
* [New Rule] Suspicious managed code hosting process
* Update defense_evasion_suspicious_managedcode_host_process.toml
* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update defense_evasion_suspicious_managedcode_host_process.toml
* Update rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:27:03 +02:00
Samirbous
3890a90135
[Rule Tuning] Unusual Parent-Child Relationship ( #185 )
...
* [Rule Tuning] Unusual Parent-Child Relationship
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
* Update privilege_escalation_unusual_parentchild_relationship.toml
2020-09-22 14:25:27 +02:00
Samirbous
601a5a1e5b
[New Rule] - Executable File Created by a System Critical Process ( #183 )
...
* Unusual Executable File Creation by a System Critical Process
* Update defense_evasion_system_critical_proc_abnormal_file_activity.toml
* Update rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update defense_evasion_system_critical_proc_abnormal_file_activity.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-09-22 14:23:37 +02:00
Samirbous
2ce8c2833f
[New Rule] Microsoft IIS Service Account Password Dumped ( #167 )
...
* [New Rule] Microsoft IIS Service Account Password Dumped
* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Linted
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-09-22 13:58:57 +02:00