security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,933 Commits 1 Branch 0 Tags
4eac68bb07c75ebc22bfe93e5c81b35d2c048047
Commit Graph

637 Commits

Author SHA1 Message Date
Jonhnathan 4eac68bb07 [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules (#3549) 
* [Rule Tuning] Tighten up Indexes of Elastic Defend Windows Rules

* Delete test.pkl

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit b47b91b9ec)
 2024-04-01 23:52:07 +00:00
Jonhnathan 9cba1e96e6 [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions (#3505) 
* [Rule Tuning] Replace KQL exceptions for Query DSL Exceptions

* update min_stack

* build out schema in more detail for Filters

* Update detection_rules/rule.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Remove enum for definition

* remove unused import

* remove $state store

* transform state

* add call to super

* add return type hint

* use dataclass metadata

* use Literal type

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

Removed changes from:
- rules/windows/collection_mailbox_export_winlog.toml
- rules/windows/collection_posh_clipboard_capture.toml
- rules/windows/defense_evasion_posh_assembly_load.toml
- rules/windows/defense_evasion_posh_compressed.toml
- rules/windows/discovery_posh_suspicious_api_functions.toml
- rules/windows/discovery_privileged_localgroup_membership.toml
- rules/windows/execution_posh_hacktool_functions.toml
- rules/windows/execution_posh_psreflect.toml
- rules_building_block/collection_posh_compression.toml
- rules_building_block/defense_evasion_powershell_clear_logs_script.toml
- rules_building_block/discovery_posh_generic.toml
- rules_building_block/lateral_movement_posh_winrm_activity.toml

(selectively cherry picked from commit 67ca13c1ce)
 2024-04-01 20:52:24 +00:00
Jonhnathan 24d4cdaf5d [New Rules] Potential PowerShell Pass-the-Hash/Relay Script (#3543) 
* [New Rules] Potential PowerShell Pass-the-Hash/Relay Script

* Update credential_access_posh_relay_tools.toml

* Update execution_posh_hacktool_functions.toml

* Update credential_access_posh_relay_tools.toml

* Update credential_access_posh_relay_tools.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 218c3bead6)
 2024-03-28 10:15:17 +00:00
Jonhnathan f217aed00d [New Rule] Creation of a DNS-Named Record (#3539) 
* [New Rule] Creation of a DNS-Named Record

* Update credential_access_dnsnode_creation.toml

* Update rules/windows/credential_access_dnsnode_creation.toml

(cherry picked from commit 954a93c3b4)
 2024-03-27 21:27:49 +00:00
Jonhnathan fff1170ffc [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation (#3535) 
* [New Rule] Potential ADIDNS Poisoning via Wildcard Record Creation

* Update credential_access_adidns_wildcard.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 67e9ebf8e1)
 2024-03-27 13:14:33 +00:00
Samirbous 09b2ff76a9 [New] Suspicious Execution via ScreenConnect (#3541) 
* [New] Suspicious Execution via ScreenConnect

- Suspicious ScreenConnect Client Child Process (limited to known suspicious patterns)
- ScreenConnect Server Spawning Suspicious Processes (webshell access via ScreenConnect server)

* Update command_and_control_screenconnect_childproc.toml

* Update rules/windows/initial_access_webshell_screenconnect_server.toml

* Update rules/windows/command_and_control_screenconnect_childproc.toml

* Update rules/windows/command_and_control_screenconnect_childproc.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update command_and_control_screenconnect_childproc.toml

* Update command_and_control_screenconnect_childproc.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit d7aff43621)
 2024-03-27 12:01:14 +00:00
ALEXANDER MA COTE 28b6e2c042 fix typo in lateral_movement_remote_services.toml (#3538) 
(cherry picked from commit 138447221f)
 2024-03-27 10:45:46 +00:00
Ruben Groenewoud 155ac20303 [Rule Tuning] Scheduled Task Activity via pwsh (#3534) 
(cherry picked from commit 760b99bcc1)
 2024-03-26 13:52:17 +00:00
Samirbous 9fa3292200 [New] Suspicious JetBrains TeamCity Child Process (#3532) 
* [New] Suspicious JetBrains TeamCity  Child Process

* Update initial_access_exploit_jetbrains_teamcity.toml

* Update initial_access_exploit_jetbrains_teamcity.toml

* Update initial_access_exploit_jetbrains_teamcity.toml

* Update initial_access_exploit_jetbrains_teamcity.toml

(cherry picked from commit fc76a8bcb5)
 2024-03-25 16:39:58 +00:00
Jonhnathan 7f3799319d [New Rules] Veeam Credential Access DRs (#3516) 
* [New Rules] Veeam Credential Access DRs

* bump

* Update credential_access_veeam_commands.toml

* Update credential_access_veeam_backup_dll_imageload.toml

* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Update credential_access_veeam_commands.toml

* Update rules/windows/credential_access_veeam_backup_dll_imageload.toml

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 779fa7710d)
 2024-03-21 13:08:44 +00:00
Jonhnathan b43003c3f1 [Rule Tuning] Improve Compatibility in WIndows Detection Rules - Part 1 (#3501) 
* Initial commit

* Date bump

(cherry picked from commit f5254f3b5e)
 2024-03-13 13:32:43 +00:00
Jonhnathan b1989a921b [Security Content] Small tweaks on the setup guides (#3308) 
* [Security Content] Small tweaks on the setup guides

* Additional Fixes

* Avoid touching deprecated rules

Removed changes from:
- rules/integrations/beaconing/command_and_control_beaconing.toml
- rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml
- rules/linux/discovery_process_capabilities.toml
- rules/linux/privilege_escalation_dac_permissions.toml
- rules/linux/privilege_escalation_enlightenment_window_manager.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_elevation.toml
- rules/linux/privilege_escalation_gdb_sys_ptrace_netcon.toml
- rules/linux/privilege_escalation_suspicious_chown_fowner_elevation.toml
- rules/linux/privilege_escalation_suspicious_uid_guid_elevation.toml
- rules_building_block/discovery_capnetraw_capability.toml
- rules_building_block/persistence_cap_sys_admin_added_to_new_binary.toml

(selectively cherry picked from commit 458e67918a)
 2024-03-11 12:14:53 +00:00
Jonhnathan 5cec5b7f31 [Rule Tuning] DR Performance-Poor Rules (#3399) 
* [Rule Tuning] DR Performance

* .

* Update rules/cross-platform/lateral_movement_remote_file_creation_in_sensitive_directory.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/persistence_registry_uncommon.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml

* Update lateral_movement_remote_file_creation_in_sensitive_directory.toml

* Update persistence_startup_folder_scripts.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit edf4da8526)
 2024-03-11 11:55:35 +00:00
sbousseaden fc6c50418b [Tuning] Tuning Windows - 3 Rules (#3388) 
* Update privilege_escalation_newcreds_logon_rare_process.toml

* Update privilege_escalation_make_token_local.toml

* Update privilege_escalation_make_token_local.toml

* Update privilege_escalation_create_process_with_token_unpriv.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 853e18950f)
 2024-02-20 16:01:23 +00:00
Samirbous 1192e62006 [New] Suspicious Execution from INET Cache (#3445) 
* Create initial_access_execution_from_inetcache.toml

* Update initial_access_execution_from_inetcache.toml

(cherry picked from commit 4809de6584)
 2024-02-15 19:19:02 +00:00
Jonhnathan 9577e2a4d8 [Rule Tuning] Windows BBR Tuning - 5 (#3385) 
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 97e49795ab)
 2024-02-14 13:27:51 +00:00
Jonhnathan adcf721ae3 [Rule Tuning] Windows BBR Tuning - 2 (#3381) 
* [Rule Tuning] Windows BBR Tuning - 2

* Update defense_evasion_masquerading_windows_system32_exe.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit ae00f30574)
 2024-02-14 13:03:13 +00:00
Jonhnathan d8dfbeade4 [Rule Tuning] Suspicious Antimalware Scan Interface DLL (#3432) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 21b559c97f)
 2024-02-08 09:31:50 +00:00
Samirbous 3a3245f872 Update lateral_movement_remote_task_creation_winlog.toml (#3419) 
(cherry picked from commit 6906a27c3a)
 2024-02-05 18:41:20 +00:00
Jonhnathan 59bb8e5ce0 [Rule Tuning] Windows BBR Tuning - 1 (#3380) 
* [Rule Tuning] Windows BBR Tuning - 1

* .

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit 8274f9a816)
 2024-02-05 15:52:27 +00:00
Jonhnathan f58d793dca [Rule Tuning] Startup or Run Key Registry Modification (#3367) 
(cherry picked from commit edd3556b63)
 2024-02-05 15:33:05 +00:00
Samirbous 509ba1bf06 [New] Potential Enumeration via Active Directory Web Service (#3416) 
* Create discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

* Update discovery_active_directory_webservice.toml

(cherry picked from commit 5a68ccfd0d)
 2024-02-02 14:24:18 +00:00
Jonhnathan e626ee0a2b [Rule Tuning] Potential Modification of Accessibility Binaries (#3401) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 50df6f3e9b)
 2024-02-01 14:31:32 +00:00
Samirbous 74182d5dfa [Tuning] DCSync Rules - 4662 event.action (#3410) 
* Update credential_access_dcsync_newterm_subjectuser.toml

* Update credential_access_dcsync_replication_rights.toml

(cherry picked from commit d7f4d7972e)
 2024-01-30 11:48:19 +00:00
Jonhnathan d121e74a3e [Rule Tuning] Windows DR Tuning - 15 (#3377) 
* [Rule Tuning] Windows DR Tuning - 15

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update privilege_escalation_windows_service_via_unusual_client.toml

* Update defense_evasion_msbuild_making_network_connections.toml

(cherry picked from commit 92804343bc)
 2024-01-23 19:53:28 +00:00
Jonhnathan 9f18adfdb1 [Rule Tuning] Direct Outbound SMB Connection (#3400) 
* [Rule Tuning] Direct Outbound SMB Connection

* Update lateral_movement_direct_outbound_smb_connection.toml

(cherry picked from commit e33389b2ef)
 2024-01-23 18:38:50 +00:00
Jonhnathan 4c9a6b1dcc [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux (#3398) 
* [Rule Tuning] Host Files System Changes via Windows Subsystem for Linux

* Update defense_evasion_wsl_filesystem.toml

(cherry picked from commit e0bdb59deb)
 2024-01-22 21:52:44 +00:00
Terrance DeJesus 869988c20f [Rule Tuning] Update timestamp_override Unit Tests and Fix Rules Missing Field (#3368) 
* updated timestamp override unit test; fixed rules missing this field

* fixed flake error

* simplified and consolidated logic

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* Update tests/test_all_rules.py

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

* added comments

* updated logic; added comments; removed unused variables

* removed custom python script

* updated dates

* removed deprecated rule change

* updated dates

---------

Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>

Removed changes from:
- rules/integrations/beaconing/command_and_control_beaconing.toml
- rules/integrations/beaconing/command_and_control_beaconing_high_confidence.toml

(selectively cherry picked from commit 1c10c37468)
 2024-01-17 19:19:45 +00:00
Jonhnathan 11c929f019 [Rule Tuning] Windows DR Tuning - 12 (#3364) 
(cherry picked from commit f6ba12a700)
 2024-01-17 16:24:02 +00:00
sbousseaden c6725b5642 [Tuning] Add logs-system. index where applicable (#3390) 
* Update discovery_adfind_command_activity.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_tokenmanip_sedebugpriv_enabled.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update initial_access_suspicious_ms_office_child_process.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update initial_access_suspicious_ms_exchange_process.toml

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update execution_from_unusual_path_cmdline.toml

* Update execution_enumeration_via_wmiprvse.toml

* Update execution_command_shell_started_by_svchost.toml

* Update discovery_enumerating_domain_trusts_via_nltest.toml

* Update discovery_enumerating_domain_trusts_via_dsquery.toml

* Update defense_evasion_workfolders_control_execution.toml

* Update defense_evasion_iis_httplogging_disabled.toml

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* Update defense_evasion_disabling_windows_logs.toml

* Update credential_access_wireless_creds_dumping.toml

* Update credential_access_iis_apppoolsa_pwd_appcmd.toml

* Update credential_access_iis_connectionstrings_dumping.toml

* Update command_and_control_remote_file_copy_desktopimgdownldr.toml

* Update command_and_control_remote_file_copy_mpcmdrun.toml

* Update command_and_control_dns_tunneling_nslookup.toml

* Update persistence_webshell_detection.toml

* Update persistence_via_xp_cmdshell_mssql_stored_procedure.toml

* Update privilege_escalation_named_pipe_impersonation.toml

* Update command_and_control_certreq_postdata.toml

* Update defense_evasion_suspicious_certutil_commands.toml

* Update defense_evasion_disable_windows_firewall_rules_with_netsh.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update persistence_system_shells_via_services.toml

* Update execution_suspicious_cmd_wmi.toml

* Update credential_access_copy_ntds_sam_volshadowcp_cmdline.toml

* Update impact_deleting_backup_catalogs_with_wbadmin.toml

* Update credential_access_dump_registry_hives.toml

* Update defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_code_signing_policy_modification_builtin_tools.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update defense_evasion_execution_control_panel_suspicious_args.toml

* Update execution_apt_solarwinds_backdoor_child_cmd_powershell.toml

* Update defense_evasion_wsl_kalilinux.toml

* Update discovery_adfind_command_activity.toml

* Update initial_access_suspicious_ms_outlook_child_process.toml

* Update privilege_escalation_uac_bypass_diskcleanup_hijack.toml

* Update privilege_escalation_uac_bypass_event_viewer.toml

* Update privilege_escalation_uac_bypass_mock_windir.toml

* Update privilege_escalation_unusual_parentchild_relationship.toml

* Update privilege_escalation_unusual_printspooler_childprocess.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_unusual_dir_ads.toml

* Update defense_evasion_wsl_child_process.toml

* Update defense_evasion_wsl_bash_exec.toml

* Update defense_evasion_wsl_enabled_via_dism.toml

* Update discovery_admin_recon.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update lateral_movement_alternate_creds_pth.toml

* Update persistence_via_windows_management_instrumentation_event_subscription.toml

* Update persistence_via_telemetrycontroller_scheduledtask_hijack.toml

* Update persistence_via_application_shimming.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_execution_lolbas_wuauclt.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update defense_evasion_delete_volume_usn_journal_with_fsutil.toml

* Update rules/windows/defense_evasion_execution_msbuild_started_by_script.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update impact_volume_shadow_copy_deletion_or_resized_via_vssadmin.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update discovery_adfind_command_activity.toml

* Update defense_evasion_execution_msbuild_started_unusal_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

* Update execution_command_shell_started_by_svchost.toml

---------

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit 27262a585b)
 2024-01-17 13:54:51 +00:00
Jonhnathan 91ee5caf94 [Rule Tuning] Windows DR Tuning - 13 (#3369) 
(cherry picked from commit 71cec2a0e1)
 2024-01-17 12:58:32 +00:00
Jonhnathan b1c8876c53 [Rule Tuning] Windows DR Tuning - 10 (#3355) 
* [Rule Tuning] Windows DR Tuning - 10

* Update discovery_whoami_command_activity.toml

(cherry picked from commit c6ab294627)
 2024-01-17 12:49:05 +00:00
Jonhnathan 753578f336 [Rule Tuning] Windows DR Tuning - 14 (#3376) 
* [Rule Tuning] Windows DR Tuning - 14

* Update persistence_suspicious_com_hijack_registry.toml

* Update rules/windows/persistence_webshell_detection.toml

(cherry picked from commit 0469785793)
 2024-01-15 14:20:48 +00:00
Jonhnathan 336dba7d05 [Rule Tuning] Windows DR Tuning - 11 (#3359) 
* [Rule Tuning] Windows DR Tuning - 10

* Update execution_posh_hacktool_functions.toml

* Update impact_backup_file_deletion.toml

(cherry picked from commit caf38fd1b1)
 2024-01-15 14:00:57 +00:00
Jonhnathan d435ab7c44 [Rule Tuning] Windows DR Tuning - 9 (#3354) 
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 724e34ba95)
 2024-01-07 12:56:05 +00:00
Jonhnathan bcef5d74e1 [Rule Tuning] Windows DR Tuning - 8 (#3353) 
* [Rule Tuning] Windows DR Tuning - 8

* Update rules/windows/defense_evasion_unusual_system_vp_child_program.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/defense_evasion_via_filter_manager.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update rules/windows/defense_evasion_via_filter_manager.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

(cherry picked from commit 7b1215ccf1)
 2024-01-03 15:05:15 +00:00
Samirbous 3f8c0295d0 [New] Potential Evasion via Windows Filtering Platform (#3356) 
* Create defense_evasion_windows_filtering_platform.toml

* Update defense_evasion_windows_filtering_platform.toml

* Update defense_evasion_windows_filtering_platform.toml

* Update defense_evasion_windows_filtering_platform.toml

* Update defense_evasion_windows_filtering_platform.toml

* Update rules/windows/defense_evasion_windows_filtering_platform.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* Update defense_evasion_windows_filtering_platform.toml

---------

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

(cherry picked from commit b7e21d8c29)
 2024-01-03 12:54:56 +00:00
Samirbous f3377e1460 [Deprecate] Potential Process Herpaderping Attempt (#3336) 
* Update and rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml

* Rename defense_evasion_potential_processherpaderping.toml to defense_evasion_potential_processherpaderping.toml

* ++

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit 341499a2bc)
 2023-12-19 21:04:33 +00:00
Jonhnathan 1f2ae31f67 [Security Content] Add Windows Investigation Guides (#3257) 
* [Security Content] Add Windows Investigation Guides

* Apply suggestions from code review

Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Joe Peeples <joe.peeples@elastic.co>

(cherry picked from commit 578936d37a)
 2023-12-19 15:43:12 +00:00
Jonhnathan a635222776 [Rule Tuning] Windows DR Tuning - 7 (#3344) 
* [Rule Tuning] Windows Rule Tuning -1

* Update command_and_control_ingress_transfer_bits.toml

(cherry picked from commit 2f468ddcba)
 2023-12-18 17:32:31 +00:00
Samirbous 9f513da1c0 [Tuning] Suspicious Script Object Execution (#3339) 
* Update defense_evasion_suspicious_scrobj_load.toml

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 4b183be124)
 2023-12-14 23:54:28 +00:00
Samirbous 5b8e686583 [Tuning] Remote Scheduled Task Creation (#3337) 
* Update non-ecs-schema.json
* add timestamp override

---------

Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit 07b952b7bc)
 2023-12-14 23:44:37 +00:00
Justin Ibarra 5d5bb7ed16 [Rule Tuning] Optimize query for Installation of Custom Shim Databases (#3331) 
* [Rule Tuning] Optimize query for Installation of Custom Shim Databases
* add timestamp override
* update query exceptions
* tighten endpoint index pattern to registry

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit aff7f37b92)
 2023-12-14 22:08:52 +00:00
Justin Ibarra 35589e47a7 [Rule Tuning] Optimize query for Direct Outbound SMB Connection (#3329) 
* [Rule Tuning] Optimize query for Direct Outbound SMB Connection

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

(cherry picked from commit a7b9a61942)
 2023-12-14 18:26:27 +00:00
Samirbous c4b6e810d1 [Tuning] Suspicious Managed Code Hosting Process (#3338) 
* Update defense_evasion_suspicious_managedcode_host_process.toml

* Update defense_evasion_suspicious_managedcode_host_process.toml

(cherry picked from commit 8b2aed4fc0)
 2023-12-14 17:56:43 +00:00
Samirbous 077041fef5 [Tuning] Multiple Logon Failure Followed by Logon Success (#3340) 
* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml

* Update credential_access_bruteforce_multiple_logon_failure_followed_by_success.toml

(cherry picked from commit 727c23e3d2)
 2023-12-14 17:45:47 +00:00
Samirbous 6dad9359c4 [Rule Tuning] Account Password Reset Remotely (#3335) 
* [Rule Tuning] Account Password Reset Remotely

- reduced maxspan from 5 to 1m (automated pwd reset)
- excluded most common noisy winlog.event_data.TargetUserName patterns (service account dedicated for pwd reset en masse)

* Update persistence_remote_password_reset.toml

(cherry picked from commit 7a4f1224dc)
 2023-12-14 17:27:05 +00:00
Jonhnathan c55eb80d2a [Rule Tuning] Windows DR Tuning - 6 (#3246) 
* [Rule Tuning] Windows DR Tuning - 6

* Update defense_evasion_masquerading_as_elastic_endpoint_process.toml

* Update defense_evasion_network_connection_from_windows_binary.toml

---------

Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com>

(cherry picked from commit 6f4c323929)
 2023-12-12 14:42:50 +00:00
Jonhnathan 87f8498b68 [Security Content] Introduce Investigate Plugin in Investigation Guides (#3080) 
* [Security Content] Introduce Investigate Plugin in Investigation Guides
* Add compatibility note
* Update Transform format
* update transform unit tests for investigate
* updated docs with transform

---------

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com>

(cherry picked from commit aeb1f91320)
 2023-12-08 18:59:26 +00:00
Jonhnathan be07759888 [Security Content] Add Windows Investigation Guides (#3095) 
* [Security Content] Add Windows Investigation Guides

* Update defense_evasion_rundll32_no_arguments.toml

* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml

* Update privilege_escalation_posh_token_impersonation.toml

* Apply suggestions from code review

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>

* Update execution_ms_office_written_file.toml

* Update persistence_suspicious_image_load_scheduled_task_ms_office.toml

* Update rules/windows/defense_evasion_rundll32_no_arguments.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/defense_evasion_wsl_enabled_via_dism.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/defense_evasion_wsl_registry_modification.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/defense_evasion_wsl_registry_modification.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/execution_ms_office_written_file.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update rules/windows/persistence_via_wmi_stdregprov_run_services.toml

Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

* Update privilege_escalation_posh_token_impersonation.toml

---------

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com>

(cherry picked from commit eb7c5f6717)
 2023-12-08 14:35:53 +00:00