e8c39d19a7
[Rule Tuning] Missing MITRE ATT&CK Mappings ( #2073 )
...
* initial commit with eggshell mitre mapping added
* adding updated rules
* [Rule Tuning] MITRE for GCP rules
I've added Mitre references for the 4 GCP rules missing. Changed 3 of the rules from "Impact" to "Defense Evasion" based on the technique used and it's matched tactic.
* [Rule Tuning] Endgame Rule name updates for Mitre
Updated Endgame rule names for those with Mitre tactics to match the tactics.
* Update rules/integrations/aws/persistence_redshift_instance_creation.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* Update rules/integrations/aws/exfiltration_rds_snapshot_restored.toml
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* adding 10 updated rules for google_workspace, ml and o365
* adding 22 rule updates for mitre att&ck mappings
* adding 24 rule updates related mainly to ML rules
* adding 3 rules related to detection via ML
* adding adjustments
* adding adjustments with solutions to recent pytest errors
* removed tabs from tags
* adjusted mappings and added techniques
* adjusted endgame rule mappings per review
* adjusted names to match different tactics
* added execution and defense evasion tag
* adjustments to address errors from merging with main
* added newlines to rules missing them at the end of the file
Co-authored-by: imays11 <59296946+imays11@users.noreply.github.com >
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-07-22 14:30:34 -04:00
1276f98a70
[Rule Tuning] Elastic Agent Service Terminated ( #2112 )
2022-07-19 13:33:52 -03:00
a52751494e
2058 add setup field to metadata ( #2061 )
...
* Convert config header to setup in note field
* Parse note field into separate setup and note field with marko gfm
* only validate and parse note on elastic authored rules and add CLI description for new DR_BYPASS_NOTE_VALIDATION_AND_PARSE environment variable
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
2022-07-18 15:41:32 -04:00
7581234fe8
[Rule Tuning] Potential Reverse Shell Activity via Terminal ( #2077 )
...
* adjusted query rule to exclude noisy FPs
* adjusted event.action to be event.type
2022-07-12 22:33:38 -04:00
cdc5c7244a
[New Rule] Elastic Agent Stopped ( #1991 )
...
* new rule for detecting if elastic agent has been stopped
* adjusted query based on feedback; added powershell, taskkill, pskill and processhacker
2022-05-25 13:16:21 -04:00
77966473d1
[Rule tuning] add support for osx, zsh, and expand tampering techniques ( #1974 )
...
* add support for osx, zsh, and expand tampering techniques
* migrate to cross-platform and add macOS tag
2022-05-20 11:10:56 -04:00
c031bb501d
[Rule tuning] SSH Authorized Keys File Modification ( #1955 )
2022-05-09 07:50:27 -08:00
6bdfddac8e
Expand timestamp override tests ( #1907 )
...
* Expand timestamp_override tests
* removed timestamp_override from eql sequence rules
* add config entry for eql rules with beats index and t_o
* add timestamp_override to missing fields
2022-04-01 15:27:08 -08:00
93edc44284
[Rule Tuning] Timeline Templates For Windows and Linux ( #1892 )
...
* added comprehensive file timeline to Hosts File Modified rule
* added Comprehensive Process Timeline to Interactive Terminal Spawned via Python rule
* updated rules to have generic instead of comprehensive
* updated several rules with timeline ID and timeline title values
* changed updated_date for threat intel fleet integrations
* added missing templates to timeline_templates dict in definitions.py
* added comprehensive timeline templates to alerts after definitions.py was updated
* updated rules with comprehensive timeline templates and added min stack comments and versions
* removing timeline template changes which is tracked in #1904
* Update rules/linux/execution_python_tty_shell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Delete Pipfile
Removing pipfile
* Delete Pipfile.lock
deleting pipfile.lock
* Update rules/windows/execution_command_shell_started_by_svchost.toml
updating title
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-04-01 13:44:35 -04:00
1c50f35aed
[Security Content] Update rules based on docs review ( #1803 )
...
* Adds suggestions from security-docs
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2022-03-01 21:39:30 -03:00
dec4243db0
[Rule Tuning] Update rules based on docs review ( #1778 )
...
* Update rules based on docs review
* trivial change to trigger CLA
* undo changes from triggering build
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2022-02-16 07:42:06 -09:00
b1121da237
[Rule Tuning] Fix IM query ( #1767 )
...
* Fix IM quer
* Add update date
2022-02-10 09:30:13 -09:00
97835bc5c5
Move misplaced rule to proper folder ( #1756 )
...
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-02-04 11:35:29 -09:00
72c64de3f5
[Rule tuning] Update rules based on docs review ( #1663 )
...
* [Rule tuning] Update rule verbiage based on docs review
* fix typos
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
* revert TI rule changes since it was deprecated
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com >
2022-01-28 10:41:22 -09:00
87c7210aab
[Rule Tuning] Change default time query for rounding days ( #1713 )
...
* Change default time query for rounding days
* Udpate date
* Revert rule updated_data
* Restore threat_query
2022-01-28 10:34:14 -09:00
9c43151da4
[Deprecate Rule] Threat Intel Filebeat Module (v7.x) Indicator Match ( #1703 )
2022-01-25 16:46:49 -09:00
410d4e5929
[Rule Tuning] Suspicious JAR Child Process ( #1657 )
...
* [Rule Tuning] Suspicious JAR Child Process
Expand rule coverage by removing the process.args containing a jar file requirement which may help detect also exploitation attempt via command injection vulnerabilities on server apps running JAVA.
* Update rules/cross-platform/execution_suspicious_jar_child_process.toml
2021-12-10 16:04:35 -09:00
c619844b0d
[Rule Tuning] Support ECS 1.11 field for IM rule ( #1560 )
...
* Support ecs field for IM rule
* update time interval
* Change additional lookback to 5 minutes
* Add old rule
* Add newline
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Remove im legacy rule
* Udpdate name and description
* Remove min_stack_comment
* Keep 2 IM rule
* add min_stack_comments to rule
* Update rules/cross-platform/threat_intel_indicator_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* adds new rules
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ece Özalp <ozale272@newschool.edu >
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co >
2021-11-30 12:25:42 -06:00
aa219710a1
Fix Windows path causing emoji to be rendered in Kibana ( #1585 )
...
In impact_hosts_file_modified rule, the `note` field contains a Windows
path that causes a confused-face-emoji to be rendered in the
Investigation Guide tab.
Surrounding the path in backticks fixes it.
2021-11-03 11:01:25 -05:00
f47b0f61cc
Change interval and lookback time for IM rule ( #1596 )
2021-11-01 09:27:38 +01:00
ff16832003
[Rule Tuning] Hosts File Modified - add process check for linux ( #1593 )
...
* [Rule Tuning] Hosts File Modified - add process check for linux
* add echo and sed to process names in query
2021-10-28 22:56:34 -05:00
c8cf88cd62
Refresh ECS (1.12.1) and beats (7.15.1) schemas ( #1584 )
...
* Refresh ECS (1.12.1) and beats (7.15.1) schemas
* update ecs to 1.10 for 7.14 stack validation
* add note with reference url
2021-10-28 11:24:28 -05:00
5bdf70e72c
Add min_stack_comments to metadata schema ( #1573 )
...
* Add min_stack_comments to metadata schema
2021-10-19 20:52:53 -08:00
76a0224f60
[New Rule] Virtual Machine Fingerprinting via Grep ( #1510 )
...
* [New Rule] Virtual Machine Fingerprinting via Grep
* format
* Update rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added reference url
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-09-30 20:40:05 +02:00
10a977914b
Add default timestamp condition for threat_query ( #1486 )
2021-09-20 11:19:52 -08:00
9ff3873ee7
[rule-tuning] Adding more context with triage/investigation ( #1481 )
...
* [rule-tuning] Adding more context with triage/investigation
* Adding mimikatz rule
* Fixed updated date on mimikatz rule
* Adding Defender update
* Adding scheduled task
* Adding AdFind
* Adding rare process
* Adding cloudtrail country
* Adding cloudtrail spike
* Adding threat intel
* Fixed minor spelling/syntax
* Fixed minor spelling/syntax p2
* Update rules/cross-platform/threat_intel_module_match.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/ml/ml_rare_process_by_host_windows.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_mimikatz_powershell_module.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Removed MITRE link, added Microsoft
* Update ml_cloudtrail_error_message_spike.toml
* Update ml_cloudtrail_rare_method_by_country.toml
* Update ml_rare_process_by_host_windows.toml
* Update credential_access_mimikatz_powershell_module.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update discovery_adfind_command_activity.toml
* Update lateral_movement_dns_server_overflow.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
* Update defense_evasion_defender_exclusion_via_powershell.toml
* Update lateral_movement_scheduled_task_target.toml
* Update persistence_evasion_registry_startup_shell_folder_modified.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-09-15 20:07:21 -05:00
d31ea6253e
Refresh ATT&CK mappings to v9.0 ( #1401 )
...
* Refresh ATT&CK mappings to v9.0
* Update rules to reflect ATT&CK changes
2021-08-04 14:16:10 -08:00
163d9e3864
Update cardinality field in schema for threshold rules ( #1349 )
...
* Make cardinality array in schema for threshold rules
* update master, 7.12, 7.13, and 7.14 schemas with cardinality fix
* fix 7.12 downgrade to handle cardinality as an array
* Add two new rules to detect agent spoofing
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-07-21 08:32:54 -08:00
6ef5c53b0c
Cleanup note field in rules ( #1194 )
...
* standardize usage of note field
2021-05-10 13:40:56 -08:00
82ec6ac1ee
Convert windows rules from KQL to EQL ( #1114 )
2021-04-30 11:21:12 -08:00
92eaa5b18a
[New Rule] Threat intel indicator match rule ( #1133 )
2021-04-26 07:07:04 -05:00
ff45539369
[Deprecation] Deprecate inherently noisy rules based on testing ( #1122 )
...
* Demote maturity
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2021-04-21 15:10:06 -04:00
00923dcde1
[Rule Tuning] Setuid / Setgid Bit Set via chmod ( #1032 )
...
* [Rule Tuning] Setuid / Setgid Bit Set via chmod
* update date
* Update rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-04-14 16:41:37 +02:00
0ba469dbe4
[Rule Tuning] Modification of Standard Authentication Module or Confi… ( #1056 )
...
* [Rule Tuning] Modification of Standard Authentication Module or Configuration
* update date
2021-04-14 00:36:38 +02:00
3e1169317f
[Rule Tuning] Timestomping using Touch Command ( #1006 )
...
* [Rule Tuning] Timestomping using Touch Command
* removed process_started from event.type
* update date
* Update defense_evasion_timestomp_touch.toml
* lint and resolve conflict
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
2021-03-19 10:26:40 +01:00
04ea1a72c7
[Rule Tuning] Security Software Discovery via Grep ( #994 )
...
* [Rule Tuning] Security Software Discovery via Grep
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-03-18 15:46:26 +01:00
0b65678d8c
[Rule tuning] Correct tags with associated threat mappings ( #1003 )
2021-03-08 14:12:29 -09:00
0e0b2ea1a4
Update schema for threshold rule type for 7.12 ( #976 )
...
* Update schema for threshold rule type for 7.12
* add downgrade function to drop new fields
* update existing threshold rules
2021-03-05 14:35:50 -09:00
3fc34b86f2
Update License to Elastic v2 ( #944 )
2021-03-03 22:12:11 -09:00
645a0cd67b
[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules ( #945 )
...
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
2021-02-17 19:49:58 -09:00
a77bd6178f
Merge remote-tracking branch 'upstream/7.11' into merge-7.11-to-7.12
...
# Conflicts:
# rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
2021-02-17 14:11:50 -09:00
90a9320f93
[Rule Tuning] Remove timestamp_override for endgame-* promotion rules ( #951 )
...
* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
2021-02-17 13:48:57 -09:00
6ce418877f
Merge remote-tracking branch 'upstream/7.12' into merge-7.11-to-7.12
...
# Conflicts:
# etc/version.lock.json
# rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
# rules/cross-platform/impact_hosts_file_modified.toml
# rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
# rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
# rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
# rules/linux/defense_evasion_timestomp_touch.toml
# rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
# rules/macos/credential_access_credentials_keychains.toml
# rules/macos/credential_access_promt_for_pwd_via_osascript.toml
# rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
# rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
# rules/promotions/external_alerts.toml
# rules/windows/collection_email_powershell_exchange_mailbox.toml
# rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
# rules/windows/collection_winrar_encryption.toml
# rules/windows/command_and_control_common_webservices.toml
# rules/windows/command_and_control_encrypted_channel_freesslcert.toml
# rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
# rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
# rules/windows/command_and_control_teamviewer_remote_file_copy.toml
# rules/windows/credential_access_cmdline_dump_tool.toml
# rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
# rules/windows/credential_access_credential_dumping_msbuild.toml
# rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
# rules/windows/credential_access_dump_registry_hives.toml
# rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
# rules/windows/credential_access_iis_connectionstrings_dumping.toml
# rules/windows/credential_access_kerberoasting_unusual_process.toml
# rules/windows/credential_access_lsass_memdump_file_created.toml
# rules/windows/credential_access_mimikatz_memssp_default_logs.toml
# rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
# rules/windows/defense_evasion_clearing_windows_event_logs.toml
# rules/windows/defense_evasion_code_injection_conhost.toml
# rules/windows/defense_evasion_cve_2020_0601.toml
# rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
# rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
# rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
# rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
# rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
# rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
# rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
# rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
# rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
# rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
# rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
# rules/windows/defense_evasion_hide_encoded_executable_registry.toml
# rules/windows/defense_evasion_iis_httplogging_disabled.toml
# rules/windows/defense_evasion_injection_msbuild.toml
# rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
# rules/windows/defense_evasion_masquerading_renamed_autoit.toml
# rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
# rules/windows/defense_evasion_masquerading_trusted_directory.toml
# rules/windows/defense_evasion_modification_of_boot_config.toml
# rules/windows/defense_evasion_port_forwarding_added_registry.toml
# rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
# rules/windows/defense_evasion_sdelete_like_filename_rename.toml
# rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
# rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
# rules/windows/defense_evasion_suspicious_zoom_child_process.toml
# rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
# rules/windows/defense_evasion_unusual_dir_ads.toml
# rules/windows/defense_evasion_unusual_system_vp_child_program.toml
# rules/windows/defense_evasion_via_filter_manager.toml
# rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
# rules/windows/discovery_adfind_command_activity.toml
# rules/windows/discovery_admin_recon.toml
# rules/windows/discovery_file_dir_discovery.toml
# rules/windows/discovery_net_command_system_account.toml
# rules/windows/discovery_net_view.toml
# rules/windows/discovery_peripheral_device.toml
# rules/windows/discovery_process_discovery_via_tasklist_command.toml
# rules/windows/discovery_query_registry_via_reg.toml
# rules/windows/discovery_remote_system_discovery_commands_windows.toml
# rules/windows/discovery_security_software_wmic.toml
# rules/windows/discovery_whoami_command_activity.toml
# rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
# rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
# rules/windows/execution_command_shell_started_by_powershell.toml
# rules/windows/execution_command_shell_started_by_svchost.toml
# rules/windows/execution_command_shell_started_by_unusual_process.toml
# rules/windows/execution_command_shell_via_rundll32.toml
# rules/windows/execution_from_unusual_directory.toml
# rules/windows/execution_from_unusual_path_cmdline.toml
# rules/windows/execution_shared_modules_local_sxs_dll.toml
# rules/windows/execution_suspicious_cmd_wmi.toml
# rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
# rules/windows/execution_suspicious_pdf_reader.toml
# rules/windows/execution_suspicious_powershell_imgload.toml
# rules/windows/execution_suspicious_psexesvc.toml
# rules/windows/execution_suspicious_short_program_name.toml
# rules/windows/execution_via_compiled_html_file.toml
# rules/windows/execution_via_hidden_shell_conhost.toml
# rules/windows/execution_via_net_com_assemblies.toml
# rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
# rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
# rules/windows/initial_access_script_executing_powershell.toml
# rules/windows/initial_access_suspicious_ms_office_child_process.toml
# rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
# rules/windows/initial_access_unusual_dns_service_children.toml
# rules/windows/initial_access_unusual_dns_service_file_writes.toml
# rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
# rules/windows/lateral_movement_execution_from_tsclient_mup.toml
# rules/windows/lateral_movement_local_service_commands.toml
# rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
# rules/windows/lateral_movement_rdp_enabled_registry.toml
# rules/windows/lateral_movement_rdp_tunnel_plink.toml
# rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
# rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
# rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
# rules/windows/persistence_adobe_hijack_persistence.toml
# rules/windows/persistence_appcertdlls_registry.toml
# rules/windows/persistence_appinitdlls_registry.toml
# rules/windows/persistence_evasion_registry_ifeo_injection.toml
# rules/windows/persistence_gpo_schtask_service_creation.toml
# rules/windows/persistence_local_scheduled_task_commands.toml
# rules/windows/persistence_ms_office_addins_file.toml
# rules/windows/persistence_ms_outlook_vba_template.toml
# rules/windows/persistence_priv_escalation_via_accessibility_features.toml
# rules/windows/persistence_registry_uncommon.toml
# rules/windows/persistence_run_key_and_startup_broad.toml
# rules/windows/persistence_services_registry.toml
# rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
# rules/windows/persistence_startup_folder_scripts.toml
# rules/windows/persistence_suspicious_com_hijack_registry.toml
# rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
# rules/windows/persistence_suspicious_scheduled_task_runtime.toml
# rules/windows/persistence_suspicious_service_created_registry.toml
# rules/windows/persistence_system_shells_via_services.toml
# rules/windows/persistence_user_account_creation.toml
# rules/windows/persistence_via_application_shimming.toml
# rules/windows/persistence_via_hidden_run_key_valuename.toml
# rules/windows/persistence_via_lsa_security_support_provider_registry.toml
# rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
# rules/windows/persistence_via_update_orchestrator_service_hijack.toml
# rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
# rules/windows/privilege_escalation_named_pipe_impersonation.toml
# rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
# rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
# rules/windows/privilege_escalation_rogue_windir_environment_var.toml
# rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
# rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
# rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
# rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
# rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
# rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
# rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
# rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
# rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
# rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
2021-02-17 12:18:06 -09:00
61deed3fd2
[Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules ( #948 )
...
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
2021-02-16 10:52:48 -09:00
4e6ff388fc
[Rule Tuning] Feedback from 7.12 Kibana PR ( #942 )
2021-02-11 13:32:58 -09:00
497ddcbb58
[New Rule] Suspicious Python Script Execution via the CommandLine ( #852 )
...
* [New Rule] Suspicious Python Script Execution via the CommandLine
* kql optimz
* Update rules/cross-platform/execution_python_script_in_cmdline.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/cross-platform/execution_python_script_in_cmdline.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* added subtechnique
* Update rules/cross-platform/execution_python_script_in_cmdline.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* converted to eql
* Update rules/cross-platform/execution_python_script_in_cmdline.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* relinted
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-02-10 18:37:03 +01:00
f13e9ce0d0
[New Rule] Shell Profile Modification ( #878 )
...
* [New Rule] Shell Profile Modification
* added auditbeat index
* Update persistence_shell_profile_modification.toml
* excluding noisy processes
* Update rules/cross-platform/persistence_shell_profile_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/cross-platform/persistence_shell_profile_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/cross-platform/persistence_shell_profile_modification.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
* Update rules/cross-platform/persistence_shell_profile_modification.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added note short desc
* Update persistence_shell_profile_modification.toml
* added FPs note
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-02-10 17:44:15 +01:00
7fc5ba1646
[New Rule] Persistence via Cron Tasks ( #867 )
...
* [New Rule] Persistence via Cron Tasks
* Update persistence_cron_jobs_creation_and_runtime.toml
* Update persistence_cron_jobs_creation_and_runtime.toml
* excluded noisy procs and root user
* moved to cross-platform
* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* excluding root user
* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-02-10 10:28:22 +01:00
ddddaf37dc
[New Rule] Sudo Heap-based Buffer Overflow Vulnerability Attempt (CVE-2021-3156) ( #933 )
...
* initial commit
* adjusted title
* Update rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* updates
* optimized
* added ""'s
* typo around "-s"
* added sudo reference
* changed to threshold
* Update rules/cross-platform/privilege_escalation_sudo_buffer_overflow.toml
* re-lint
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-02-09 15:02:04 -06:00
769ced1001
[New Rule] Privilege Elevation via Sudoers File Modification ( #917 )
...
* [New Rule] Privilege Elevation via Sudoers File Modification
* Update privilege_escalation_echo_nopasswd_sudoers.toml
* group args
* Update rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/cross-platform/privilege_escalation_echo_nopasswd_sudoers.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* lint rule
* added subtechnique
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-02-09 21:58:31 +01:00
Terrance DeJesus