Commit Graph

109 Commits

Author SHA1 Message Date
Samirbous 525512fdae [New Rule] Remote File Copy to a Hidden Share (#474)
* [New Rule] Remote File Copy to a Hidden Share

* Update rules/windows/lateral_movement_remote_file_copy_hidden_share.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_remote_file_copy_hidden_share.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-08 16:07:18 +01:00
Samirbous 46d6bc69a2 [New Rule] UAC Bypass via Mocking Windir (#411)
* [New Rule] UAC Bypass via Mocking Windir

* added tags

* changed rule name

* adjusted args for performance

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 15:55:36 +01:00
Samirbous 3040f6103f [New Rule] Suspicious PrintSpooler Point and Print DLL (#641)
* [New Rule] Suspicious PrintSpooler Point and Print DLL

* added example of execution data to the ref

* Update privilege_escalation_printspooler_registry_copyfiles.toml

* Update privilege_escalation_printspooler_registry_copyfiles.toml

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted plus extra ref URL

* eql syntax

* ecs_version

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 15:07:26 +01:00
Samirbous 3fda16db71 [Rule Tuning] Potential Modification of Accessibility Binaries (#546)
* [Rule Tuning] Potential Modification of Accessibility Binaries

* replaced wildcard by in

* indentation more consistent for readability

* eql syntax

* ecs_version
2020-12-08 12:42:34 +01:00
Samirbous d59b2cb72b [New Rule] Persistence with Startup Folder by Unsigned Process (#651)
* [New Rule] Persistence with Startup Folder by Unsigned Process

* new line

* eql syntax

* ecs_version

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* dropped winlogbeat index

pe signature check details missing

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 12:39:44 +01:00
Samirbous 6dc78c4703 [New Rule] Remote File Download via Scripting (#647)
* [New Rule] Remote File Download via Scripting

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* eql syntax

* ecs_version

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* deleted ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 12:37:51 +01:00
Samirbous bb93988926 [Rule Tuning] Unusual Network Connection via RunDLL32 (#693)
* [Rule Tuning] Unusual Network Connection via RunDLL32

* excluding dns traffic

* Update rules/windows/execution_unusual_network_connection_via_rundll32.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 12:01:17 +01:00
Samirbous 3f8a7573f7 [New Rule] Remotely Started Services (#542)
* [New Rule] Remotely Started Services

* added a common FP msiexec

* Update lateral_movement_remote_services.toml

* eql syntax

* Update rules/windows/lateral_movement_remote_services.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update lateral_movement_remote_services.toml

* port numb

* ecs_version

* added RPC to alert name

* Update rules/windows/lateral_movement_remote_services.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 11:31:03 +01:00
Samirbous 0f17ad6839 [New Rule] Incoming Execution with WinRM Remote Shell (#616)
* [New Rule] Incoming Execution with WinRM Remote Shell

* MITRE TID Mapping

removed also unnecessary sequence events

* Update lateral_movement_incoming_winrm_shell_execution.toml

* eql syntax

* ecs_version

* excluding localhost

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 11:28:37 +01:00
Samirbous b477255abe [New Rule] Potential DNS Tunneling with Nslookup (#522)
* [New Rule] Potential DNS Tunneling with Nslookup

* adjusted tags

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* ecs_version

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-07 20:16:17 +01:00
Samirbous 6c37d5c6b4 [New Rule] Potential ProcessHerpaderping Detected (#418)
* [New Rule] Suspicious Execution via File Overwrite

* Update defense_evasion_overwrite_followed_by_execution.toml

* Update defense_evasion_overwrite_followed_by_execution.toml

* removed timeline_id

* fixed logic and also added references URL

* tuned logic to exclude potential FPs

not an actual FP, but the only executable file overwrite observed by default on Windows is related to SoftwareDistribution; this does not match the sequence (Process Execution followed by Same Process File Overwrite) but added it to the exclusion just in case.

* adjusted a bit desc and name

* changed rule file name

* adjusted executable.path for performance

avoiding a leading wildcard; users can customize the rule if they have different drive letters

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* lint

* ecs_version

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* deleted ecs_version

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* changed rule name as per ross sugges

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-07 20:08:12 +01:00
Samirbous af85c27142 [New Rule] Peripheral Device Discovery (#446)
* [New Rule] Peripheral Device Discovery

* removed timeline_id

* adjusted cmdline

* adjusted args for better performance

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-04 20:55:19 +01:00
Samirbous 9460618129 [New Rule ] Incoming DCOM Lateral Movement with MSHTA (#459)
* [New Rule ] Remote Execution via DCOM - MSHTA

* corrected tactic

* removed timeline_id

* added host.id and tightened the netcon clause

* changed rule description and name

* removed parent process names

as a condition it's optional since process.args is explicit.

* Update rules/windows/lateral_movement_dcom_hta.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/lateral_movement_dcom_hta.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* localhost filtering

* Update rules/windows/lateral_movement_dcom_hta.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-04 20:49:54 +01:00
Samirbous 181bbcb8c9 [New Rule] Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindow (#486)
* [New Rule] Remote Execution via DCOM - ShellBrowserWindow or ShellWindows

* adjusted rule description and name

* Update rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* filtering localhost

* Update lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

* eql syntax

* ecs_version

* Update rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted and del ecs_vers

* re-linted

* deleted ecs_version

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-04 17:37:31 +01:00
Samirbous 5c1229cc63 [New Rule] Suspicious Service ImagePath Created (#603)
* [New Rule] Suspicious Service ImagePath Created

* fixed rule name

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* fixed technique name

* Update persistence_suspicious_service_created_registry.toml

* new MITRE mapping not yet supported

* eql syntax

* ecs_version

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-04 17:14:54 +01:00
Samirbous 7775515b55 [New Rule] Privilege Escalation via Named Pipe Impersonation (#605)
* [New Rule] Privilege Escalation via Named Pipe Impersonation

* added a reference url

* fixed PS OFN

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* eql syntax

* ecs_version

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-04 17:05:30 +01:00
Samirbous c7d7bd7fdd [New Rule] Suspicious PowerShell Engine ImageLoad (#559)
* [New Rule] Suspicious PowerShell Engine ImageLoad

* Update rules/windows/defense_evasion_suspicious_powershell_imgload.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* eql syntax

* ecs_version

* Update rules/windows/defense_evasion_suspicious_powershell_imgload.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_powershell_imgload.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-04 16:48:01 +01:00
Samirbous 0eacf484a0 [New Rule] Scheduled Task Created by a Windows Script (#649)
* [New Rule] Scheduled Task Created via Windows Scripts

* added powershell

* Update persistence_local_scheduled_task_scripting.toml

* Update rules/windows/persistence_local_scheduled_task_scripting.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* increased maxspan as per Dan sugg

* eql syntax

* eql syntax

* ecs_version

* Update rules/windows/persistence_local_scheduled_task_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-03 23:10:51 +01:00
Samirbous 41dd58b151 [Rule Tuning] Persistence via TelemetryController Scheduled Task Hijack (#655)
* [Rule Tuning] Persistence via TelemetryController Scheduled Task Hijack

* ecs_version
2020-12-03 22:59:46 +01:00
Samirbous 11041e0012 [New Rule] UAC Bypass via privileged IFileOperation (#416)
* [New Rule] Bypass UAC via privileged IFileOp

* Update privilege_escalation_uac_bypass_dll_sideloading.toml

* Update rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update privilege_escalation_uac_bypass_dll_sideloading.toml

* adjusted file.path for performance

avoiding a leading wildcard; the rule can be customized by users if the default drive letter is different

* new EQL syntax

* Update privilege_escalation_uac_bypass_dll_sideloading.toml

* ecs_version

* removed new lines

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-03 20:43:57 +01:00
Samirbous 54b926a7bf [Rule Tuning] Process Potentially Masquerading as WerFault (#653)
* [Rule Tuning] Process Potentially Masquerading as WerFault

* Update defense_evasion_masquerading_werfault.toml

* converted from kql to eql sequence for more precision

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* relinted

* eql syntax

* ecs_version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-03 20:26:37 +01:00
Justin Ibarra 4b6ad77338 [Rule Tuning] Remove usage of winlog.event_data.OriginalFileName (#667) 2020-12-03 01:00:24 -09:00
Samirbous 3ac232085b [New Rule] Remote Desktop Enabled in Windows Firewall (#368)
* [New Rule] Inbound RDP Enabled

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* changed tags

* expanded args condition

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* adjusted process args

* renamed rule and added equivalent process args

* Update rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* fixing unit test errors

* original file name

* ecs_version

* Update rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-02 21:27:18 +01:00
Samirbous 30cded7a2d [New Rule] Lateral Movement via Startup Folder (#663)
* [New Rule] Lateral Movement via Startup Folder

* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-02 21:22:43 +01:00
Samirbous 3deff0eeb8 [New Rule] Remote Execution via File Shares (#455)
* [New Rule] Remote Execution via File Shares

* removed timeline_id

* fixed tags

* added extension to reduce response time

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-02 21:20:13 +01:00
Samirbous e03f775789 [New Rule] Lateral Executable Transfer Over SMB (#517)
* [New Rule] Lateral Executable Transfer Over SMB

* adjusted maxspan, address and extensions

* changed rule name

* Update rules/windows/lateral_movement_executable_tool_transfer_smb.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* eql syntax

* ecs_version

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-12-02 21:03:31 +01:00
Samirbous e6645a8be9 [Rule Tuning] Clearing or Disabling Windows Event Logs (#393)
* [Rule Tuning] Clearing or Disabling Windows Event Logs

* added tags

* Update defense_evasion_clearing_windows_event_logs.toml

* Update rules/windows/defense_evasion_clearing_windows_event_logs.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* updated the rule update date

* linted

* fixing unit test error

* Update rules/windows/defense_evasion_clearing_windows_event_logs.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
2020-12-02 20:35:35 +01:00
Samirbous db2d17ccb2 [New Rule] Credential Acquisition via Registry Hive Dumping (#607)
* [New Rule] Credential Acquisition via Registry Hive Dumping

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* fixed MITRE technique details

* fixed TID

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update credential_access_dump_registry_hives.toml

* as per Justin's suggestion, case insensitivity is not an issue in 7.11

* Update credential_access_dump_registry_hives.toml

* new MITRE mapping errors

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_dump_registry_hives.toml

* added :

* changed process.args:(a, b) to process.args: a or process.args:b

while testing on 7.10, process.args : (a , b) generates an error

* adjusted query as per JLB and RW suggestion

* eql syntax

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-02 20:31:22 +01:00
Justin Ibarra 97ee8cc9ac Refresh beats and ecs schemas and default to use latest to validate (#570)
* Refresh beats and ecs schemas and default to use latest to validate
* remove incorrect ecs_version from zoom rule
* remove stale ecs_version from rules
2020-12-01 13:24:20 -09:00
Samirbous dc9c63d043 [New Rule] Unusual Svchost ChildProc - ChildLess Services (#370)
* [New Rule] Unusual Svchost ChildProc - ChildLess Services

* changed tags

* changed rule filename

* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* Update rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-01 20:30:03 +01:00
Samirbous 0fe12d2528 [New Rule] Suspicious Explorer Child Process (#430)
* [New Rule] Suspicious Explorer Child Process

* Update execution_via_explorer_suspicious_child_parent_args.toml

* removed timeline_id

* fixed typo

* adjusted args for better performance

* Update rules/windows/execution_via_explorer_suspicious_child_parent_args.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_via_explorer_suspicious_child_parent_args.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* relinted

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-01 00:00:40 +01:00
Ross Wolf 710f4bda10 Add file.extension to SxS .local rule 2020-11-30 15:26:28 -07:00
Samirbous 2465a70dac [New Rule] Execution via local SxS Shared Module (#424)
* [New Rule] Execution via local SxS Shared Module

* Update execution_shared_modules_local_sxs_dll.toml

* Update execution_shared_modules_local_sxs_dll.toml

* added tags

* added drive letter for less performance impact

* Update rules/windows/execution_shared_modules_local_sxs_dll.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_shared_modules_local_sxs_dll.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_shared_modules_local_sxs_dll.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-11-30 23:24:44 +01:00
Samirbous 7138b01001 [New Rule] Potential Command and Control via IEXPLORE (#645)
* [New Rule] Potential Command and Control via IEXPLORE

* Update command_and_control_iexplore_via_com.toml

* Update command_and_control_iexplore_via_com.toml

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_iexplore_via_com.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-30 21:13:30 +01:00
Samirbous 14ef24e9dd [New Rule] Command shell activity started via rundll32 (#391)
* [New Rule] Command shell activity started via rundll32

* added tag

* adjusted parent args for performance

avoid leading wildcard

* filtered a common FP

* Update execution_command_shell_via_rundll32.toml

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_command_shell_via_rundll32.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-11-30 21:02:57 +01:00
Samirbous 52183d78a2 [New Rule] Persistence via Microsoft Outlook VBA (#611)
* [New Rule] Persistence via Microsoft Outlook VBA

* added FPs note and deleted excluded outlook.exe

* Update rules/windows/persistence_ms_outlook_vba_template.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-30 20:57:36 +01:00
Samirbous ba0cc7a055 [New Rule] UAC Bypass via Elevated COM Interface - IEditionUpgradeManager (#422)
* [New Rule] UAC Bypass via Elevated COM Interface - ClipUp

* linted

* Update privilege_escalation_uac_bypass_com_clipup.toml

* added tags

* changed rule name

* adjusted rule for more performance

* Update rules/windows/privilege_escalation_uac_bypass_com_clipup.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_com_clipup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-30 20:26:07 +01:00
Justin Ibarra d0ba03230a [Rule Tuning] Unusual File Modification by dns.exe (#472) 2020-11-30 08:22:27 -09:00
dstepanic17 625b0ec771 [New-Rule] Suspicious WMI Image Load from MS Office (#551)
* image-load-wmi-ms-office

* Update rules/windows/execution_suspicious_image_load_wmi_ms_office.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Resolved linting after suggestion

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-20 08:34:02 -06:00
dstepanic17 517ee0dc03 image-load-sched-task-ms-office (#566) 2020-11-20 07:28:16 -06:00
Samirbous 1ebdcc8248 [New Rule] Suspicious RDP ActiveX Client Loaded (#588)
* [New Rule] Suspicious RDP ActiveX Client Loaded

* added exec from mounted device and UNC

* removed unnecessary exclusion

* Update rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
2020-11-20 10:43:12 +01:00
Samirbous 9d2a74ea1b [New Rule] Connection to Commonly Abused Web Services (#476)
* [New Rule] Connection to Commonly Abused Web Services

* Update command_and_control_common_webservices.toml

* Update rules/windows/command_and_control_common_webservices.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* added notabug.org as suggested by Daniel

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
2020-11-18 23:38:09 +01:00
Samirbous 161ea402fe [New Rule] Kerberos Traffic from Unusual Process (#448)
* [New Rule] Kerberos Traffic from Unusual Process

* removed timeline_id

* adjusted args for better perf

* added potential rare FPs

* Update rules/windows/credential_access_kerberoasting_unusual_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_kerberoasting_unusual_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_kerberoasting_unusual_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/credential_access_kerberoasting_unusual_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-11-18 22:07:49 +01:00
Samirbous 3e7be55a24 [New Rule] UAC Bypass via Windows Firewall Snap-in Hijack (#376)
* [New Rule] Bypass UAC via Windows Firewall Snap-in Hijack

* Delete workspace.xml

* Update privilege_escalation_uac_bypass_winfw_mmc_hijack.toml

* Update privilege_escalation_uac_bypass_winfw_mmc_hijack.toml

* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-18 20:36:59 +01:00
Samirbous 75ed0f8f92 [New Rule] UAC Bypass via ICMLuaUtil Elevated COM interface (#383)
* [New Rule] Bypass UAC via ICMLuaUtil Elevated COM interface

* added tags

* Update privilege_escalation_uac_bypass_com_interface_icmluautil.toml

* adjusted args to avoid leading wildcard

* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* replaced wildcard with In

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-11-18 20:34:10 +01:00
Samirbous 14270a5614 [New Rule] Persistence via MS Office Addins (#381)
* [New Rule] Persistence via MS Office Addins

* Update persistence_ms_office_addins_file.toml

* Update persistence_ms_office_addins_file.toml

* Update persistence_ms_office_addins_file.toml

* Update persistence_ms_office_addins_file.toml

* fixed extension and relaxed file.path

* updated references

* changed leading wildcard for perf

* Update rules/windows/persistence_ms_office_addins_file.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/persistence_ms_office_addins_file.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-18 20:27:01 +01:00
Samirbous 4547ee3750 [New Rule] Suspicious Execution - Short Program Name (#536)
* [New Rule] Suspicious Execution - Short Program Name

* Update rules/windows/execution_suspicious_short_program_name.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:27:37 +01:00
Samirbous 4741f70fad [New Rule] Potential Remote Desktop Tunneling Detected (#374)
* [New Rule] Remote Desktop Tunneling using SSH Plink Utility

* Update lateral_movement_rdp_tunnel_plink.toml

* Update lateral_movement_rdp_tunnel_plink.toml

* changed tags

* expanded condition to more than plink

There are other SSH utilities that can be used like Plink, so the process original filename condition was removed and mandatory switches such as -L, -P and -R were added.

* Update lateral_movement_rdp_tunnel_plink.toml

* more args options

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:25:48 +01:00
Samirbous 14e36c2693 [New Rule] Security Software Discovery using WMIC (#387)
* [New Rule] Security Software Discovery using WMIC

* added tags

* adjusted args for performance

avoiding leading wildcard in process args

* Update discovery_security_software_wmic.toml

* Update discovery_security_software_wmic.toml

* Update discovery_security_software_wmic.toml

* Update rules/windows/discovery_security_software_wmic.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/discovery_security_software_wmic.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:23:28 +01:00
Samirbous ba4b8bc3e3 [New Rule] UAC Bypass via Elevated COM IEinstall (#450)
* [New Rule] Bypass UAC via Elevated COM Internet Explorer Add-on Installer

* Linted

* Update privilege_escalation_uac_bypass_com_ieinstal.toml

* adjusted executable path for better performance

* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-11-17 21:21:15 +01:00