56bc91cc70
Create google_workspace_admin_role_deletion.toml ( #561 )
2020-11-18 09:15:53 -07:00
10d4e5d8c9
[New Rule] Google Workspace Role Modified ( #556 )
...
* Create persistence_google_workspace_role_modified.toml
* fix tpyo 🙃
2020-11-18 09:13:44 -07:00
acf8102607
Create persistence_google_workspace_custom_admin_role_created.toml ( #555 )
2020-11-18 09:10:50 -07:00
72fee8d16f
Create persistence_google_workspace_admin_role_assigned_to_user.toml ( #554 )
2020-11-18 09:07:39 -07:00
78b8d5c761
new-rule-mfa-disabled-for-google-workspace-organization ( #553 )
2020-11-18 09:05:07 -07:00
6aca322cfd
[New Rule] Google Workspace Password Policy Modified ( #552 )
...
* new-rule-google-workspace-policy-modified
* lint rule
2020-11-18 09:02:59 -07:00
f11e9f8302
[New Rule] Administrator Role Assigned to Okta User ( #489 )
...
* Create persistence_administrator_role_assigned_to_okta_user.toml
* set maturity to production
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Reorder references to put the most relevant at the top
* tweak rule name
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-11-18 08:59:23 -07:00
eb487f9433
[New Rule] Timestomping using Touch Command ( #463 )
...
* [New Rule] Timestomping using Touch Command
* Update defense_evasion_timestomp_touch.toml
* added macOS tag
* Update rules/linux/defense_evasion_timestomp_touch.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-11-17 23:29:47 +01:00
abea5d0779
[New Rule] Prompt for Credentials with OSASCRIPT ( #540 )
2020-11-17 22:25:40 +01:00
4547ee3750
[New Rule] Suspicious Execution - Short Program Name ( #536 )
...
* [New Rule] Suspicious Execution - Short Program Name
* Update rules/windows/execution_suspicious_short_program_name.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-11-17 21:27:37 +01:00
4741f70fad
[New Rule] Potential Remote Desktop Tunneling Detected ( #374 )
...
* [New Rule] Remote Desktop Tunneling using SSH Plink Utility
* Update lateral_movement_rdp_tunnel_plink.toml
* Update lateral_movement_rdp_tunnel_plink.toml
* changed tags
* expanded condition to more than plink
there are other SSH utilities that can be used as Plink thus removed the process original filename condition and added mandatory switches such as -L -P and -R.
* Update lateral_movement_rdp_tunnel_plink.toml
* more args options
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-11-17 21:25:48 +01:00
14e36c2693
[New Rule] Security Software Discovery using WMIC ( #387 )
...
* [New Rule] Security Software Discovery using WMIC
* added tags
* adjusted args for performance
avoiding leading wildcard in process args
* Update discovery_security_software_wmic.toml
* Update discovery_security_software_wmic.toml
* Update discovery_security_software_wmic.toml
* Update rules/windows/discovery_security_software_wmic.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/discovery_security_software_wmic.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-11-17 21:23:28 +01:00
ba4b8bc3e3
[New Rule] UAC Bypass via Elevated COM IEinstall ( #450 )
...
* [New Rule] Bypass UAC via Elevated COM Internet Explorer Add-on Installer
* Linted
* Update privilege_escalation_uac_bypass_com_ieinstal.toml
* adjusted executable path for better performance
* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-11-17 21:21:15 +01:00
3af915ff49
[New Rule] Suspicious Cmd Execution via WMI ( #389 )
...
* [New Rule] Suspicious Cmd Execution via WMI
* Update lateral_movement_suspicious_cmd_wmi.toml
* Update lateral_movement_suspicious_cmd_wmi.toml
* expanded process args for more coverage
* Update rules/windows/lateral_movement_suspicious_cmd_wmi.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-11-17 21:19:30 +01:00
9d3395f9e3
Create okta_attempt_to_delete_okta_application.toml ( #497 )
2020-11-17 08:53:59 -07:00
58e54f40e3
Create okta_attempt_to_deactivate_okta_application.toml ( #496 )
2020-11-17 08:51:51 -07:00
768069a8bc
[New Rule] Attempt to Modify an Okta Application ( #495 )
...
* Create okta_attempt_to_modify_okta_application.toml
* add reference
2020-11-17 08:49:02 -07:00
88b8bca929
Create persistence_google_workspace_api_access_granted_via_domain_wide_delegation_of_authority.toml ( #530 )
2020-11-17 08:44:37 -07:00
f87f2a46f4
[Rule Tuning] Remove all rule timelines ( #466 )
2020-11-03 09:51:53 -09:00
da64bacac1
[Rule Tuning] Add timeline_title to rules with timeline IDs defined ( #452 )
2020-11-02 14:12:20 -09:00
9838d3d2f7
[Rule Tuning] Remove duplicate rules after EQL conversion ( #436 )
...
* [Rule Tuning] Remove duplicate rules after EQL conversion
* Update defense_evasion_rundll32_sequence.toml
* swap msxsl rules
2020-10-30 15:49:28 -04:00
a575cf9ff3
[Rule Tuning] Use cidrMatch for eql rules checking multiple IPs ( #431 )
2020-10-29 11:06:24 -08:00
fda1e7ef94
Bump zoom rule to production ( #427 )
2020-10-29 11:02:29 -08:00
0d3c35886c
Remove connection type from endpoint network rules ( #426 )
2020-10-28 12:35:34 -08:00
580db2c13e
Add timeline_id to detection rules ( #95 )
...
* Adds timeline_id to all network rules
- Uses the ID for the 'Generic Network Timeline' from Elastic
* Adds timeline_id to all endpoint rules
- Uses the ID for the 'Generic Endpoint Timeline' from Elastic
* Adds timeline_id to all process-oriented rules
- Uses the ID for the 'Generic Process Timeline' from Elastic
* Ran tests and toml-lint
* Bumped 'updated_date'
2020-10-27 13:34:16 -05:00
2065af89b1
[Rule Tuning] Tag Categorization Updates ( #380 )
...
* Add new categorization tags
* Change updated_date to 2020/10/26
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >, @bm11100
2020-10-26 13:50:45 -05:00
2e422f7159
[Rule Tuning] Minor Rule Tweaks for 7.10 ( #400 )
...
* Tweak Rules for 7.10
* Add endpoint index for packetbeat rules
* update unit test to account for Network tag as well
* update modified date, add endpoint tag
* use Host instead of Endpoint
* Update packaging.py
* add v back to changelog url
* Add "tag" comment to get_markdown_rule_info
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2020-10-22 09:07:04 -04:00
0a992d716a
[Rule Tuning] Update EQL rules for 7.10 ( #399 )
...
* update syntax to reflect eql changes
* use more case-insensitivity
* comment out missing fields for winlogbeat compatibility
2020-10-21 12:35:18 -08:00
fd2d36573d
Update logic in rules using fields: process.code_signature.* or process.pe.original_file_name ( #364 )
2020-10-20 15:22:02 -08:00
d3226c72c9
Add test for tactic in rule filename ( #398 )
2020-10-20 14:48:33 -08:00
758e4a2c5b
Add unit tests for rule tags ( #359 )
2020-10-07 19:29:19 -08:00
f34c96f4dc
[Rule Tuning][SECURITY_SOLUTION] rename Endpoint security ( #355 )
2020-10-05 09:55:15 -08:00
0b745c5492
[New Rule] Zoom Meeting with no Passcode ( #292 )
2020-09-30 21:44:45 -08:00
bf202b6b6c
[New Rule] Initial converted EQL rules ( #304 )
...
* 18 converted eql rules (not all prod)
2020-09-30 21:40:55 -08:00
2460333595
[Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays ( #351 )
2020-09-30 16:16:04 -08:00
d094c76534
[New Rule] Suspicious Zoom ChildProcess ( #245 )
2020-09-30 15:46:33 -08:00
5ba848552a
[New Rule] Post Exploitation Public IP Reconnaissance ( #270 )
2020-09-30 15:36:22 -08:00
e753162fe2
[New Rule] Detecting Unsecure Elasticsearch Nodes ( #109 )
2020-09-30 15:34:38 -08:00
1a260536d4
[New Rule] RAR and PowerShell Downloaded from the Internet ( #30 )
2020-09-30 15:32:44 -08:00
faeac00465
[New Rule] Possible FIN7 Command and Control Behavior ( #28 )
2020-09-30 15:26:13 -08:00
d68e4ac7f0
[New Rule] Hosts File Modified ( #25 )
2020-09-30 15:24:07 -08:00
1620559f1f
[New Rule] Halfbaked C2 Beacon ( #23 )
2020-09-30 15:21:33 -08:00
8caf897a73
[New Rule] Cobalt Strike Beacon ( #21 )
2020-09-30 14:58:24 -08:00
83fb9bdf93
[Rule Tuning] Update event.code to category ( #349 )
2020-09-30 14:34:58 -08:00
cbf465ba01
[New Rule] Kerberos dump using kcc command ( #139 )
...
* [New Rule] Kerberos dump using kcc command
* Delete .gitignore
* Delete vcs.xml
* Delete profiles_settings.xml
* Delete misc.xml
* Delete rules.iml
* Delete modules.xml
* Update credential_access_kerberosdump_kcc.toml
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update credential_access_kerberosdump_kcc.toml
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-30 23:03:44 +02:00
a212008f8c
[Rule Tuning] Remove event.module from rules for compatibility with agent integrations ( #342 )
2020-09-30 09:41:33 -08:00
f15d179a50
[New Rule]- Credential Access - Domain DPAPI Backup key ( #125 )
...
* new rule - credential access
Domain Backup DPAPI Private Keys Access
* Update credential_access_domain_backup_dpapi_private_keys.toml
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Linted
* added an extra reference
* Update rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-29 21:14:07 +02:00
c6519a2474
[New Rule] PrivEsc - Suspicious PrintSpooler FileCreation Activity ( #146 )
...
* [New Rule] PrivEsc - Suspicious PrintSpooler FileCreation Activity
Same rule will detect exploitation behavior of CVE-2020-1048, CVE-2020-1337 and CVE-2020-1300
* Update privilege_escalation_printspooler_service_suspicious_file.toml
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Added references and changed file name to extension as it was closed as bug issue by endpoint dev team
* Update privilege_escalation_printspooler_service_suspicious_file.toml
* Update rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-09-29 21:11:43 +02:00
cccd91bc1a
[New Rule] - Persistence via Update Orchestrator Service Hijack ( #152 )
...
* [New Rule] - Persistence via Update Orchestrator Service Hijack
* Update persistence_via_update_orchestrator_service_hijack.toml
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-29 18:53:05 +02:00
3ec2d92b42
[New Rule] - Potential Secure File Deletion using SDelete utility ( #162 )
...
* [New Rule] - Potential Secure File Deletion using SDelete utility
* Update defense_evasion_sdelete_like_filename_rename.toml
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update defense_evasion_sdelete_like_filename_rename.toml
* Update rules/windows/defense_evasion_sdelete_like_filename_rename.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* linted
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-09-29 18:46:29 +02:00
David French