2460333595
[Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays ( #351 )
2020-09-30 16:16:04 -08:00
cbf465ba01
[New Rule] Kerberos dump using kcc command ( #139 )
...
* [New Rule] Kerberos dump using kcc command
* Delete .gitignore
* Delete vcs.xml
* Delete profiles_settings.xml
* Delete misc.xml
* Delete rules.iml
* Delete modules.xml
* Update credential_access_kerberosdump_kcc.toml
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update credential_access_kerberosdump_kcc.toml
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/macos/credential_access_kerberosdump_kcc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update credential_access_kerberosdump_kcc.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-30 23:03:44 +02:00
269925ae2e
[New Rule] - MacOS Keychains compression ( #136 )
...
* macOS Keychains compression
* Update exfiltration_compress_credentials_keychains.toml
* Update exfiltration_compress_credentials_keychains.toml
* Update exfiltration_compress_credentials_keychains.toml
* Update rules/macos/exfiltration_compress_credentials_keychains.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/exfiltration_compress_credentials_keychains.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/exfiltration_compress_credentials_keychains.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update exfiltration_compress_credentials_keychains.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-09-29 10:23:43 +02:00
065bcd8018
Refresh ATT&CK data to v7.2 and expand threat validation ( #330 )
...
* refresh to latest ATT&CK 7.2
* add new unit test to further validate threat mappings
* updated threat mappings in rules to reflect changes
* new func to download and refresh mitre data based on version
2020-09-23 22:03:29 -08:00
3e67e8fada
[New Rule] Remote SSH Login Enabled ( #172 )
...
* [New Rule] Remote SSH Login Enabled
* Update lateral_movement_remote_ssh_login_enabled.toml
* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/lateral_movement_remote_ssh_login_enabled.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-09-22 14:21:20 +02:00
Justin Ibarra