6177458bd8
Add empty technique array to rules ( #828 )
...
* [Rule Tuning] Add empty arrays in place of tactic only threat mappings
* dynamically insert empty technique array in payload
* use replace_id as function parameter
2021-01-11 08:58:18 -09:00
a0ae05c78e
Fix spelling of Continuous Monitoring ( #795 )
...
* Fix spelling of Continuous Monitoring
* Update the updated_at date
* Happy new year
2021-01-04 15:05:34 -07:00
992eabd6dc
update incomplete bug fix from 736 for 7.11 -> 7.10 downgrade logic
2020-12-18 22:04:19 -09:00
425e0ddf64
Add flattened subtechniques to rule-search ( #739 )
2020-12-18 14:21:37 -09:00
c1a0438f45
[Rule Tuning] Update ATT&CK threat mappings to reflect changes ( #706 )
...
* replaced/removed all revoked/deprecated techniques
* tests will fail on revoked (changed) techniques
* tests will fail on deprecated techniques
* tests will fail when techniques are mapped to an invalid tactic
2020-12-18 12:46:16 -09:00
627610401c
[Rule Tuning] Update rules for new Fleet integrations ( #729 )
...
* update azure indicies
* remove . in index to match prior cloud rules
* update o365 indicies
* add event.dataset:google_workspace.admin to existing google workspace rules
* gcp syntax
* add gcp index
* update gcp index
* update index patterns for google workspace rules
* update gcp index2
* update updated_date
* update event outcome for azure
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-12-18 12:23:12 -05:00
7dcb666d81
Fix 7.11 -> 7.10 ATT&CK downgrade logic for optional techiques ( #736 )
2020-12-18 09:28:05 -07:00
331d321648
Make threat.technique optional ( #727 )
2020-12-17 20:22:59 -09:00
39ab9f14e1
strip trailing slash from kibana_url only if defined
2020-12-16 13:00:20 -09:00
889828d473
[New Rule] SUNBURST Command and Control Activity Detected ( #723 )
...
* bump package version to 7.12
* Auth to Kibana connector using an existing cookie (#711 )
* initial commit
* simplified by any method not to solarwinds.com
* Updates from review
* updated desc and note
* query readability
* update to optimize query to pass unit tests
* optimized
* optimized
* Update command_and_control_sunburst_c2_activity_detected.toml
* Restore package version
* updated rule after rebase
* re-lint
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-15 14:41:54 -06:00
79a5ca9b78
[New Rule] APT Solarwinds Backdoor Behavior - 5 rules ( #722 )
...
* bump package version to 7.12
* Auth to Kibana connector using an existing cookie (#711 )
* [New Rule] APT Solarwinds Bakcdoor Behavior - 3 rules
* ruleID
* fixed process names to include both 32 and 64bits
* fixed process names to include both 32 and 64 bits
* deleted unnecessary condition
* adjusted rule to cover cmd and ps
* renamed rule and fixed tactic
* added rule to SW package - Exporting MailBox with Powershell
* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added details to FP tag as sug by JLB
* added rule New ActiveSync Allowed Device Added via PowerShell to SW pkg
* Update rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* relinted
* adjusted desc and FPs
* adjusted alert name as sug by DevK
* Update collection_email_powershell_exchange_mailbox.toml
* Update collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
* Update rules/windows/collection_email_powershell_exchange_mailbox.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/collection_email_powershell_exchange_mailbox.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* updated registry to include symlink
* Update rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* added T1195 as sug by JLB
* added T1195 as sug by JLB
* added T1195 as sug by JLB
* added pwsh as sug by Dan
* added pwsh as sug by Dan
* [New Rule] Outbound Scheduled Tasks Activity via PowerShell (#725 )
* [New Rule] Outbound Scheduled Tasks Activity via PowerShell
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
* fixed - added pwsh to seq_netblock
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
* Update rules/windows/collection_email_powershell_exchange_mailbox.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Update rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
* Restore packages file
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2020-12-15 21:33:00 +01:00
b6aa6c6548
Auth to Kibana connector using an existing cookie ( #711 )
2020-12-15 13:20:46 -07:00
3042cbb5d6
[New Rule] Outbound Scheduled Tasks Activity via PowerShell ( #725 )
...
* [New Rule] Outbound Scheduled Tasks Activity via PowerShell
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
* fixed - added pwsh to seq_netblock
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/lateral_movement_scheduled_task_powershell_source.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-15 13:20:28 -07:00
c5cae5c437
[New Rule] Azure Active Directory PowerShell Sign-in ( #718 )
...
* Create initial_access_azure_active_directory_powershell_signon.toml
* Apply suggestions from code review
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update initial_access_azure_active_directory_powershell_signin.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-12-15 11:52:43 -05:00
6b31b96bf8
[New Rule] Azure Service Principal Addition ( #717 )
...
* Create defense_evasion_azure_service_principal_addition.toml
* Update defense_evasion_azure_service_principal_addition.toml
* Update rules/azure/defense_evasion_azure_service_principal_addition.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/azure/defense_evasion_azure_service_principal_addition.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* lint
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-12-15 11:47:23 -05:00
84ab3db48c
[New Rule] Azure Application Credential Modification ( #716 )
...
* Create defense_evasion_azure_application_credential_modification.toml
* Update rules/azure/defense_evasion_azure_application_credential_modification.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-12-15 11:41:26 -05:00
a6463b435c
[Rule Tuning] Replace line comments with block comments ( #710 )
2020-12-12 17:11:17 -09:00
7c2abc68d7
[Docs] Update ML_DGA.md ( #707 )
2020-12-09 13:06:35 -09:00
a5cd35f498
AdFind Command Activity ( #395 )
...
* initial commit
* added sub-techniques
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/discovery_adfind_command_activity.toml
* Update rules/windows/discovery_adfind_command_activity.toml
* update threat mapping with sub-techniques
* update technique url
* remove ecs_version
* convert rule to eql
* added sub-techniques
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-12-09 15:01:28 -06:00
66506139d9
[New Rule] Detects Mimikatz via Invoke-Mimikatz ( #700 )
...
* initial commit
* lint
* note updates
* convert to eql and moved to dev
* convert to eql and moved to dev
2020-12-09 14:51:45 -06:00
17cf79d076
[New Rule] Default Cobalt Strike Team Server Certificate ( #358 )
...
* initial commit
* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* updated to include sub-techniques
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-09 14:49:31 -06:00
d5eaf5db53
[New Rule] High Number of Process and/or Services Termination ( #672 )
...
* [New Rule] High Number of Process and/or Services Termination
* removed url and fixed ruleid
* fixed tags
* Update rules/windows/defense_evasion_stop_process_service_threshold.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_stop_process_service_threshold.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
* Update rules/windows/defense_evasion_stop_process_service_threshold.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/defense_evasion_stop_process_service_threshold.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-09 09:00:19 +01:00
14fe63bb1e
[Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process ( #676 )
...
* [Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process
* replaced path with name for faster comparaison
* added few more cases and refurl
also organized items per anomaly category
* added extra refurl plus few excep
* Update execution_suspicious_ms_office_child_process.toml
* added parenthesis
* excluded an FP
2020-12-09 08:55:58 +01:00
e272800a5d
Add ATT&CK sub-technique support to CLI ( #614 )
...
* Add Mitre sub-technique support to CLI
* Add subtechnique enum to schema
* Add test to prevent duplicative tactics in mapping
2020-12-08 21:56:55 -09:00
b8d2f6fc96
[Rule Tuning] Possible Consent Grant Attack via Azure-Registered Application ( #575 )
...
* Update initial_access_consent_grant_attack_via_azure_registered_application.toml
* bump updated_date
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-12-08 17:20:30 -07:00
24828ea9cb
[New Rule] Conversions of some APT-29 Endgame rules ( #702 )
...
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-08 14:13:34 -09:00
598e807a5c
[New Rule] Microsoft 365 Teams Custom Application Interaction Allowed ( #657 )
...
* [New Rule] O365 Teams Custom Application Interaction Allowed
* rebrand to m365, still needed non ecs schema
* Update non-ecs-schema.json
2020-12-08 17:36:47 -05:00
0ed1e1df71
Add support to validate against dev ECS and beats schemas ( #691 )
2020-12-08 13:29:56 -09:00
73e2690ec0
[New Rule] Potential Password Spraying of Microsoft 365 User Accounts ( #665 )
...
* [New Rule] Potential Password Spraying of O365 User Accounts
* Update credential_access_o365_potential_password_spraying_attack.toml
* rebrand to m365
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-12-08 17:19:39 -05:00
200fbe939e
[Bug] Allow duplicative queries across different rule types ( #704 )
2020-12-08 13:16:59 -09:00
8c92ae7348
Add ATT&CK subtechniques to the schema ( #337 )
...
* Add ATT&CK subtechniques to the schema
* Switch subtechniques to the 7.11 schema
* Make technique still required
* Lint fixes
* Cleanup EQL constant
* Trim more cruft
* Restore EQL for 710
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-12-08 14:57:30 -07:00
d74b41c1a0
[New Rule] Microsoft 365 Teams External Access Enabled ( #661 )
...
* [New Rule] O365 Teams External Access Enabled
* rebrand to m365, still needed non ecs schema
* update description
* remove non ecs change
2020-12-08 16:48:15 -05:00
6bfe5d3dd8
[New Rule] Microsoft 365 Teams Guest Access Enabled ( #601 )
...
* [New Rule] O365 Teams Guest Access Enabled
* rebrand to m365, still needed non ecs schema
* remove non ecs schma change
2020-12-08 16:44:15 -05:00
6a296c64c5
[New Rule] Microsoft 365 Exchange DKIM Signing Configuration Disabled ( #578 )
...
* [New Rule] O365 Exchange DKIM Signing Configuration Disabled
* rebrand to m365
* still req non ecs schema
* Remove the ECS override
* Update _flatten_schema logic
* Allow fields with * in the path
* Allow explicit fields to overwrite implicit * fields
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
2020-12-08 16:38:00 -05:00
94e8fa80bb
[Rule Tuning] Suspicious Endpoint Security Parent Process ( #509 )
...
* [Rule Tuning] added FPs and converted to EQL for more flexibilty
* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
* adjusted process names in scope to security agents
* eql syntax
* ecs_version
* adjusted format
* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-12-08 22:34:28 +01:00
538aa80bba
[New Rule] Process Termination Followed by Deletion ( #482 )
...
* [New Rule] Process Termination Followed by Deletion
* excluded SoftwareDistrib and WinSxS Folders
* added drive letter for better performance
* excluded signed PE
* eql syntax
* ecs_version
* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* added few more extension as suggested by DanStep
* dropped winlogbeat due to pe.codesign
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-12-08 22:26:11 +01:00
97fa6c62cd
[New Rule] Remote File Download via Powershell ( #660 )
...
* [New Rule] Remote File Download via Powershell
* new line
* eql syntax
* ecs_version
* added google related FPs
* Update rules/windows/command_and_control_remote_file_copy_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/command_and_control_remote_file_copy_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/command_and_control_remote_file_copy_powershell.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/command_and_control_remote_file_copy_powershell.toml
Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com >
* Update rules/windows/command_and_control_remote_file_copy_powershell.toml
Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com >
* relint
* ecs_version removed
* replaced path with name to avoid FPs for users temp folder
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com >
2020-12-08 21:28:28 +01:00
9792d967d7
[Rule Tuning] Convert to EQL 5 existing rules ( #414 )
...
* [Rule Tuning] 5 rules
* [Rule Tuning] Converted two IIS CredAccess rules to EQL
* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/evasion_rundll32_no_arguments.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* deleted. rule looks incompatible with endpoint
* fixing units testing error
* Update credential_access_iis_apppoolsa_pwd_appcmd.toml
* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* desc
* fixed tags duplicate
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update defense_evasion_rundll32_no_arguments.toml
* adjusted process args count to 1
adjusted process args count to 1 to account for winlogbeat Windows process creation events 4688 with missing cmdline value (avoid FPs).
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-08 21:07:26 +01:00
afb00d7097
[New Rule] Encoded Executable Stored in the Registry ( #636 )
...
* [New Rule] Encoded Executable Stored in the Registry
* eql syntax
* ecs_version
* Update rules/windows/defense_evasion_hide_encoded_executable_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/defense_evasion_hide_encoded_executable_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-08 20:51:14 +01:00
19e0de3bed
[New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I ( #573 )
...
* [New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I
* added Execution of Persistent Suspicious Program
reworked a bit and converted Endgame rule with ID d3ffda1a-690f-43e2-89fb-f8d67b99b16b Execution of Persistent Scripts
* increased 1m the maxspan
to cover also slow startup
* fixed regsvr32 pe ofn
* adjust format
* fixed process.args
* added more suspicious COM hijack options
added also URL for reference
* fixed key.path and added ScriptletURL
* Update persistence_runtime_run_key_startup_susp_procs.toml
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* fixed error
* fixed error
* formating
* formating
* formatting
* replaced process name with path
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version and optimz and refurl
* Update rules/windows/persistence_appinitdlls_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/persistence_services_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* duplicated registry hive instead of leading wildcard
* duplicated registry hive instead of leading wildcard
* Update rules/windows/persistence_appcertdlls_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_appinitdlls_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_run_key_and_startup_broad.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_run_key_and_startup_broad.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_startup_folder_scripts.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_startup_folder_scripts.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_via_lsa_security_support_provider_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_via_lsa_security_support_provider_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* lowered maxspan to avoid FPs
* removed cmd to avoid FPs
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/persistence_appcertdlls_registry.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/persistence_appinitdlls_registry.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/persistence_appinitdlls_registry.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-12-08 20:35:18 +01:00
16a49b3278
[New Rule] Windows Script Executing a Process via WMI ( #643 )
...
* [New Rule] Windows Script Executing a Process via WMI
* Update execution_scripts_process_started_via_wmi.toml
* Update execution_scripts_process_started_via_wmi.toml
* Update rules/windows/execution_scripts_process_started_via_wmi.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/execution_scripts_process_started_via_wmi.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/execution_scripts_process_started_via_wmi.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* increased maxspan
* eql syntax
* deleted ecs_version
* Update rules/windows/execution_scripts_process_started_via_wmi.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/execution_scripts_process_started_via_wmi.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/execution_scripts_process_started_via_wmi.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-12-08 19:23:48 +01:00
b98f5d4042
[New Rule] Launch Agent Creation or Modification followed by Loading ( #696 )
...
* [New Rule] Launch Agent Creation or Modification
* replaced file event with a sequence for precision
* fixed nice error in query
* Update rules/macos/persistence_creation_change_launch_agents_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/persistence_creation_change_launch_agents_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* replaced : with ==
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2020-12-08 19:08:16 +01:00
5483712805
[New Rule] Lolbas ImageLoad via Windows Update Client ( #366 )
...
* [New Rule] Lolbas ImageLoad via Windows Update Client
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update defense_evasion_execution_lolbas_wuauclt.toml
* removed timeline_id
* new eql synthax
* Update defense_evasion_execution_lolbas_wuauclt.toml
* ecs_version
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* removed new lines
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
* deleted ecs_version
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com >
2020-12-08 18:54:09 +01:00
1c2166b23f
[New Rule] - Execution from Unusual Directory ( #433 )
...
* [New Rule] - Execution from Unusual Directory
* adjusted lint
* Update execution_from_unusual_directory.toml
* small tune
* Update execution_from_unusual_directory.toml
* removed timeline_id
* adjusted executable path for better performance
* Update rules/windows/execution_from_unusual_directory.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/execution_from_unusual_directory.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* update date
* Update rules/windows/execution_from_unusual_directory.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* ecs_version
* converted to eql for case insensitivity
* ecs_version
* fixed path
* added extra path
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-12-08 18:46:56 +01:00
e7695f862f
[New Rule] Potential Credential Access with LolBas ( #620 )
...
* [New Rule] Potential Credential Access with LolBas
* typo
* added procdump and steam lolbins
* added cisco Jabber lobas
* eql syntax
* ecs_version
* Update rules/windows/credential_access_lolbas_dump_cmdline.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/credential_access_lolbas_dump_cmdline.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* renamed rule and filename as suggested by DanStep
* adjust name and desc
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-08 17:56:25 +01:00
6bc4a6b9bb
[New Rule] Linux System Log Files Deleted ( #461 )
...
* [New Rule] Linux System Log Files Deleted
* Update defense_evasion_log_files_deleted.toml
* Update rules/linux/defense_evasion_log_files_deleted.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* added linux to rule name as sug by JLB
* ecs_version
* Update rules/linux/defense_evasion_log_files_deleted.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/linux/defense_evasion_log_files_deleted.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/linux/defense_evasion_log_files_deleted.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* adjusted format
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-08 17:34:33 +01:00
c0c369181a
[New Rule] New Port Forwarding Rule Added ( #630 )
...
* [New Rule] New Port Forwarding Rule Added
* fiexed rule file name
* eql syntax
* ecs_version
* Update rules/windows/defense_evasion_port_forwarding_added_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/defense_evasion_port_forwarding_added_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/defense_evasion_port_forwarding_added_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-08 17:32:08 +01:00
35ee818854
[Rule Tuning] Suspicious Process Execution via Renamed PsExec Executable ( #502 )
...
* Converted suspicious execution via psexec to EQL
* adjusted procname
* eql syntax
* ecs_version
2020-12-08 17:27:16 +01:00
63759a4bf4
[New Rule] Lsass Memory Dump Created ( #618 )
...
* [New Rule] Lsass Memory Dump Created
* added Dumpert and AndrewSpecial HKTL default memory dump filenames
* added sqldumper default dmp filename
* added Out-Minidump PS default dump filename
* ecs_version
* crackmap default lsass memdmp
* Update rules/windows/credential_access_lsass_memdump_file_created.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_memdump_file_created.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-08 17:24:51 +01:00
feb79c0304
[New Rule] Suspicious Execution via Scheduled Task ( #584 )
...
* [New Rule] Suspicious Execution via Scheduled Task
* Update persistence_suspicious_scheduled_task_runtime.toml
* Update persistence_suspicious_scheduled_task_runtime.toml
* Update rules/windows/persistence_suspicious_scheduled_task_runtime.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_scheduled_task_runtime.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* relinted
* eql syntax
* ecs_version
* added two susp_paths as suggested by Devon
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2020-12-08 17:20:21 +01:00
Justin Ibarra