19e0de3bed
[New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I ( #573 )
...
* [New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I
* added Execution of Persistent Suspicious Program
reworked a bit and converted Endgame rule with ID d3ffda1a-690f-43e2-89fb-f8d67b99b16b Execution of Persistent Scripts
* increased 1m the maxspan
to cover also slow startup
* fixed regsvr32 pe ofn
* adjust format
* fixed process.args
* added more suspicious COM hijack options
added also URL for reference
* fixed key.path and added ScriptletURL
* Update persistence_runtime_run_key_startup_susp_procs.toml
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* fixed error
* fixed error
* formating
* formating
* formatting
* replaced process name with path
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version and optimz and refurl
* Update rules/windows/persistence_appinitdlls_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/persistence_services_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* duplicated registry hive instead of leading wildcard
* duplicated registry hive instead of leading wildcard
* Update rules/windows/persistence_appcertdlls_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_appinitdlls_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_run_key_and_startup_broad.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_run_key_and_startup_broad.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_startup_folder_scripts.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_startup_folder_scripts.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_via_lsa_security_support_provider_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/persistence_via_lsa_security_support_provider_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* lowered maxspan to avoid FPs
* removed cmd to avoid FPs
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/persistence_appcertdlls_registry.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/persistence_appinitdlls_registry.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/persistence_appinitdlls_registry.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2020-12-08 20:35:18 +01:00
Justin Ibarra