1e404cde34
[Suspicious PowerShell Engine ImageLoad] Add Ssms.exe to query exceptions ( #2831 )
...
* Add Ssms.exe to query exceptions
* Changed updated_date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-06-12 16:15:47 -03:00
665bf03ec0
[Rule Tuning] Remote System Discovery Commands ( #2834 )
2023-06-07 14:24:53 -03:00
601788c4df
Added Outlook.exe as a query exception ( #2814 )
...
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-06-06 17:47:25 +01:00
221e756b48
Adjusted exceptions to rule for Nessus ( #2774 )
...
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-06-06 17:39:34 +01:00
05aac4f371
[Security Content] Add Investigation Guides to Windows rules ( #2678 )
...
* [Security Content] Add Investigation Guides to Windows rules
* Update privilege_escalation_service_control_spawned_script_int.toml
* Update execution_reverse_shell_via_named_pipe.toml
* Apply suggestions from code review
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
* Apply suggestions from code review
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
* Update execution_command_prompt_connecting_to_the_internet.toml
---------
Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com >
Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com >
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-05-26 10:25:41 -03:00
0b3f603179
[Rule Tuning] Adding Hidden File Attribute via Attrib ( #2726 )
...
* [New Rule] Adding Hidden File Attribute via Attrib
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-17 10:23:11 -03:00
9f734c2c1f
[Rule Tuning] System Information Discovery via Windows Command Shell ( #2741 )
2023-05-17 09:58:21 -03:00
d017156454
[Rule Tuning] Make Rules Compatible with Windows Forwarded Logs ( #2761 )
...
* [Proposal] [Rule Tuning] Make Intended rules compatible with Windows Forwarded Logs
* Update tests/test_all_rules.py
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
* Update test_all_rules.py
* Update test_all_rules.py
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
2023-05-15 20:31:59 -03:00
6655932190
[Rule Tuning] Startup or Run Key Registry Modification ( #2766 )
...
* [Rule Tuning] Startup or Run Key Registry Modification
* Update persistence_run_key_and_startup_broad.toml
* Apply suggestions from code review
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-05-04 09:42:12 -03:00
d5350ae6e0
[New Rule] Commonly Abused Remote Access Tool Downloaded (New Terms) ( #2685 )
...
* adding initial rule
* changed new terms to host.id
* removed windows integration tag
* removed windows integration tag
* changed rule to be process started related
* rule linted
* updating description
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/command_and_control_new_terms_commonly_abused_rat_execution.toml
* added process.name.caseless to non-ecs.json
* removed host type related to #2761
* added host.os.type
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Colson Wilhoit <48036388+DefSecSentinel@users.noreply.github.com >
2023-05-02 23:09:17 -04:00
2eda02c10e
[Rule Tuning] Multiple Logon Failure from the same Source Address ( #2588 )
...
* Update credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
* Update rules/windows/credential_access_bruteforce_multiple_logon_failure_same_srcip.toml
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-04-24 09:16:17 -03:00
84acf004da
[Rule Tuning] Component Object Model Hijacking ( #2730 )
2023-04-21 18:43:02 -03:00
12d6b49a24
[Rule Tuning] Potential Credential Access via Windows Utilities ( #2727 )
...
* [Rule Tuning] Potential Credential Access via Windows Utilities
* Add system integration index
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-04-21 18:27:44 -03:00
255c53cff0
[Rule Tuning] Connection to Commonly Abused Web Services ( #2728 )
...
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-04-20 18:26:00 -03:00
b1e3215cd5
[Rule Tuning] Tune PowerShell rule FPs related to MS ATP ( #2729 )
2023-04-20 12:37:06 -03:00
fb09208132
[Rule Tuning] Connection to Commonly Abused Web Services ( #2717 )
...
* [Rule Tuning] Connection to Commonly Abused Web Services
* Update command_and_control_common_webservices.toml
2023-04-18 09:15:47 -03:00
16749e45ae
[Rule Tuning] Third-party Backup Files Deleted via Unexpected Process ( #2704 )
...
* [Rule Tuning] Third-party Backup Files Deleted via Unexpected Process
* Update impact_backup_file_deletion.toml
2023-04-11 13:47:52 -03:00
d1aadde671
[Rule Tuning] Suspicious Antimalware Scan Interface DLL ( #2671 ) ( #2672 )
...
* --amend
* --amend
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
2023-04-06 15:15:57 -03:00
1a9b0e732c
[Rule Tuning] Potential PowerShell HackTool Script by Function Names ( #2692 )
2023-04-05 16:48:33 -03:00
eafe54c2cc
[Rule Tuning] Potential LSASS Clone Creation via PssCaptureSnapShot ( #2691 )
2023-04-05 13:28:57 -03:00
5aaac84f3a
[Rule Tuning] Suspicious service was installed in the system ( #2693 )
...
* [Rule Tuning] Suspicious service was installed in the system
* Update persistence_service_windows_service_winlog.toml
2023-04-05 13:23:47 -03:00
0c8d0bfd3d
[New Rule] Suspicious Execution via Microsoft Office Add-Ins ( #2651 )
...
* Create
* Update initial_access_execution_via_office_addins.toml
* Update initial_access_execution_via_office_addins.toml
* Update initial_access_execution_via_office_addins.toml
* Update rules/windows/initial_access_execution_via_office_addins.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-04-05 17:02:04 +01:00
51d50b7d8a
[New Rule] Lsass Process Access - Generic ( #2613 )
...
* Create credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* Update credential_access_lsass_openprocess_api.toml
* Update non-ecs-schema.json
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_lsass_openprocess_api.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_lsass_openprocess_api.toml
* Update non-ecs-schema.json
---------
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com >
Co-authored-by: Justin Ibarra <16747370+brokensound77@users.noreply.github.com >
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-04-03 14:34:30 +01:00
892757f4a4
[New Rule] Potential Pass The Hash ( #2670 )
...
* Create lateral_movement_alternate_creds_pth.toml
* Update rules/windows/lateral_movement_alternate_creds_pth.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/lateral_movement_alternate_creds_pth.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/lateral_movement_alternate_creds_pth.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-29 19:37:27 +01:00
5ed2120e3f
[Rule Tuning] Potential Credential Access via Windows Utilities ( #2659 )
...
* [Rule Tuning] Potential Credential Access via Windows Utilities
* Update credential_access_cmdline_dump_tool.toml
2023-03-29 09:32:36 -03:00
411ec36ff0
Validate markdown plugin fields ( #2602 )
2023-03-28 09:17:50 -04:00
192047f46d
[Rule Tuning] Potential Antimalware Scan Interface Bypass via PowerShell ( #2663 )
2023-03-27 11:50:53 -03:00
3bfe3060a2
[Rule Tuning] Uncommon Registry Persistence Change ( #2538 )
...
* [Rule Tuning] Uncommon Registry Persistence Change
* updated updated_date
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-26 00:35:23 +01:00
32ca0001ff
[Rule Tuning] Untrusted Driver Loaded ( #2656 )
2023-03-23 08:26:52 -03:00
295fc323a1
[Rule Tunings] System Time & Service Discovery ( #2589 )
...
* [Rule Tuning] System Time Discovery
* Update rules/windows/discovery_system_service_discovery.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/discovery_system_time_discovery.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-14 14:43:21 -04:00
181b56c636
[Rule Tuning] Process Created with an Elevated Token (TiWorker.exe) ( #2622 )
2023-03-07 19:57:34 -05:00
0273d118a6
[Rule Tuning] Add endgame support for Windows Rules ( #2428 )
...
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* Update impact_deleting_backup_catalogs_with_wbadmin.toml
* 1/2
* bump updated_date
* 2/3
* Finale
* Update persistence_evasion_registry_ifeo_injection.toml
* .
* Multiple fixes
* Missing index
* Missing AND
2023-03-06 12:47:11 -03:00
59da2da474
[Rule Tuning] Ensure host information is in endpoint rule queries ( #2593 )
...
* add unit tests to ensure host type and platform are included
* add host.os.name 'linux' to all linux rules
* add host.os.name macos to mac rules
* add host.os.name to windows rules; fix linux dates
* update from host.os.name to host.os.type
Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-03-05 11:41:19 -07:00
a71620a99b
[Rule Tuning] Potential Antimalware Scan Interface Bypass via PowerShell ( #2614 )
2023-03-05 14:59:17 -03:00
1a4510c9d4
[Security Content] Add Investigation Guides to Windows Rules - 2 ( #2534 )
...
* [Security Content] Add Investigation Guides to Windows Rules - 2
* tags
* Adjust some phrasing based on the review
* Update credential_access_bruteforce_admin_account.toml
* Missing Osquery Note
* Missing note
2023-03-01 21:23:09 -03:00
c3d8bac402
[Security Content] Add Investigation Guides to Windows rules ( #2521 )
...
* [Security Content] Add Investigation Guides to Windows rules
* .
* Add IG tag
* Apply suggestions from review
* Address reviews
* address note
* Update defense_evasion_amsi_bypass_dllhijack.toml
* Update defense_evasion_amsi_bypass_powershell.toml
2023-02-22 18:13:13 -03:00
f17b6f1702
[Security Content] Fix verbiage used on Osquery Note ( #2513 )
...
* [Security Content] Fix verbiage used on Osquery Note
* Adjust verbiage
* date bump
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
2023-02-22 12:33:23 -03:00
9bef3857f9
[Rule Tuning] Remote System Discovery Commands ( #2500 )
...
* [Rule Tuning] Remote System Discovery Commands
- Added to query to add additional remote system discovery tools : nltest, dsquery, net
* Update discovery_remote_system_discovery_commands_windows.toml
-added dsget.exe
* update date
* removed git comments
* removed extra ( from query
2023-02-21 18:39:51 -05:00
f04ebf277c
[Rule Tuning] ( #2537 )
...
add t1018 Remote system discovery
2023-02-15 14:58:29 -05:00
7df801f5c2
[Rule Tuning] Add missing techniques ( #2482 )
...
* tune for missing techniques
-added missing techniques to rules
* added same missing techniques to another rule
- updated_date for all files - added missing techniques to a 3rd rule
* added T1057 technique
added T1057 technique for Process discovery
2023-02-10 15:07:19 -05:00
f8e97da549
Rule Tuning Update MITRE Details ( #2526 )
...
Co-authored-by: Isai <59296946+imays11@users.noreply.github.com >
2023-02-10 23:05:28 +05:30
54b2f7582e
Update defense_evasion_unusual_ads_file_creation.toml ( #2522 )
2023-02-07 09:40:42 -03:00
1784429aa7
[FR] Add Integration Schema Query Validation ( #2470 )
2023-02-02 16:22:44 -05:00
cd2307ba7d
[New Rule] FirstTimeSeen User Performing DCSync ( #2433 )
...
* Create credential_access_dcsync_newterm_subjectuser.toml
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update credential_access_dcsync_newterm_subjectuser.toml
* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
* Update rules/windows/credential_access_dcsync_newterm_subjectuser.toml
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
---------
Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com >
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com >
2023-02-02 15:44:31 +00:00
4bfcbeab36
[Rule Tuning] Unusual Network Activity from a Windows System Binary ( #2509 )
...
* [Rule Tuning] Unusual Network Activity from a Windows System Binary
* Update defense_evasion_network_connection_from_windows_binary.toml
2023-02-01 13:19:28 -03:00
748bdbf8b1
[New Rule] Enumerating Domain Trusts via Dsquery.exe ( #2508 )
...
* [New Rule] Enumerating Domain Trusts via Dsquery.exe
T1482 Domain Trust Discovery
New rule to capture domain trust discovery with dsquery.
* Update discovery_enumerating_domain_trusts_via_dsquery.toml
I think it would be beneficial to add the process.pe.original_file_name : "dsquery.exe" to the rule, as it would be easy for an attacker to bypass this rule by changing the file name, as so: https://prnt.sc/ZqePZKuV1-Vq
Other than that, LGTM!
---------
Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com >
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-02-01 10:27:42 -05:00
c6125004c1
[New Rules] WSL Related Rules ( #2463 )
...
* Create defense_evasion_wsl_registry_modification.toml
* Create defense_evasion_wsl_kalilinux.toml
* Create defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_kalilinux.toml
* Create defense_evasion_wsl_filesystem.toml
* Update defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_filesystem.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update defense_evasion_wsl_child_process.toml
* Update defense_evasion_wsl_filesystem.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update defense_evasion_wsl_registry_modification.toml
* Update defense_evasion_wsl_child_process.toml
* Create defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_kalilinux.toml
* Create defense_evasion_wsl_enabled_via_dism.toml
* Update defense_evasion_wsl_enabled_via_dism.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Delete defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_enabled_via_dism.toml
* Create defense_evasion_wsl_bash_exec.toml
* Delete defense_evasion_wsl_bash_exec.toml
* Create defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_bash_exec.toml
* Update defense_evasion_wsl_registry_modification.toml
* Update defense_evasion_wsl_kalilinux.toml
* Update defense_evasion_wsl_kalilinux.toml
2023-02-01 15:10:28 +00:00
7fe08e7856
Update persistence_service_windows_service_winlog.toml ( #2516 )
2023-02-01 14:34:30 +00:00
be5cd23a64
[New Rules] Code Signing Policy Modification ( #2510 )
...
* [New Rules] Code Signing Policy Modification
* Fixed description & tags
* cleaned the query syntax
* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_code_signing_policy_modification_builtin_tools.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
* Update rules/windows/defense_evasion_code_signing_policy_modification_registry.toml
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
---------
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com >
2023-02-01 15:30:15 +01:00
5a31cb250d
[Rule Tuning] Unusual File Modification by dns.exe ( #2505 )
2023-02-01 11:10:05 -03:00
Eric