sigma-rules

Author	SHA1	Message	Date
Samirbous	6ca381763d	[New Rule] Execution with Administrator Privileges via Apple Scripting (#777 ) * [New Rule] Execution with Administrator Privileges via Apple Scripting * Update privilege_escalation_applescript_with_admin_privs.toml * Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_applescript_with_admin_privs.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-02-08 17:39:22 +01:00
Samirbous	ef01430ab0	[Rule Tuning] Compression of Keychain Credentials Directories (#787 ) * [Rule Tuning] Access to Keychain Credentials Directories * linted * renmaed rule filename * added keychain filenames added filenames in case of exec from keychain working directory * extra reference * Update rules/macos/credential_access_credentials_keychains.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update credential_access_credentials_keychains.toml * 2021 Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <bmurphy@endgame.com>	2021-02-08 17:31:04 +01:00
Samirbous	79b0a940c5	[New Rule] Attempt to Create a Hidden Local Account (#799 ) * [New Rule] Attempt to Create a Hidden Local Account * adjusted query for perfmc * Update persistence_account_creation_hide_at_logon.toml * Update persistence_account_creation_hide_at_logon.toml * Update rules/macos/persistence_account_creation_hide_at_logon.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_account_creation_hide_at_logon.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 17:24:56 +01:00
Samirbous	55998ff02a	[New Rule] Creation Attempt of a Hidden Login Item via Apple Script (#801 ) * [New Rule] Creation Attempt of a Hidden Login Item via Apple Script * fixed TID * Update persistence_creation_hidden_login_item_osascript.toml * Update rules/macos/persistence_creation_hidden_login_item_osascript.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_creation_hidden_login_item_osascript.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_creation_hidden_login_item_osascript.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_creation_hidden_login_item_osascript.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_creation_hidden_login_item_osascript.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 17:22:01 +01:00
Samirbous	b9a6452001	[New Rule] Attempt to Enable the Root Account (#792 ) * [New Rule] Attempt to Enable the Root Account * Update rules/macos/persistence_enable_root_account.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 17:10:43 +01:00
Samirbous	b73564b541	[Rule Tuning] Remote SSH Login Enabled via systemsetup Command (#783 )	2021-02-08 16:54:39 +01:00
Samirbous	055c8ec4f7	[New Rule] Potential MacOS Privacy Controls Bypass via TCCDB Modification (#765 ) * [New Rule] Potential MacOS Privacy Controls Bypass * added extra ref and arg if exec from TCC current directory * Update defense_evasion_privacy_controls_tcc_database_modification.toml * renamed * Update defense_evasion_privacy_controls_tcc_database_modification.toml * adjusted to catch rogue TCCDB PrivEsc Exploit * Update defense_evasion_privacy_controls_tcc_database_modification.toml * Update defense_evasion_privacy_controls_tcc_database_modification.toml * Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * added subtechnique * relinted * Update rules/macos/defense_evasion_privacy_controls_tcc_database_modification.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-02-08 16:48:53 +01:00
Samirbous	8b8cbcf8dd	[Rule Tuning] Prompt for Credentials with OSASCRIPT (#759 ) * [Rule Tuning] Prompt for Credentials with OSASCRIPT * Update credential_access_promt_for_pwd_via_osascript.toml * Update credential_access_promt_for_pwd_via_osascript.toml * Update rules/macos/credential_access_promt_for_pwd_via_osascript.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * update date Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 16:42:23 +01:00
Samirbous	4cb28adece	[New Rule] Sublime Plugin or Application Script Modification (#761 ) * [New Rule] Sublime Plugin or Application Script Modification * excluded some noisy procs * Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_modification_sublime_app_plugin_or_script.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * added T1554 * fixed tactic Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 16:34:44 +01:00
Samirbous	6a61caa84f	[New Rule] Suspicious Browser Child Process (#767 ) * [New Rule] Suspicious Browser Child Process * auditbeat removed auditbeat process execution does not log the parent process name. * added more suspicious childproc * added perl and php * Update execution_initial_access_suspicious_browser_childproc.toml * Update execution_initial_access_suspicious_browser_childproc.toml * Update execution_initial_access_suspicious_browser_childproc.toml * excluded noisy stuff * Update rules/macos/execution_initial_access_suspicious_browser_childproc.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_initial_access_suspicious_browser_childproc.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_initial_access_suspicious_browser_childproc.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-08 15:06:18 +01:00
Samirbous	4900c9a018	[New Rule] Potential Office Sandbox Evasion via ZIP File (#834 ) * [New Rule] Potential Office Sandbox Evasion via LaunchAgent ZIP File * adjusted query to account for other autostart paths * adjusted query and description * Update defense_evasion_sandboxed_office_app_suspicious_zip_file.toml * Update rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_sandboxed_office_app_suspicious_zip_file.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * 2021! Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-04 16:47:58 +01:00
Samirbous	a8931a927c	[New Rule] Safari Settings Modification using Defaults Command (#861 ) * [New Rule] Safari Settings Modification using Defaults Command * exclude some unsensitive changes * Update rules/macos/defense_evasion_safari_config_change.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_safari_config_change.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_safari_config_change.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_safari_config_change.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/defense_evasion_safari_config_change.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * added subtechnique Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>	2021-02-04 16:38:56 +01:00
Samirbous	6e59996fd0	[New Rule] Access to Browsers Credential Files (#789 ) * [New Rule] Access to Browsers Credential Files * removed Thunderbird from list out of browsers context, may go into a different rule with other mail clients * adjusted Safari cookies path to include for folder access, file access is covered by Cookies.binarycookies check * excluded a noisy arg * Update credential_access_access_to_browser_credentials_procargs.toml * Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/macos/credential_access_access_to_browser_credentials_procargs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-04 16:34:49 +01:00
Samirbous	37ccdad0ee	[New Rule] Virtual Private Network Connection Attempt (#912 ) * [New Rule] Virtual Private Network Connection Attempt * fixed tactic_id * Update lateral_movement_vpn_connection_attempt.toml * Update rules/macos/lateral_movement_vpn_connection_attempt.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-03 18:18:09 +01:00
Samirbous	8878104f54	[New Rule] Potential Persistence via Periodic Tasks (#898 ) * [New Rule] Potential Persistence via Periodic Tasks * Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_periodic_tasks_file_mdofiy.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-03 18:15:25 +01:00
Samirbous	d733971e99	[New Rule] SoftwareUpdate Preferences Modification (#869 ) * [New Rule] SoftwareUpdate Preferences Modification * Update defense_evasion_apple_softupdates_modification.toml * Update rules/macos/defense_evasion_apple_softupdates_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_apple_softupdates_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * added subtechnique Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-03 18:12:37 +01:00
Samirbous	b1a8292462	[New Rule] Potential Privacy Controls Bypass via Localhost Secure Copy (#830 ) * [New Rule] Potential Privacy Controls Bypass via Localhost Secure Copy * rename rule * exclude FPs * Update defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml * Update rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_privilege_escalation_privacy_pref_sshd_fulldiskaccess.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-03 17:54:15 +01:00
Samirbous	326bebdebe	[New Rule] Execution via Electron Child Process Node.js Module (#817 ) * [New Rule] Execution via Electron ChildProc Node.js Module * relinted * fixed TID and adjusted KQL for perf * fixed kql * Update rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_defense_evasion_electron_app_childproc_node_js.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-01-29 19:06:49 +01:00
Samirbous	ad514eaeab	[New Rule] Attempt to Add an Account to the Admin Group (#803 ) * [New Rule] Attempt to Add an Account to the Admin Group * adjusted query for perf * Update rules/macos/privilege_escalation_local_user_added_to_admin.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_local_user_added_to_admin.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_local_user_added_to_admin.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-01-29 19:03:17 +01:00
Samirbous	cd3f72cf15	[New Rule] Creation of a Hidden Launch Agent or Daemon (#797 ) * [New Rule] Creation of a Hidden Launch Agent or Daemon * updated TID * Update persistence_evasion_hidden_launch_agent_deamon_creation.toml * Update persistence_evasion_hidden_launch_agent_deamon_creation.toml * Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_evasion_hidden_launch_agent_deamon_creation.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * sub-technique stuff * relint Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-29 19:01:15 +01:00
Samirbous	a5ded6513c	[New Rule] Browser Hijack via Setting the Web Proxy to Localhost (#805 ) * [New Rule] Browser Hijack via Setting the Web Proxy to Localhost * fixed dates * adjusted query to include traffic redirection * relinted * added extra arg * reduced severity * Update rules/macos/credential_access_mitm_localhost_webproxy.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/credential_access_mitm_localhost_webproxy.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/credential_access_mitm_localhost_webproxy.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/credential_access_mitm_localhost_webproxy.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-29 18:58:14 +01:00
Samirbous	acff6a3a5d	[New Rule] 2 Rules for Persistence via Emond (#832 ) * [New Rule] 2 Rules for Persistence via Emond * removed auditbeat index process.parent.name not captured * Update persistence_emond_rules_process_execution.toml * Update rules/macos/persistence_emond_rules_file_creation.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_emond_rules_process_execution.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_emond_rules_file_creation.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_emond_rules_process_execution.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relint * 2021 * Update persistence_emond_rules_process_execution.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-29 09:16:27 +01:00
brokensound77	ec4c9e77a2	Update revoked technique	2021-01-28 11:03:17 -09:00
brokensound77	bf32dec5a4	Merge remote-tracking branch 'upstream/main' into mergeback/7.11-to-main # Conflicts: # rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml	2021-01-28 10:41:39 -09:00
Samirbous	1d77932434	[New Rule] Suspicious MacOS MS Office Child Process (#779 ) * [New Rule] Suspicious MacOS MS Office Child Process * extra bin and ref * Update execution_suspicious_mac_ms_office_child_process.toml * Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_suspicious_mac_ms_office_child_process.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-28 19:55:31 +01:00
Samirbous	c18c5a493a	[New Rule] Dumping of Keychain Content via Security Command (#785 ) * [New Rule] Dumping of Keychain Content via Security Command * converted to eql * added sub-technique * 2021 * Update rules/macos/credential_access_dumping_keychain_security.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-28 19:50:41 +01:00
Samirbous	485c6214fa	[New Rule] Environment Variable Modification using Launchctl (#865 ) * [New Rule] Environment Variable Modification using Launchctl * excluding some FPs * Update defense_evasion_modify_environment_launchctl.toml * Update defense_evasion_modify_environment_launchctl.toml * Update rules/macos/defense_evasion_modify_environment_launchctl.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_modify_environment_launchctl.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_modify_environment_launchctl.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/defense_evasion_modify_environment_launchctl.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>	2021-01-26 21:41:30 +01:00
Samirbous	b4cb953aa4	[New Rule] Script Execution via Automator Workflows (#763 ) * [New Rule] Script Execution via Automator Workflows * Update execution_script_via_automator_workflows.toml * Update rules/macos/execution_script_via_automator_workflows.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update rules/macos/execution_script_via_automator_workflows.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-01-26 09:07:39 +01:00
Samirbous	5d9c031c8b	[New Rule] TCC Bypass via Mounted APFS Snapshot Access (#775 ) * [New Rule] TCC Bypass via Mounted APFS Snapshot Access * Update defense_evasion_tcc_bypass_mounted_apfs_access.toml * conv to kql * Update rules/macos/defense_evasion_tcc_bypass_mounted_apfs_access.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-01-26 08:50:28 +01:00
Samirbous	dc53fc1f04	[New Rule] Persistence via Docker Shortcut Modification (#733 ) * [New Rule] Persistence via Docker Shortcut Modification * ref url decoded * added exclusions * Update rules/macos/persistence_docker_shortcuts_plist_modification.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/macos/persistence_docker_shortcuts_plist_modification.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * exclude some noisy procs and conv to kql Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-01-26 08:38:38 +01:00
Samirbous	6883ea0aa6	[New Rule] Potential Persistence via Login Hook (#900 ) * [New Rule] Potential Persistence via Login Hook * Update persistence_loginwindow_plist_modification.toml * Update rules/macos/persistence_loginwindow_plist_modification.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_loginwindow_plist_modification.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_loginwindow_plist_modification.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/macos/persistence_loginwindow_plist_modification.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update persistence_loginwindow_plist_modification.toml * Update rules/macos/persistence_loginwindow_plist_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-01-26 08:35:16 +01:00
Justin Ibarra	c1a0438f45	[Rule Tuning] Update ATT&CK threat mappings to reflect changes (#706 ) * replaced/removed all revoked/deprecated techniques * tests will fail on revoked (changed) techniques * tests will fail on deprecated techniques * tests will fail when techniques are mapped to an invalid tactic	2020-12-18 12:46:16 -09:00
Samirbous	b98f5d4042	[New Rule] Launch Agent Creation or Modification followed by Loading (#696 ) * [New Rule] Launch Agent Creation or Modification * replaced file event with a sequence for precision * fixed nice error in query * Update rules/macos/persistence_creation_change_launch_agents_file.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/macos/persistence_creation_change_launch_agents_file.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * replaced : with == Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-08 19:08:16 +01:00
Samirbous	725f509700	[New Rule] LaunchDaemon Creation or Modification followed by Loading (#698 ) * [New Rule] LaunchDaemon Creation or Modification followed by Loading * fix technique * Update rules/macos/persistence_creation_modif_launch_deamon_sequence.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/macos/persistence_creation_modif_launch_deamon_sequence.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-08 16:04:34 +01:00
Samirbous	c76439923b	[New Rule] Attempt to Remove File Quarantine Attribute (#674 ) * [New Rule] Attempt to Remove File Quarantine Attribute * Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-08 12:27:03 +01:00
Samirbous	d1dc7b413e	[New Rule] Apple Script Execution followed by Network Connection (#681 ) * [New Rule] Apple Script Execution followed by Network Connection * Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * excluding LAN and loopback addresses * Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-08 12:25:03 +01:00
Samirbous	aeb061514c	[New Rule] Persistence via Login and/or Logout Hooks (#683 ) * [New Rule] Persistence via Login and/or Logout Hooks * fixed tags * fixed tags * added logouthook and extra refurl * Update rules/macos/persistence_login_logout_hooks_defaults.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_login_logout_hooks_defaults.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/macos/persistence_login_logout_hooks_defaults.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-08 12:09:36 +01:00
Samirbous	844a56b125	[New Rule] Execution with Explicit Credentials via Apple Scripting (#689 ) * [New Rule] Execution with Explicit Credentials via Apple Scripting * fixing tactic * Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * added ref * Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-08 11:57:52 +01:00
Samirbous	f756619478	[New Rule] Persistence via Folder Action Script (#685 ) * [New Rule] Persistence via Folder Action Script * Update persistence_folder_action_scripts_runtime.toml * Update rules/macos/persistence_folder_action_scripts_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/persistence_folder_action_scripts_runtime.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-08 11:51:52 +01:00
Samirbous	b8243f3739	[New Rule] Shell Execution via Apple Scripting (#687 ) * [New Rule] Shell Execution via Apple Scripting * fixed description and relinted * added extra ref url * references url * Update rules/macos/execution_shell_execution_via_apple_scripting.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_shell_execution_via_apple_scripting.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_shell_execution_via_apple_scripting.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2020-12-08 11:45:39 +01:00
Samirbous	da949b0051	[New Rule] Potential SSH Bruteforce Detected (#538 ) * [New Rule] Potential SSH Bruteforce Detected * Update credential_access_potential_ssh_bruteforce.toml * added parent process condition * Update rules/macos/credential_access_potential_ssh_bruteforce.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * spaces * ecs_version * Update rules/macos/credential_access_potential_ssh_bruteforce.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/credential_access_potential_ssh_bruteforce.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/credential_access_potential_ssh_bruteforce.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2020-12-04 17:18:03 +01:00
Justin Ibarra	97ee8cc9ac	Refresh beats and ecs schemas and default to use latest to validate (#570 ) * Refresh beats and ecs schemas and default to use latest to validate * remove incorrect ecs_version from zoom rule * remove stale ecs_version from rules	2020-12-01 13:24:20 -09:00
Samirbous	abea5d0779	[New Rule] Prompt for Credentials with OSASCRIPT (#540 )	2020-11-17 22:25:40 +01:00
Justin Ibarra	f87f2a46f4	[Rule Tuning] Remove all rule timelines (#466 )	2020-11-03 09:51:53 -09:00
Justin Ibarra	da64bacac1	[Rule Tuning] Add timeline_title to rules with timeline IDs defined (#452 )	2020-11-02 14:12:20 -09:00
Derek Ditch	580db2c13e	Add timeline_id to detection rules (#95 ) * Adds timeline_id to all network rules - Uses the ID for the 'Generic Network Timeline' from Elastic * Adds timeline_id to all endpoint rules - Uses the ID for the 'Generic Endpoint Timeline' from Elastic * Adds timeline_id to all process-oriented rules - Uses the ID for the 'Generic Process Timeline' from Elastic * Ran tests and toml-lint * Bumped 'updated_date'	2020-10-27 13:34:16 -05:00
seth-goodwin	2065af89b1	[Rule Tuning] Tag Categorization Updates (#380 ) * Add new categorization tags * Change updated_date to 2020/10/26 Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>, @bm11100	2020-10-26 13:50:45 -05:00
Justin Ibarra	d3226c72c9	Add test for tactic in rule filename (#398 )	2020-10-20 14:48:33 -08:00
Justin Ibarra	758e4a2c5b	Add unit tests for rule tags (#359 )	2020-10-07 19:29:19 -08:00
Justin Ibarra	2460333595	[Rule Tuning] Add extended lookback for all endpoint rules to account for ingest delays (#351 )	2020-09-30 16:16:04 -08:00

1 2 3 4

154 Commits