security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,834 Commits 1 Branch 0 Tags
724e34ba95ffb48d13e18a91c547800986164572
Commit Graph

1322 Commits

Author SHA1 Message Date
Samirbous e707b53a03 [New Rule] Scheduled Jobs AT Protocol Enabled (#609) 
* [New Rule] Scheduled Jobs AT Protocol Enlabled

* fixed typo

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* eql syntax

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:52:17 +01:00
Samirbous 637d06f6c9 [New Rule] Mounting Hidden or WebDav Remote Shares (#444) 
* [New Rule] Mounting Hidden or WebDav Remote Shares

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* Update lateral_movement_mount_hidden_or_webdav_share_net.toml

* removed timeline_id

* adjusted args to avoid leading wildcard

* Update rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:50:09 +01:00
Samirbous 0544461b45 [New Rule] Remote Scheduled Task Creation (#598) 
* Remote Scheduled Task Modification

* replaced file modification with registry

replaced file modification with registry to capture the task configured action instead of task name only which is not useful for drill down.

* eql syntax

* Update rules/windows/lateral_movement_scheduled_task_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_scheduled_task_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_scheduled_task_target.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* adj port number for ross :)

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:40:48 +01:00
Samirbous 7d7d010509 [New Rule] Persistence via Hidden Run Key ValName (#534) 
* [New Rule] Persistence via Hidden Run Key Detected

* added strings length condition

* added description

* Update persistence_via_hidden_run_key_valuename.toml

* Update rules/windows/persistence_via_hidden_run_key_valuename.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* commented length for stability

no logic impact

* eql syntax

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-08 16:38:23 +01:00
Samirbous 929277486d [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack (#499) 
* [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack

* performance tuning of proc args

* replaced wildcard with in condition

* eql syntax

* ecs_version

Co-authored-by: Brent Murphy <bmurphy@endgame.com>
 2020-12-08 16:34:36 +01:00
Samirbous efba50d670 [New Rule] Enable RDP Through Registry (#632) 
* [New Rule] Enable RDP Through Registry

* eql syntax

* Update rules/windows/lateral_movement_rdp_enabled_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_enabled_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_rdp_enabled_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:32:24 +01:00
Samirbous 6b96b99dc1 [New Rule] Execution from TSClient Mountpoint (#524) 
* [New Rule] Execution from TSClient Mountpoint

* Delete profiles_settings.xml

* Delete modules.xml

* Delete vcs.xml

* Delete windows.iml

* Delete workspace.xml

* eql syntax

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* linted

* deleted ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:30:10 +01:00
Samirbous 58174015bd [New Rule] Privilege Escalation via Windir Environment Variable (#638) 
* [New Rule] Privilege Escalation via Windir Environment Variable

* added equiv envar

* eql syntax

* Update rules/windows/privilege_escalation_rogue_windir_environment_var.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:21:42 +01:00
Samirbous fbecc85593 [New Rule] Incoming DCOM Lateral Movement with MMC (#488) 
* [New Rule] Incoming DCOM Lateral Movement with MMC

* adjusted technique ID

subject to updates to all rules with new MITRE IDs

* added localhost filtering

* Update rules/windows/lateral_movement_dcom_mmc20.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* eql syntax

* Update rules/windows/lateral_movement_dcom_mmc20.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_dcom_mmc20.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* port numb

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-08 16:19:26 +01:00
Samirbous e038b34344 [New Rule] Connection to Commonly Abused Free SSL Certificate Providers (#478) 
* [New Rule] Connection to Commonly Abused Free SSL Certificate Providers

* linted

* added explorer and notepad paths

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* adjusted desc

* eql syntax

* remove ecs_version

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-08 16:16:11 +01:00
Samirbous 49abcd7f4d [New Rule] Execution from unusual directory - CommandLine (#435) 
* [New Rule] Execution from unusual directory - cmdline

* Update execution_from_unusual_path_cmdline.toml

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* linted and added note as sug by JLB

* note

* ecs_version

* fixed path

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/execution_from_unusual_path_cmdline.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-08 16:13:52 +01:00
Samirbous 525512fdae [New Rule] Remote File Copy to a Hidden Share (#474) 
* [New Rule] Remote File Copy to a Hidden Share

* Update rules/windows/lateral_movement_remote_file_copy_hidden_share.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/lateral_movement_remote_file_copy_hidden_share.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-08 16:07:18 +01:00
Samirbous 725f509700 [New Rule] LaunchDaemon Creation or Modification followed by Loading (#698) 
* [New Rule] LaunchDaemon Creation or Modification followed by Loading

* fix technique

* Update rules/macos/persistence_creation_modif_launch_deamon_sequence.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/macos/persistence_creation_modif_launch_deamon_sequence.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 16:04:34 +01:00
Samirbous 46d6bc69a2 [New Rule] UAC Bypass via Mocking Windir (#411) 
* [New Rule] UAC Bypass via Mocking Windir

* added tags

* changed rule name

* adjusted args for performance

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_mock_windir.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 15:55:36 +01:00
Samirbous 3040f6103f [New Rule] Suspicious PrintSpooler Point and Print DLL (#641) 
* [New Rule] Suspicious PrintSpooler Point and Print DLL

* added example of execution data to the ref

* Update privilege_escalation_printspooler_registry_copyfiles.toml

* Update privilege_escalation_printspooler_registry_copyfiles.toml

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted plus extra ref URL

* eql syntax

* ecs_version

* Update rules/windows/privilege_escalation_printspooler_registry_copyfiles.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 15:07:26 +01:00
Samirbous 3fda16db71 [Rule Tuning] Potential Modification of Accessibility Binaries (#546) 
* [Rule Tuning] Potential Modification of Accessibility Binaries

* replaced wildcard by in

* indentation more consistent for readability

* eql syntax

* ecs_version
 2020-12-08 12:42:34 +01:00
Samirbous d59b2cb72b [New Rule] Persistence with Startup Folder by Unsigned Process (#651) 
* [New Rule] Persistence with Startup Folder by Unsigned Process

* new line

* eql syntax

* ecs_version

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_startup_folder_file_written_by_unsigned_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* dropped winlogbeat index

pe signature check details missing

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:39:44 +01:00
Samirbous 6dc78c4703 [New Rule] Remote File Download via Scripting (#647) 
* [New Rule] Remote File Download via Scripting

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* eql syntax

* ecs_version

* Update rules/windows/command_and_control_remote_file_copy_scripts.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* deleted ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:37:51 +01:00
Samirbous c76439923b [New Rule] Attempt to Remove File Quarantine Attribute (#674) 
* [New Rule] Attempt to Remove File Quarantine Attribute

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:27:03 +01:00
Samirbous d1dc7b413e [New Rule] Apple Script Execution followed by Network Connection (#681) 
* [New Rule] Apple Script Execution followed by Network Connection

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* excluding LAN and loopback addresses

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_scripting_osascript_exec_followed_by_netcon.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:25:03 +01:00
Samirbous aeb061514c [New Rule] Persistence via Login and/or Logout Hooks (#683) 
* [New Rule] Persistence via Login and/or Logout Hooks

* fixed tags

* fixed tags

* added logouthook and extra refurl

* Update rules/macos/persistence_login_logout_hooks_defaults.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_login_logout_hooks_defaults.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* Update rules/macos/persistence_login_logout_hooks_defaults.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:09:36 +01:00
Samirbous bb93988926 [Rule Tuning] Unusual Network Connection via RunDLL32 (#693) 
* [Rule Tuning] Unusual Network Connection via RunDLL32

* excluding dns traffic

* Update rules/windows/execution_unusual_network_connection_via_rundll32.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 12:01:17 +01:00
Samirbous 844a56b125 [New Rule] Execution with Explicit Credentials via Apple Scripting (#689) 
* [New Rule] Execution with Explicit Credentials via Apple Scripting

* fixing tactic

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* added ref

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/privilege_escalation_explicit_creds_via_apple_scripting.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:57:52 +01:00
Samirbous f756619478 [New Rule] Persistence via Folder Action Script (#685) 
* [New Rule] Persistence via Folder Action Script

* Update persistence_folder_action_scripts_runtime.toml

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/persistence_folder_action_scripts_runtime.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:51:52 +01:00
Samirbous b8243f3739 [New Rule] Shell Execution via Apple Scripting (#687) 
* [New Rule] Shell Execution via Apple Scripting

* fixed description and relinted

* added extra ref url

* references url

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/execution_shell_execution_via_apple_scripting.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:45:39 +01:00
Samirbous 3f8a7573f7 [New Rule] Remotely Started Services (#542) 
* [New Rule] Remotely Started Services

* added a common FP msiexec

* Update lateral_movement_remote_services.toml

* eql syntax

* Update rules/windows/lateral_movement_remote_services.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update lateral_movement_remote_services.toml

* port numb

* ecs_version

* added RPC to alert name

* Update rules/windows/lateral_movement_remote_services.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:31:03 +01:00
Samirbous 0f17ad6839 [New Rule] Incoming Execution with WinRM Remote Shell (#616) 
* [New Rule] Incoming Execution with WinRM Remote Shell

* MITRE TID Mapping

removed also unnecessary sequence events

* Update lateral_movement_incoming_winrm_shell_execution.toml

* eql syntax

* ecs_version

* excluding localhost

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_incoming_winrm_shell_execution.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-08 11:28:37 +01:00
Samirbous b477255abe [New Rule] Potential DNS Tunneling with Nslookup (#522) 
* [New Rule] Potential DNS Tunneling with Nslookup

* adjusted tags

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* ecs_version

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/command_and_control_dns_tunneling_nslookup.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-07 20:16:17 +01:00
Samirbous 6c37d5c6b4 [New Rule] Potential ProcessHerpaderping Detected (#418) 
* [New Rule] Suspicious Execution via File Overwrite

* Update defense_evasion_overwrite_followed_by_execution.toml

* Update defense_evasion_overwrite_followed_by_execution.toml

* removed timeline_id

* fixed logic and also added references URL

* tuned logic to exclude potential FPs

not an actual FP, but only observed executable file overwrite by default on Windows is related to SoftwareDistribution, this does not match the sequence (Process Execution followed by Same Process File Overwrite) but added it to exclusion just in case.

* adjusted a bit desc and name

* changed rule file name

* adjusted executable.path for performance

avoiding leading wildcard, users can customize rule if they have different drive letters

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* lint

* ecs_version

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* deleted ecs_version

* Update rules/windows/defense_evasion_potential_processherpaderping.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* changed rule name as per ross sugges

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-07 20:08:12 +01:00
Samirbous af85c27142 [New Rule] Peripheral Device Discovery (#446) 
* [New Rule] Peripheral Device Discovery

* removed timeline_id

* adjusted cmdline

* adjusted args for better performance

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* Update rules/windows/discovery_peripheral_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 20:55:19 +01:00
Samirbous 9460618129 [New Rule ] Incoming DCOM Lateral Movement with MSHTA (#459) 
* [New Rule ] Remote Execution via DCOM - MSHTA

* corrected tactic

* removed timeline_id

* added host.id and tightened the netcon clause

* changed rule description and name

* removed parent process names

as condition its optional since process.args is explicit.

* Update rules/windows/lateral_movement_dcom_hta.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/lateral_movement_dcom_hta.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* localhost filtering

* Update rules/windows/lateral_movement_dcom_hta.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 20:49:54 +01:00
Brent Murphy 86b1a56c1b [New Rule] Attempts to Brute Force a Microsoft 365 User Account (#662) 
* [New Rule] Attempts to Brute Force an O365 User Account

* Update credential_access_o365_brute_force_user_account_attempt.toml

* rebrand to m365

* Update credential_access_microsoft_365_brute_force_user_account_attempt.toml

* update description
 2020-12-04 12:40:09 -05:00
Samirbous 181bbcb8c9 [New Rule] Incoming DCOM Lateral Movement with ShellBrowserWindow or ShellWindow (#486) 
* [New Rule] Remote Execution via DCOM - ShellBrowserWindow or ShellWindows

* adjusted rule description and name

* Update rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* filtering localhost

* Update lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

* eql syntax

* ecs_version

* Update rules/windows/lateral_movement_dcom_shellwindow_shellbrowserwindow.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted and del ecs_vers

* re-linted

* deleted ecs_version

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 17:37:31 +01:00
Samirbous da949b0051 [New Rule] Potential SSH Bruteforce Detected (#538) 
* [New Rule] Potential SSH Bruteforce Detected

* Update credential_access_potential_ssh_bruteforce.toml

* added parent process condition

* Update rules/macos/credential_access_potential_ssh_bruteforce.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* spaces

* ecs_version

* Update rules/macos/credential_access_potential_ssh_bruteforce.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_potential_ssh_bruteforce.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/macos/credential_access_potential_ssh_bruteforce.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 17:18:03 +01:00
Samirbous 5c1229cc63 [New Rule] Suspicious Service ImagePath Created (#603) 
* [New Rule] Suspicious Service ImagePath Created

* fixed rule name

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* fixed technique name

* Update persistence_suspicious_service_created_registry.toml

* new MITRE mapping not yet supported

* eql syntax

* ecs_version

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/persistence_suspicious_service_created_registry.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 17:14:54 +01:00
Samirbous 7775515b55 [New Rule] Privilege Escalation via Named Pipe Impersonation (#605) 
* [New Rule] Privilege Escalation via Named Pipe Impersonation

* added a reference url

* fixed PS OFN

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* eql syntax

* ecs_version

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/privilege_escalation_named_pipe_impersonation.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 17:05:30 +01:00
Samirbous c7d7bd7fdd [New Rule] Suspicious PowerShell Engine ImageLoad (#559) 
* [New Rule] Suspicious PowerShell Engine ImageLoad

* Update rules/windows/defense_evasion_suspicious_powershell_imgload.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* eql syntax

* ecs_version

* Update rules/windows/defense_evasion_suspicious_powershell_imgload.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_powershell_imgload.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-04 16:48:01 +01:00
Samirbous 0eacf484a0 [New Rule] Scheduled Task Created by a Windows Script (#649) 
* [New Rule] Scheduled Task Created via Windows Scripts

* added powershell

* Update persistence_local_scheduled_task_scripting.toml

* Update rules/windows/persistence_local_scheduled_task_scripting.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* increased maxspan as per Dan sugg

* eql syntax

* eql syntax

* ecs_version

* Update rules/windows/persistence_local_scheduled_task_scripting.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-03 23:10:51 +01:00
Samirbous 41dd58b151 [Rule Tuning] Persistence via TelemetryController Scheduled Task Hijack (#655) 
* [Rule Tuning] Persistence via TelemetryController Scheduled Task Hijack

* ecs_version
 2020-12-03 22:59:46 +01:00
Samirbous 11041e0012 [New Rule] UAC Bypass via privileged IFileOperation (#416) 
* [New Rule] Bypass UAC via privileged IFileOp

* Update privilege_escalation_uac_bypass_dll_sideloading.toml

* Update rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update privilege_escalation_uac_bypass_dll_sideloading.toml

* adjusted file.path for performance

avoiding leading wildcard, rule can be customized by users if default drive letter is different

* new EQL syntax

* Update privilege_escalation_uac_bypass_dll_sideloading.toml

* ecs_version

* removed new lines

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2020-12-03 20:43:57 +01:00
Samirbous 54b926a7bf [Rule Tuning] Process Potentially Masquerading as WerFault (#653) 
* [Rule Tuning] Process Potentially Masquerading as WerFault

* Update defense_evasion_masquerading_werfault.toml

* converted from kql to eql sequence for more precision

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_masquerading_werfault.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* relinted

* relinted

* eql syntax

* ecs_version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-03 20:26:37 +01:00
Justin Ibarra 4b6ad77338 [Rule Tuning] Remove usage of winlog.event_data.OriginalFileName (#667) 2020-12-03 01:00:24 -09:00
Samirbous 3ac232085b [New Rule] Remote Desktop Enabled in Windows Firewall (#368) 
* [New Rule] Inbound RDP Enabled

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* changed tags

* expanded args condition

* Update defense_evasion_enable_inbound_rdp_with_netsh.toml

* adjusted process args

* renamed rule and added equivalent process args

* Update rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* relinted

* fixing unit test errors

* original file name

* ecs_version

* Update rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2020-12-02 21:27:18 +01:00
Samirbous 30cded7a2d [New Rule] Lateral Movement via Startup Folder (#663) 
* [New Rule] Lateral Movement via Startup Folder

* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Update rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-02 21:22:43 +01:00
Samirbous 3deff0eeb8 [New Rule] Remote Execution via File Shares (#455) 
* [New Rule] Remote Execution via File Shares

* removed timeline_id

* fixed tags

* added extension to reduce response time

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* ecs_version

* Update rules/windows/lateral_movement_execution_via_file_shares_sequence.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-02 21:20:13 +01:00
Samirbous e03f775789 [New Rule] Lateral Executable Transfer Over SMB (#517) 
* [New Rule] Lateral Executable Transfer Over SMB

* adjusted maxspan, address and extensions

* changed rule name

* Update rules/windows/lateral_movement_executable_tool_transfer_smb.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* eql syntax

* ecs_version

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2020-12-02 21:03:31 +01:00
Samirbous e6645a8be9 [Rule Tuning] Clearing or Disabling Windows Event Logs (#393) 
* [Rule Tuning] Clearing or Disabling Windows Event Logs

* added tags

* Update defense_evasion_clearing_windows_event_logs.toml

* Update rules/windows/defense_evasion_clearing_windows_event_logs.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* updated the rule update date

* linted

* fixing unit test error

* Update rules/windows/defense_evasion_clearing_windows_event_logs.toml

Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>

* ecs_version

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
 2020-12-02 20:35:35 +01:00
Samirbous db2d17ccb2 [New Rule] Credential Acquisition via Registry Hive Dumping (#607) 
* [New Rule] Credential Acquisition via Registry Hive Dumping

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* fixed MITRE technique details

* fixed TID

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>

* Update credential_access_dump_registry_hives.toml

* as per Justin suggestion case insensitivity is not issue 7.11

* Update credential_access_dump_registry_hives.toml

* new MITRE mapping errors

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_dump_registry_hives.toml

* added :

* changed process.args:(a, b) to process.args: a or process.args:b

while testing on 7.10 process.args : (a , b) generate an error

* adjusted query as per JLB and RW suggestion

* eql syntax

* Update rules/windows/credential_access_dump_registry_hives.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* ecs_version

Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
 2020-12-02 20:31:22 +01:00
Brent Murphy f23881f1b8 [New Rule] Microsoft 365 Exchange DLP Policy Removed (#600) 
* [New Rule] O365 Exchange DLP Policy Removed

* rebrand to m365

* update description
 2020-12-02 14:18:11 -05:00
Brent Murphy 427012ed32 [New Rule] Microsoft 365 Exchange Management Group Role Assignment (#599) 
* [New Rule] O365 Exchange Management Role Assignment

* Update persistence_o365_exchange_management_role_assignment.toml

* rebrand to m365
 2020-12-02 14:11:33 -05:00