security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
861 Commits 1 Branch 0 Tags
75b8fc94fd25883eff85639a950b6b889058faef
Commit Graph

861 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Samirbous 75b8fc94fd [New Rule] Privilege Escalation via Rogue Named Pipe Impersonation (#1544) 
* [New Rule] Privilege Escalation via Rogue Named Pipe Impersonation

* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update privilege_escalation_via_rogue_named_pipe.toml

* Update rules/windows/privilege_escalation_via_rogue_named_pipe.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 434e2d0426)
 2021-12-08 10:23:08 +00:00
Samirbous 1370ce26fa [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot (#1632) 
* [New Rule] Potential LSASS Clone Creation via PssCaptureSnapShot

Detects the creation of LSASS clone via event 4688 (Sysmon process creation as well as Elastic endpoint don't capture clone creation due to the way 4688 logs process creation event even before an initial threat starts).

* adding extra ref url

(cherry picked from commit e3b76b7cf7)
 2021-12-08 10:18:18 +00:00
Jonhnathan 857ec6ba94 [Rule Tuning] Replaces event.code with event.category on PowerShell ScriptBlock Rules (#1620) 
* Replaces event.code with event.category

* bump updated_date

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 851c566730)
 2021-12-08 06:34:37 +00:00
Jonhnathan 8182d73800 Add issue to min_stack_comment (#1652) 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit b7b5449033)
 2021-12-08 00:54:32 +00:00
Justin Ibarra a8919b9070 [Rule Tuning] updates from documentation review for 7.16 (#1645) 
(cherry picked from commit 14c46f50b9)
 2021-12-08 00:45:10 +00:00
Ece Özalp 0b5cae5e2c Updates Host Risk Score documentation (#1643) 
* update host-risk-score.md
* Update docs/experimental-machine-learning/host-risk-score.md

Co-authored-by: Janeen Mikell-Straughn <57149392+jmikell821@users.noreply.github.com>
Co-authored-by: Ryland Herrick <ryalnd@gmail.com>
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>

(cherry picked from commit 0935a853fb)
 2021-12-08 00:07:43 +00:00
Jonhnathan f37235581c Add min_stack and indexes back (#1648) 
(cherry picked from commit c21337fe4f)
 2021-12-07 13:02:54 +00:00
Jonhnathan 396cee32f1 [Rule Tuning] Switch "Roshal Archive (RAR) or PowerShell File Downloaded from the Internet" to use KQL (#1651) 
* Update command_and_control_download_rar_powershell_from_internet.toml

* bump updated_date

(cherry picked from commit 7b0383ffe2)
 2021-12-07 12:11:11 +00:00
Jonhnathan e37fc97c57 Limit index to logs-endpoint.events (#1647) 
(cherry picked from commit f6a2437cf8)
 2021-12-06 16:47:17 +00:00
Apoorva Joshi 2ecbc87fed Adding Beaconing docs (#1621) 
* Adding beaconing docs

* Adding a call out about import options

* Adding a note about the AD job

* Adding more clarity on the release bundle

* Update beaconing.md

* Update docs/experimental-machine-learning/beaconing.md

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 237dcd2e19)
 2021-12-01 16:46:48 +00:00
Samirbous d1fe62d903 [New Rule] Suspicious Process Creation CallTrace (#1588) 
* [New Rule] Suspicious Process Creation CallTrace

* Update non-ecs-schema.json

* added min stack vers

* min_stack_vers not needed

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_suspicious_process_creation_calltrace.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit d43e3d8e4e)
 2021-11-30 20:37:41 +00:00
Apoorva Joshi d1e73cb0c3 Updating host risk score and experimental detections docs (#1639) 
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit d061bf8e7c)
 2021-11-30 19:26:54 +00:00
Khristinin Nikita d098c58d27 [Rule Tuning] Support ECS 1.11 field for IM rule (#1560) 
* Support ecs field for IM rule

* update time interval

* Change additional lookback to 5 minutes

* Add old rule

* Add newline

* Update rules/cross-platform/threat_intel_module_match.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Remove im legacy rule

* Udpdate name and description

* Remove min_stack_comment

* Keep 2 IM rule

* add min_stack_comments to rule

* Update rules/cross-platform/threat_intel_indicator_match.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* adds new rules

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ece Özalp <ozale272@newschool.edu>
Co-authored-by: Ece Ozalp <ece.ozalp@elastic.co>

(cherry picked from commit c619844b0d)
 2021-11-30 18:27:52 +00:00
Austin Songer 423145dae7 [New Rule] Azure Kubernetes Rolebindings Created (#1576) 
* Create azure_kubernetes_rolebinding_created_or_deleted.toml

* Update

* Update privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_created_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update rules/integrations/azure/privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified_or_deleted.toml to privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_modified.toml

* Update and rename privilege_escalation_azure_kubernetes_rolebinding_modified.toml to privilege_escalation_azure_kubernetes_rolebinding_created.toml

* Update privilege_escalation_azure_kubernetes_rolebinding_created.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 521f0987ae)
 2021-11-29 12:18:02 +00:00
Austin Songer c49501c4cc [New Rule] Clearing Windows Console History (#1623) 
* Create defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update rules/windows/defense_evasion_clearing_windows_console_history.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_clearing_windows_console_history.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update defense_evasion_clearing_windows_console_history.toml

* Update rules/windows/defense_evasion_clearing_windows_console_history.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* bump severity

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 13fc69b70a)
 2021-11-25 16:27:24 +00:00
Austin Songer 5572d8669e [New Rule] Windows Firewall Disabled (#1565) 
* Create defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Update defense_evasion_windows_firewall_profile_disabled.toml

* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Update defense_evasion_windows_firewall_disabled.toml

* Rename defense_evasion_windows_firewall_disabled.toml to defense_evasion_windows_firewall_profile_disabled.toml

* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_windows_firewall_profile_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename defense_evasion_windows_firewall_profile_disabled.toml to defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update defense_evasion_powershell_windows_firewall_disabled.toml

* Update rules/windows/defense_evasion_powershell_windows_firewall_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_powershell_windows_firewall_disabled.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 2ac19440c2)
 2021-11-24 21:36:02 +00:00
LaZyDK 7f59fbb235 [Rule Tuning] Component Object Model Hijacking (#1491) 
* Update persistence_suspicious_com_hijack_registry.toml

Add HKEY_USERS\*Classes\CLSID\*\LocalServer32\ to exclusions.

* Update updated_date

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_suspicious_com_hijack_registry.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit dd3e924e4a)
 2021-11-24 11:59:49 +00:00
Samirbous 3e5ed57546 [New Rule] Potential Credential Access via Renamed COM+ Services DLL (#1569) 
* [New Rule] Potential Credential Access via Renamed COM+ Services DLL

* update dates

* adding config note

* relinted

* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_comsvcs_imageload.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* update minstack version

* minstack not needed, rule should work on previous versions

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit d1636258e4)
 2021-11-18 09:30:02 +00:00
Samirbous 97bb3d5bc4 [New Rule] Account Password Reset Remotely (#1571) 
* [New Rule] Account Password Reset Remotely

* Update non-ecs-schema.json

* udpate ruleId

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/persistence_remote_password_reset.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 53a17e6b06)
 2021-11-18 09:28:05 +00:00
Austin Songer ffcca8239e [New Rule] Azure Active Directory High Risk User AtRisk or Confirmed (#1579) 
* Create initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 3dd32608a0)
 2021-11-17 22:40:16 +00:00
Jonhnathan 3f3328a630 [New Rule] PowerShell Keylogging Script (#1561) 
* Create collection_posh_keylogger.toml

* Apply suggestions from Samir

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Fix missing OR

* Change dup guid

* Apply suggestions from Justin

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 4b6794df32)
 2021-11-17 22:39:05 +00:00
Austin Songer c6068391a1 [Rule Tuning] Suspicious CertUtil Commands (#1564) 
(cherry picked from commit ab521f7c4f)
 2021-11-17 20:43:07 +00:00
Jonhnathan 0e20e08eef [New Rule] Potential Process Injection via PowerShell (#1552) 
* Create defense_evasion_posh_process_injection.toml

* Update defense_evasion_posh_process_injection.toml

* Update description

* Apply suggestions from code review

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>

* Apply suggestions from Justin

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 9c54e21820)
 2021-11-17 10:35:29 +00:00
Samirbous 33f13e25be [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot (#1550) 
* [New Rule] Potential LSASS Memory Dump via PssCaptureSnapShot

* Update credential_access_suspicious_lsass_access_via_snapshot.toml

* lint

* Update etc/non-ecs-schema.json

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* moved FP txt to Note.

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update etc/non-ecs-schema.json

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* fix json

* Update credential_access_suspicious_lsass_access_via_snapshot.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit e99478db00)
 2021-11-17 07:47:39 +00:00
Samirbous 2e067562f1 [New Rule] Potential Credential Access via LSASS Memory Dump (#1533) 
* [New Rule] Potential Credential Access via LSASS Memory Dump

* Update credential_access_suspicious_lsass_access_memdump.toml

* fix typo in calltrace and event.code type

* Update rules/windows/credential_access_suspicious_lsass_access_memdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update credential_access_suspicious_lsass_access_memdump.toml

* added TargetImage to non ecs schema

* Update non-ecs-schema.json

* format

* Update credential_access_suspicious_lsass_access_memdump.toml

* Update credential_access_suspicious_lsass_access_memdump.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit c18c08a976)
 2021-11-17 07:38:39 +00:00
github-actions[bot] a06dc65acd Lock versions for releases: 7.13,7.14,7.15,7.16 (#1619) 
* Locked versions for releases: 7.13,7.14,7.15,7.16

(cherry picked from commit f0f3b83eab)
 2021-11-16 09:33:36 +00:00
Justin Ibarra a50bd1ae15 [bug] Current stack version in deprecation lock missing parens (#1618) 
The function was not being properly called, leading to `null` values

(cherry picked from commit bd9e33e761)
 2021-11-16 09:20:32 +00:00
Justin Ibarra e9736b21c9 Fix kibana-pr command (#1616) 
(cherry picked from commit 76503e8bcd)
 2021-11-16 08:56:57 +00:00
Justin Ibarra f306ff195a Update registry release from beta to ga 2021-11-15 21:48:07 -09:00
Jonhnathan 271d460d7f [New Rule] PowerShell Suspicious Script with Audio Capture Capabilities (#1582) 
(cherry picked from commit 858d1cf12c)
 2021-11-16 06:21:37 +00:00
Justin Ibarra 4a0f780d0b Bump min_stack_version in version.lock for specific rules (#1614) 
(cherry picked from commit d78f6354df)
 2021-11-15 23:40:19 +00:00
Justin Ibarra 1e2ede92a1 Test to trigger workflows (#1612) 
(cherry picked from commit 59ba8e1540)
 2021-11-15 19:04:37 +00:00
Justin Ibarra d0ec0f0297 Prepare for creation of 7.16 release branch (#1611) 
Removed changes from:
- etc/packages.yml

(selectively cherry picked from commit 95d7e9b6f5)
 2021-11-15 18:41:47 +00:00
Justin Ibarra 0efae3a52e Move version lock code to object for portability (#1553) 
* Move version lock code to object for portability
* use cached_property to bypass frozen dataclass and set property
* replace load_versions function
 2021-11-15 08:46:12 -09:00
Samirbous 81a62f5f68 [New Rule] Suspicious Process Access via Direct System Call (#1536) 
* [New Rule] Suspicious Process Access via Direct System Call

* updated query to catch also CallTrace with non ntdll modules

* Update rules/windows/defense_evasion_suspicious_process_access_direct_syscall.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update defense_evasion_suspicious_process_access_direct_syscall.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-11-15 10:18:26 +01:00
Justin Ibarra 5e6a58ebab Add index as a required field to rule_prompt (#1595) 2021-11-14 17:05:42 -09:00
Jonhnathan 017d9a51b7 [Rule Tuning] Rename extrac.exe to extrac32.exe (#1601) 2021-11-14 17:01:13 -09:00
Adrian Serrano aa219710a1 Fix Windows path causing emoji to be rendered in Kibana (#1585) 
In impact_hosts_file_modified rule, the `note` field contains a Windows
path that causes a confused-face-emoji to be rendered in the
Investigation Guide tab.

Surrounding the path in backticks fixes it.
 2021-11-03 11:01:25 -05:00
Ece Özalp e29a1ca25c Create host-risk-score.md (#1599) 
update the script name to match shipped artifact
 2021-11-03 11:05:59 +03:00
Khristinin Nikita f47b0f61cc Change interval and lookback time for IM rule (#1596) 2021-11-01 09:27:38 +01:00
Justin Ibarra ff16832003 [Rule Tuning] Hosts File Modified - add process check for linux (#1593) 
* [Rule Tuning] Hosts File Modified - add process check for linux

* add echo and sed to process names in query
 2021-10-28 22:56:34 -05:00
Ross Wolf d03e7972a6 Update the marshmallow dependencies in requirements.txt (#1475) 
* Update the marshmallow dependencies in requirements.txt

* Fix typo

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-28 22:50:49 -05:00
Justin Ibarra c8cf88cd62 Refresh ECS (1.12.1) and beats (7.15.1) schemas (#1584) 
* Refresh ECS (1.12.1) and beats (7.15.1) schemas

* update ecs to 1.10 for 7.14 stack validation

* add note with reference url
 2021-10-28 11:24:28 -05:00
Justin Ibarra d12c04761f Add support for eql-wildcard and kql-match_only_text (#1583) 
* Add support for eql-wildcard and kql-match_only_text
* bump kql version
* lookup elasticsearch type family prior to getting type hint
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
 2021-10-28 08:57:43 -05:00
Apoorva Joshi 0b57778be6 Updating docs to highlight explainability (#1542) 
* Updating docs to highlight explainability

* Update typosquatting_rule.md

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-26 13:34:19 -07:00
Justin Ibarra ab17dfcc28 [Bug] Tighten definitions validation patterns (#1396) 
* [Bug] Anchor validation patterns
* Deprecate rule with invalid rule_id and duplicate as new one

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
 2021-10-26 10:26:20 -05:00
Austin Songer ef7548f04c [Rule Tuning] Added Powershell_ise.exe to some rules. (#1566) 
* Update collection_email_powershell_exchange_mailbox.toml

* Update command_and_control_remote_file_copy_powershell.toml

* Update defense_evasion_disabling_windows_defender_powershell.toml

* Update execution_scheduled_task_powershell_source.toml

* Update execution_via_compiled_html_file.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update persistence_powershell_exch_mailbox_activesync_add_device.toml

* Update persistence_webshell_detection.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_suspicious_zoom_child_process.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update persistence_local_scheduled_task_scripting.toml

* Update persistence_local_scheduled_task_creation.toml

* Update persistence_system_shells_via_services.toml

* Update collection_email_powershell_exchange_mailbox.toml

* Update command_and_control_remote_file_copy_powershell.toml

* Update defense_evasion_clearing_windows_event_logs.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update defense_evasion_disabling_windows_defender_powershell.toml

* Update defense_evasion_execution_msbuild_started_by_script.toml

* Update defense_evasion_suspicious_zoom_child_process.toml

* Update execution_scheduled_task_powershell_source.toml

* Update execution_via_compiled_html_file.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Update initial_access_suspicious_ms_exchange_worker_child_process.toml

* Update persistence_local_scheduled_task_creation.toml

* Update persistence_local_scheduled_task_scripting.toml

* Update persistence_powershell_exch_mailbox_activesync_add_device.toml

* Update persistence_system_shells_via_services.toml

* Update persistence_webshell_detection.toml

* Update rules/windows/persistence_local_scheduled_task_creation.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/initial_access_suspicious_ms_exchange_worker_child_process.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_disabling_windows_defender_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-26 12:16:31 -03:00
Jonhnathan 239384497f [New Rule] PowerShell MiniDump Script (#1528) 
* PowerShell MiniDump Script Initial Rule

* Update credential_access_posh_minidump.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update credential_access_posh_minidump.toml

* Update rules/windows/credential_access_posh_minidump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
 2021-10-26 12:09:16 -03:00
Jonhnathan 4524c175c8 Add missing Integration field (#1537) 
* Add missing Integration field

* Bump updated_date

* Add test for integration<->path

* Fix rule folder

* bump updated date in rule

Co-authored-by: brokensound77 <brokensound77@users.noreply.github.com>
 2021-10-26 12:05:12 -03:00
Austin Songer 89553d84a9 [New Rule] AWS Route Table Created (#1257) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_route_table_created.toml

* Update persistence_route_table_created.toml

* Update rules/persistence_route_table_created.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update persistence_route_table_created.toml

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_table_created.toml

* Update

* Update

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
 2021-10-26 10:25:53 -03:00