Justin Ibarra
7c2abc68d7
[Docs] Update ML_DGA.md ( #707 )
2020-12-09 13:06:35 -09:00
Andrew Pease
a5cd35f498
AdFind Command Activity ( #395 )
* initial commit
* added sub-techniques
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/discovery_adfind_command_activity.toml
* Update rules/windows/discovery_adfind_command_activity.toml
* update threat mapping with sub-techniques
* update technique url
* remove ecs_version
* convert rule to eql
* added sub-techniques
* Update rules/windows/discovery_adfind_command_activity.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-09 15:01:28 -06:00
Andrew Pease
66506139d9
[New Rule] Detects Mimikatz via Invoke-Mimikatz ( #700 )
* initial commit
* lint
* note updates
* convert to eql and moved to dev
* convert to eql and moved to dev
2020-12-09 14:51:45 -06:00
Andrew Pease
17cf79d076
[New Rule] Default Cobalt Strike Team Server Certificate ( #358 )
* initial commit
* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* updated to include sub-techniques
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-09 14:49:31 -06:00
Samirbous
d5eaf5db53
[New Rule] High Number of Process and/or Services Termination ( #672 )
* [New Rule] High Number of Process and/or Services Termination
* removed url and fixed ruleid
* fixed tags
* Update rules/windows/defense_evasion_stop_process_service_threshold.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_stop_process_service_threshold.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* relinted
* Update rules/windows/defense_evasion_stop_process_service_threshold.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_stop_process_service_threshold.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-09 09:00:19 +01:00
Samirbous
14fe63bb1e
[Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process ( #676 )
* [Rule Tuning] Unusual Parent-Child Relationship and Suspicious MS Office Child Process
* replaced path with name for faster comparison
* added few more cases and refurl
also organized items per anomaly category
* added extra refurl plus few excep
* Update execution_suspicious_ms_office_child_process.toml
* added parenthesis
* excluded an FP
2020-12-09 08:55:58 +01:00
Justin Ibarra
e272800a5d
Add ATT&CK sub-technique support to CLI ( #614 )
* Add Mitre sub-technique support to CLI
* Add subtechnique enum to schema
* Add test to prevent duplicative tactics in mapping
2020-12-08 21:56:55 -09:00
David French
b8d2f6fc96
[Rule Tuning] Possible Consent Grant Attack via Azure-Registered Application ( #575 )
* Update initial_access_consent_grant_attack_via_azure_registered_application.toml
* bump updated_date
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 17:20:30 -07:00
Justin Ibarra
24828ea9cb
[New Rule] Conversions of some APT-29 Endgame rules ( #702 )
Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 14:13:34 -09:00
Brent Murphy
598e807a5c
[New Rule] Microsoft 365 Teams Custom Application Interaction Allowed ( #657 )
* [New Rule] O365 Teams Custom Application Interaction Allowed
* rebrand to m365, still needed non ecs schema
* Update non-ecs-schema.json
2020-12-08 17:36:47 -05:00
Justin Ibarra
0ed1e1df71
Add support to validate against dev ECS and beats schemas ( #691 )
2020-12-08 13:29:56 -09:00
Brent Murphy
73e2690ec0
[New Rule] Potential Password Spraying of Microsoft 365 User Accounts ( #665 )
* [New Rule] Potential Password Spraying of O365 User Accounts
* Update credential_access_o365_potential_password_spraying_attack.toml
* rebrand to m365
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 17:19:39 -05:00
Justin Ibarra
200fbe939e
[Bug] Allow duplicative queries across different rule types ( #704 )
2020-12-08 13:16:59 -09:00
Ross Wolf
8c92ae7348
Add ATT&CK subtechniques to the schema ( #337 )
* Add ATT&CK subtechniques to the schema
* Switch subtechniques to the 7.11 schema
* Make technique still required
* Lint fixes
* Cleanup EQL constant
* Trim more cruft
* Restore EQL for 710
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 14:57:30 -07:00
Brent Murphy
d74b41c1a0
[New Rule] Microsoft 365 Teams External Access Enabled ( #661 )
* [New Rule] O365 Teams External Access Enabled
* rebrand to m365, still needed non ecs schema
* update description
* remove non ecs change
2020-12-08 16:48:15 -05:00
Brent Murphy
6bfe5d3dd8
[New Rule] Microsoft 365 Teams Guest Access Enabled ( #601 )
* [New Rule] O365 Teams Guest Access Enabled
* rebrand to m365, still needed non ecs schema
* remove non ecs schema change
2020-12-08 16:44:15 -05:00
Brent Murphy
6a296c64c5
[New Rule] Microsoft 365 Exchange DKIM Signing Configuration Disabled ( #578 )
* [New Rule] O365 Exchange DKIM Signing Configuration Disabled
* rebrand to m365
* still req non ecs schema
* Remove the ECS override
* Update _flatten_schema logic
* Allow fields with * in the path
* Allow explicit fields to overwrite implicit * fields
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
2020-12-08 16:38:00 -05:00
Samirbous
94e8fa80bb
[Rule Tuning] Suspicious Endpoint Security Parent Process ( #509 )
* [Rule Tuning] added FPs and converted to EQL for more flexibility
* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
* adjusted process names in scope to security agents
* eql syntax
* ecs_version
* adjusted format
* Update rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 22:34:28 +01:00
Samirbous
538aa80bba
[New Rule] Process Termination Followed by Deletion ( #482 )
* [New Rule] Process Termination Followed by Deletion
* excluded SoftwareDistrib and WinSxS Folders
* added drive letter for better performance
* excluded signed PE
* eql syntax
* ecs_version
* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/defense_evasion_process_termination_followed_by_deletion.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* added few more extension as suggested by DanStep
* dropped winlogbeat due to pe.codesign
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 22:26:11 +01:00
Samirbous
97fa6c62cd
[New Rule] Remote File Download via Powershell ( #660 )
* [New Rule] Remote File Download via Powershell
* new line
* eql syntax
* ecs_version
* added google related FPs
* Update rules/windows/command_and_control_remote_file_copy_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/command_and_control_remote_file_copy_powershell.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/command_and_control_remote_file_copy_powershell.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/command_and_control_remote_file_copy_powershell.toml
Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com>
* Update rules/windows/command_and_control_remote_file_copy_powershell.toml
Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com>
* relint
* ecs_version removed
* replaced path with name to avoid FPs for users temp folder
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: seth-goodwin <58222969+seth-goodwin@users.noreply.github.com>
2020-12-08 21:28:28 +01:00
Samirbous
9792d967d7
[Rule Tuning] Convert to EQL 5 existing rules ( #414 )
* [Rule Tuning] 5 rules
* [Rule Tuning] Converted two IIS CredAccess rules to EQL
* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/credential_access_iis_connectionstrings_dumping.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/evasion_rundll32_no_arguments.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* deleted. rule looks incompatible with endpoint
* fixing units testing error
* Update credential_access_iis_apppoolsa_pwd_appcmd.toml
* Update rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* desc
* fixed tags duplicate
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* Update rules/windows/defense_evasion_masquerading_renamed_autoit.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_suspicious_zoom_child_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update defense_evasion_rundll32_no_arguments.toml
* adjusted process args count to 1
adjusted process args count to 1 to account for winlogbeat Windows process creation events 4688 with missing cmdline value (avoid FPs).
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 21:07:26 +01:00
Samirbous
afb00d7097
[New Rule] Encoded Executable Stored in the Registry ( #636 )
* [New Rule] Encoded Executable Stored in the Registry
* eql syntax
* ecs_version
* Update rules/windows/defense_evasion_hide_encoded_executable_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_hide_encoded_executable_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 20:51:14 +01:00
Samirbous
19e0de3bed
[New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I ( #573 )
* [New Rule] Convert Endgame EQL Rules to ECS EQL for Persistence Part I
* added Execution of Persistent Suspicious Program
reworked a bit and converted Endgame rule with ID d3ffda1a-690f-43e2-89fb-f8d67b99b16b Execution of Persistent Scripts
* increased 1m the maxspan
to cover also slow startup
* fixed regsvr32 pe ofn
* adjust format
* fixed process.args
* added more suspicious COM hijack options
added also URL for reference
* fixed key.path and added ScriptletURL
* Update persistence_runtime_run_key_startup_susp_procs.toml
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* eql syntax
* fixed error
* fixed error
* formatting
* formatting
* formatting
* replaced process name with path
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version
* ecs_version and optimz and refurl
* Update rules/windows/persistence_appinitdlls_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_services_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* duplicated registry hive instead of leading wildcard
* duplicated registry hive instead of leading wildcard
* Update rules/windows/persistence_appcertdlls_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_appinitdlls_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_run_key_and_startup_broad.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_run_key_and_startup_broad.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_startup_folder_scripts.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_startup_folder_scripts.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_suspicious_com_hijack_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_via_lsa_security_support_provider_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_via_lsa_security_support_provider_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* lowered maxspan to avoid FPs
* removed cmd to avoid FPs
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/persistence_appcertdlls_registry.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/persistence_appinitdlls_registry.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/persistence_registry_uncommon.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/persistence_appinitdlls_registry.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/persistence_runtime_run_key_startup_susp_procs.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-08 20:35:18 +01:00
Samirbous
16a49b3278
[New Rule] Windows Script Executing a Process via WMI ( #643 )
* [New Rule] Windows Script Executing a Process via WMI
* Update execution_scripts_process_started_via_wmi.toml
* Update execution_scripts_process_started_via_wmi.toml
* Update rules/windows/execution_scripts_process_started_via_wmi.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/execution_scripts_process_started_via_wmi.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/execution_scripts_process_started_via_wmi.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* increased maxspan
* eql syntax
* deleted ecs_version
* Update rules/windows/execution_scripts_process_started_via_wmi.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/execution_scripts_process_started_via_wmi.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/execution_scripts_process_started_via_wmi.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-08 19:23:48 +01:00
Samirbous
b98f5d4042
[New Rule] Launch Agent Creation or Modification followed by Loading ( #696 )
* [New Rule] Launch Agent Creation or Modification
* replaced file event with a sequence for precision
* fixed nice error in query
* Update rules/macos/persistence_creation_change_launch_agents_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/macos/persistence_creation_change_launch_agents_file.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* replaced : with ==
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
2020-12-08 19:08:16 +01:00
Samirbous
5483712805
[New Rule] Lolbas ImageLoad via Windows Update Client ( #366 )
* [New Rule] Lolbas ImageLoad via Windows Update Client
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update defense_evasion_execution_lolbas_wuauclt.toml
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update defense_evasion_execution_lolbas_wuauclt.toml
* removed timeline_id
* new eql syntax
* Update defense_evasion_execution_lolbas_wuauclt.toml
* ecs_version
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* removed new lines
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
* Update rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* relinted
* deleted ecs_version
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: dstepanic17 <57736958+dstepanic17@users.noreply.github.com>
2020-12-08 18:54:09 +01:00
Samirbous
1c2166b23f
[New Rule] - Execution from Unusual Directory ( #433 )
* [New Rule] - Execution from Unusual Directory
* adjusted lint
* Update execution_from_unusual_directory.toml
* small tune
* Update execution_from_unusual_directory.toml
* removed timeline_id
* adjusted executable path for better performance
* Update rules/windows/execution_from_unusual_directory.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* Update rules/windows/execution_from_unusual_directory.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* update date
* Update rules/windows/execution_from_unusual_directory.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* ecs_version
* converted to eql for case insensitivity
* ecs_version
* fixed path
* added extra path
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-08 18:46:56 +01:00
Samirbous
e7695f862f
[New Rule] Potential Credential Access with LolBas ( #620 )
* [New Rule] Potential Credential Access with LolBas
* typo
* added procdump and steam lolbins
* added cisco Jabber lobas
* eql syntax
* ecs_version
* Update rules/windows/credential_access_lolbas_dump_cmdline.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_lolbas_dump_cmdline.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* renamed rule and filename as suggested by DanStep
* adjust name and desc
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:56:25 +01:00
Samirbous
6bc4a6b9bb
[New Rule] Linux System Log Files Deleted ( #461 )
* [New Rule] Linux System Log Files Deleted
* Update defense_evasion_log_files_deleted.toml
* Update rules/linux/defense_evasion_log_files_deleted.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* added linux to rule name as sug by JLB
* ecs_version
* Update rules/linux/defense_evasion_log_files_deleted.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/linux/defense_evasion_log_files_deleted.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/linux/defense_evasion_log_files_deleted.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* adjusted format
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:34:33 +01:00
Samirbous
c0c369181a
[New Rule] New Port Forwarding Rule Added ( #630 )
* [New Rule] New Port Forwarding Rule Added
* fixed rule file name
* eql syntax
* ecs_version
* Update rules/windows/defense_evasion_port_forwarding_added_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_port_forwarding_added_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_port_forwarding_added_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:32:08 +01:00
Samirbous
35ee818854
[Rule Tuning] Suspicious Process Execution via Renamed PsExec Executable ( #502 )
* Converted suspicious execution via psexec to EQL
* adjusted procname
* eql syntax
* ecs_version
2020-12-08 17:27:16 +01:00
Samirbous
63759a4bf4
[New Rule] Lsass Memory Dump Created ( #618 )
* [New Rule] Lsass Memory Dump Created
* added Dumpert and AndrewSpecial HKTL default memory dump filenames
* added sqldumper default dmp filename
* added Out-Minidump PS default dump filename
* ecs_version
* crackmap default lsass memdmp
* Update rules/windows/credential_access_lsass_memdump_file_created.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/credential_access_lsass_memdump_file_created.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:24:51 +01:00
Samirbous
feb79c0304
[New Rule] Suspicious Execution via Scheduled Task ( #584 )
* [New Rule] Suspicious Execution via Scheduled Task
* Update persistence_suspicious_scheduled_task_runtime.toml
* Update persistence_suspicious_scheduled_task_runtime.toml
* Update rules/windows/persistence_suspicious_scheduled_task_runtime.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/persistence_suspicious_scheduled_task_runtime.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* relinted
* eql syntax
* ecs_version
* added two susp_paths as suggested by Devon
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:20:21 +01:00
Samirbous
ccea74d9d8
[New Rule] Incoming Execution via PowerShell Remoting ( #624 )
* [New Rule] Incoming Execution via PowerShell Remoting
* eql syntax
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* ecs_version
* Update rules/windows/lateral_movement_powershell_remoting_target.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:16:10 +01:00
Samirbous
0479a8f8a3
[New Rule] Image File Execution Options Injection ( #550 )
* [New Rule] Image File Execution Options Injection
* Update persistence_evasion_registry_ifeo_injection.toml
* Update persistence_evasion_registry_ifeo_injection.toml
* added FPs section
* eql syntax
* ecs_version
* Update rules/windows/persistence_evasion_registry_ifeo_injection.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* relinted
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:13:00 +01:00
Samirbous
0e78638655
[New Rule] Program Files Directory Masquerading ( #581 )
* [New Rule] Program Files Directory Masquerading
* adjusted rule description
* adj procargs to include dlls and other extensions
rundll.exe c:\program files\beacon.dll will be detected for example
* eql syntax
* ecs_version
* Update rules/windows/defense_evasion_masquerading_trusted_directory.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:04:31 +01:00
Samirbous
02e9c082df
[New Rule] Potential SharpRdp Detected ( #527 )
* [New Rule] Potential SharpRdp Detected
* Updated references
* added process execution to the sequence
added process execution to the sequence to capture the malicious process details that was executed
* Linted
* adjusted sequence
* linted
* adjusted process exec details to avoid procs termination
* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_rdp_sharprdp_target.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* eql syntax
* eql syntax
* ecs_version
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 17:00:51 +01:00
Samirbous
bd2006d70d
[New Rule] WMI Incoming Lateral Movement ( #532 )
* [New Rule] WMI Incoming Lateral Movement
* Update rules/windows/lateral_movement_incoming_wmi.toml
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
* cidrmatch returned error on 7.10 replaced by !=
* Update rules/windows/lateral_movement_incoming_wmi.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* eql syntax
* ecs_version
Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:57:41 +01:00
Samirbous
16551bbfe7
[New Rule] NTDS or SAM Database File Copied ( #622 )
* [New Rule] NTDS or SAM Database File Copied
* fixed description
* eql syntax
* Update rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* ecs_version
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:55:35 +01:00
Samirbous
e707b53a03
[New Rule] Scheduled Jobs AT Protocol Enabled ( #609 )
* [New Rule] Scheduled Jobs AT Protocol Enlabled
* fixed typo
* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* eql syntax
* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* ecs_version
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:52:17 +01:00
Samirbous
637d06f6c9
[New Rule] Mounting Hidden or WebDav Remote Shares ( #444 )
* [New Rule] Mounting Hidden or WebDav Remote Shares
* Update lateral_movement_mount_hidden_or_webdav_share_net.toml
* Update lateral_movement_mount_hidden_or_webdav_share_net.toml
* Update lateral_movement_mount_hidden_or_webdav_share_net.toml
* Update lateral_movement_mount_hidden_or_webdav_share_net.toml
* Update lateral_movement_mount_hidden_or_webdav_share_net.toml
* removed timeline_id
* adjusted args to avoid leading wildcard
* Update rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* ecs_version
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:50:09 +01:00
Samirbous
0544461b45
[New Rule] Remote Scheduled Task Creation ( #598 )
* Remote Scheduled Task Modification
* replaced file modification with registry
replaced file modification with registry to capture the task's configured action instead of the task name only, which is not useful for drill down.
* eql syntax
* Update rules/windows/lateral_movement_scheduled_task_target.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_scheduled_task_target.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_scheduled_task_target.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* adj port number for ross :)
* ecs_version
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:40:48 +01:00
Samirbous
7d7d010509
[New Rule] Persistence via Hidden Run Key ValName ( #534 )
* [New Rule] Persistence via Hidden Run Key Detected
* added strings length condition
* added description
* Update persistence_via_hidden_run_key_valuename.toml
* Update rules/windows/persistence_via_hidden_run_key_valuename.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* commented length for stability
no logic impact
* eql syntax
* ecs_version
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-08 16:38:23 +01:00
Samirbous
929277486d
[Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack ( #499 )
* [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack
* performance tuning of proc args
* replaced wildcard with in condition
* eql syntax
* ecs_version
Co-authored-by: Brent Murphy <bmurphy@endgame.com>
2020-12-08 16:34:36 +01:00
Samirbous
efba50d670
[New Rule] Enable RDP Through Registry ( #632 )
* [New Rule] Enable RDP Through Registry
* eql syntax
* Update rules/windows/lateral_movement_rdp_enabled_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_rdp_enabled_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_rdp_enabled_registry.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* ecs_version
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:32:24 +01:00
Samirbous
6b96b99dc1
[New Rule] Execution from TSClient Mountpoint ( #524 )
* [New Rule] Execution from TSClient Mountpoint
* Delete profiles_settings.xml
* Delete modules.xml
* Delete vcs.xml
* Delete windows.iml
* Delete workspace.xml
* eql syntax
* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* ecs_version
* Update rules/windows/lateral_movement_execution_from_tsclient_mup.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* linted
* deleted ecs_version
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:30:10 +01:00
Samirbous
58174015bd
[New Rule] Privilege Escalation via Windir Environment Variable ( #638 )
* [New Rule] Privilege Escalation via Windir Environment Variable
* added equiv envar
* eql syntax
* Update rules/windows/privilege_escalation_rogue_windir_environment_var.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* ecs_version
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:21:42 +01:00
Samirbous
fbecc85593
[New Rule] Incoming DCOM Lateral Movement with MMC ( #488 )
* [New Rule] Incoming DCOM Lateral Movement with MMC
* adjusted technique ID
subject to updates to all rules with new MITRE IDs
* added localhost filtering
* Update rules/windows/lateral_movement_dcom_mmc20.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* eql syntax
* Update rules/windows/lateral_movement_dcom_mmc20.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/lateral_movement_dcom_mmc20.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* port numb
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-08 16:19:26 +01:00
Samirbous
e038b34344
[New Rule] Connection to Commonly Abused Free SSL Certificate Providers ( #478 )
* [New Rule] Connection to Commonly Abused Free SSL Certificate Providers
* linted
* added explorer and notepad paths
* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
* adjusted desc
* eql syntax
* remove ecs_version
* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/command_and_control_encrypted_channel_freesslcert.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
2020-12-08 16:16:11 +01:00
Samirbous
49abcd7f4d
[New Rule] Execution from unusual directory - CommandLine ( #435 )
* [New Rule] Execution from unusual directory - cmdline
* Update execution_from_unusual_path_cmdline.toml
* Update rules/windows/execution_from_unusual_path_cmdline.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
* linted and added note as sug by JLB
* note
* ecs_version
* fixed path
* Update rules/windows/execution_from_unusual_path_cmdline.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/execution_from_unusual_path_cmdline.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
* Update rules/windows/execution_from_unusual_path_cmdline.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
2020-12-08 16:13:52 +01:00