security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
796 Commits 1 Branch 0 Tags
8bb2d274511da8cb092e851485964e437520df1d
Commit Graph

587 Commits

Author SHA1 Message Date
Austin Songer 8bb2d27451 [New Rule] GCP Kubernetes Rolebindings Created or Patched (#1267) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/gcp/credential_access_gcp_kubernetes_rolebindings_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update credential_access_gcp_kubernetes_rolebindings_creation.toml

* Update and rename credential_access_gcp_kubernetes_rolebindings_creation.toml to credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Update credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml

* Rename credential_access_gcp_kubernetes_rolebindings_created_or_patched.toml to privilege_escalation_gcp_kubernetes_rolebindings_created_or_patched.toml

* remove space from query

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 27ba204f1c)
 2021-10-15 18:43:23 +00:00
Austin Songer 8f55556006 [New Rule] Azure Blob Permissions Modification (#1499) 
* Create defense_evasion_azure_blob_permissions_modified.toml

* Update defense_evasion_azure_blob_permissions_modified.toml

* Update defense_evasion_azure_blob_permissions_modified.toml

* Update description and query (spacing)

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 7123d46623)
 2021-10-14 10:00:28 +00:00
Austin Songer 358585b2c1 [New Rule] Azure Kubernetes Events Deleted (#1307) 
* Create defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update

* Update defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update defense_evasion_kubernetes_events_deleted.toml

* Update rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Add quotes to azure query field

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 3d15c2072d)
 2021-10-14 09:58:32 +00:00
Jonhnathan fe36864c77 [New Rule] PowerShell Suspicious Discovery Related Windows API Functions (#1548) 
* PowerShell Suspicious Discovery Related Windows API Functions Initial Rule

* Update severity

* Lint

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit b7dcbbae72)
 2021-10-14 09:55:50 +00:00
Jonhnathan 8964e5d646 [Rule Tuning] Update network.direction (#1547) 
* Update network.direction

* bump updated_date

(cherry picked from commit cc241c0b5e)
 2021-10-14 00:47:33 +00:00
Austin Songer 76a60c5ca8 [New Rule] Microsoft 365 - Impossible travel activity (#1344) 
* Create initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Updated Directory

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update rules/integrations/o365/initial_access_microsoft_365_impossible_travel_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update initial_access_microsoft_365_impossible_travel_activity.toml

* Update initial_access_microsoft_365_impossible_travel_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 11fa592c6f)
 2021-10-12 22:12:31 +00:00
Austin Songer 76ca7f5fc9 [New Rule] Microsoft 365 - User Restricted from Sending Email (#1345) 
* Create initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update rules/integrations/o365/initial_access_microsoft_365_user_restricted_from_sending_email.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Update initial_access_microsoft_365_user_restricted_from_sending_email.toml

* Fix technique

* update description and FP

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit c8ac37957d)
 2021-10-12 21:34:01 +00:00
Austin Songer 7cf664b160 [New Rule] Microsoft 365 - Unusual Volume of File Deletion (#1347) 
* Create impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update rules/microsoft-365/impact_microsoft_365_unusual_volume_of_file_deletion.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Update impact_microsoft_365_unusual_volume_of_file_deletion.toml

* Add missing `\`

* Bump to prod and update description

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit fa9da023dd)
 2021-10-12 21:31:50 +00:00
Austin Songer b4d584fbc6 [New Rule] Microsoft 365 - Potential ransomware activity (#1346) 
* Create impact_microsoft_365_potential_ransomware_activity.toml

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update rules/integrations/o365/impact_microsoft_365_potential_ransomware_activity.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_microsoft_365_potential_ransomware_activity.toml

* Update impact_microsoft_365_potential_ransomware_activity.toml

* bump to prod

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 98c217ece9)
 2021-10-12 21:27:11 +00:00
Austin Songer 088c8a8354 [New Rule] AWS Route Table Modified or Deleted (#1258) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* Update

* Update .gitignore

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* Update persistence_route_table_modified_or_deleted.toml

* remove space from query

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 82e72a956b)
 2021-10-12 18:17:56 +00:00
David French 7d9f7e6a56 [New Rule] Rules to detect screensaver persistence on macOS (#1531) 
* add macos screensaver persistence rules

* change uuid

* update name

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* add T1546

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit cdbd5a6515)
 2021-10-07 14:24:41 +00:00
LaZyDK 9c9ef21878 Update defense_evasion_execution_windefend_unusual_path.toml (#1492) 
* Update defense_evasion_execution_windefend_unusual_path.toml

Add Microsoft Security Client to exclusions.

* Update defense_evasion_execution_windefend_unusual_path.toml

Update updated_date

* Updated author

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 43f0d77033)
 2021-10-05 19:38:58 +00:00
Austin Songer bd7616e912 [New Rule] AWS ElastiCache Security Group Created (#1363) 
* Create persistence_elasticache_security_group_creation.toml

* Update

* Update rules/integrations/aws/persistence_elasticache_security_group_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Rename persistence_elasticache_security_group_creation.toml to defense_evasion_elasticache_security_group_creation.toml

* Update defense_evasion_elasticache_security_group_creation.toml

* Update defense_evasion_elasticache_security_group_creation.toml

* Re-add rule.threat

* Update rules/integrations/aws/defense_evasion_elasticache_security_group_creation.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* remove extra space from query

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 9508002bb3)
 2021-10-05 17:01:33 +00:00
Austin Songer bd8eeae6ca Made these pull requests before the directory restructure. (#1517) 
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 3b0d2006b7)
 2021-10-05 12:30:40 +00:00
Austin Songer 29d1ee4ae5 [Rule Tuning] AWS RDS Snapshot Export and AWS RDS Instance Created (#1514) 
(cherry picked from commit 0a3c44e8db)
 2021-10-04 21:32:40 +00:00
Andrew Pease 89cba0af95 [Rule Tuning] Volume Shadow Copy Deletion or Resized via VssAdmin (#1524) 
* Updated rule to include resizing

* lint

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit d5a8f41864)
 2021-10-04 19:01:39 +00:00
Jonhnathan 3471522807 [New Rule] Backup Files Deletion (#1516) 
* Add Backup Files Deletion Initial Rule

* Fix creation date

* Add updated_date

* Adjust description and query

* Update Description

* Update rules/windows/impact_backup_file_deletion.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Add false_positives

* Update impact_backup_file_deletion.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit f2b58cc0ab)
 2021-10-04 18:56:48 +00:00
Austin Songer c2fc2af03b [New Rule] AWS ElastiCache Security Group Modified or Deleted (#1364) 
* Create impact_aws_elasticache_security_group_modified_or_deleted.toml

* Rename impact_aws_elasticache_security_group_modified_or_deleted.toml to impact_elasticache_security_group_modified_or_deleted.toml

* Update impact_elasticache_security_group_modified_or_deleted.toml

* Update

* Update rules/integrations/aws/impact_elasticache_security_group_modified_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update impact_elasticache_security_group_modified_or_deleted.toml

* Update impact_elasticache_security_group_modified_or_deleted.toml

* Rename impact_elasticache_security_group_modified_or_deleted.toml to defense_evasion_elasticache_security_group_modified_or_deleted.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit f41714642c)
 2021-10-04 18:39:40 +00:00
Austin Songer d0eaf3ed26 [New Rule] Volume Shadow Copy Deletion via PowerShell (#1358) 
* Create defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/windows/defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Update defense_evasion_volume_shadow_copy_deletion_via_powershell.toml

* Rename defense_evasion_volume_shadow_copy_deletion_via_powershell.toml to impact_volume_shadow_copy_deletion_via_powershell.toml

* Update impact_volume_shadow_copy_deletion_via_powershell.toml

* Add trailing /

* Update rules/windows/impact_volume_shadow_copy_deletion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 6298f7b00a)
 2021-10-04 17:59:07 +00:00
Jonhnathan 8033c0a260 Rename new_or_modified_federation_domain.toml to correspond with tactic (#1511) 
(cherry picked from commit ba9c01be50)
 2021-09-30 21:09:35 +00:00
Jonhnathan ed57d46d15 [Rule Tuning] Small update on rule descriptions (#1508) 
(cherry picked from commit 5e4a7e67df)
 2021-09-30 20:55:18 +00:00
Samirbous 1c70f69b2f [New Rule] Virtual Machine Fingerprinting via Grep (#1510) 
* [New Rule] Virtual Machine Fingerprinting via Grep

* format

* Update rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/cross-platform/discovery_virtual_machine_fingerprinting_grep.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* added reference url

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 76a0224f60)
 2021-09-30 18:41:03 +00:00
Samirbous 6f30bf3f7f [New Rule] Potential Lsass Memory Dump via MirrorDump (#1504) 
* [New Rule] Potential Lsass Memory Dump via MirrorDump

* added tactic

* switched to kql

* added sysmon process access non ecs types

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* rule.name as suggested by Justin and converted to EQL to add comments

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_potential_lsa_memdump_via_mirrordump.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 521e4dc8f1)
 2021-09-30 08:17:42 +00:00
Austin Songer 09f49da822 [New Rule] Azure Frontdoor Web Application Firewall (WAF) Policy Deleted (#1393) 
(cherry picked from commit d28c48f20f)
 2021-09-29 17:09:18 +00:00
Austin Songer ba458dea13 [New Rule] New or Modified Federation Domain (#1212) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create persistence_new-or-modified-federation-domain.toml

* Rename persistence_new-or-modified-federation-domain.toml to persistence_new_or_modified_federation_domain.toml

* Update persistence_new_or_modified_federation_domain.toml

* Update .gitignore

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/microsoft-365/persistence_new_or_modified_federation_domain.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update persistence_new_or_modified_federation_domain.toml

* Update persistence_new_or_modified_federation_domain.toml

* Update persistence_new_or_modified_federation_domain.toml

* Update

* Update persistence_new_or_modified_federation_domain.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit a51ed86851)
 2021-09-29 12:17:22 +00:00
Austin Songer 17845c2bf9 [New Rule] O365 Exchange Suspicious Mailbox Right Delegation (#1211) 
(cherry picked from commit 5ac7fb639c)
 2021-09-27 21:19:34 +00:00
Justin Ibarra 371247b0b2 [Rule Tuning] Add system index to Windows Event Logs Cleared (#1502) 
(cherry picked from commit 63d6a54804)
 2021-09-24 17:06:02 +00:00
Jonhnathan 5b13666054 [Rule Tuning] Update threat mappings for Windows rules (#1497) 
* Windows Rules Att&ck Mapping review

* Bump updated_date and fix reference URLs

* Fix subtechnique

* Fix test errors

(cherry picked from commit 61afb1c1c0)
 2021-09-23 17:09:43 +00:00
Austin Songer 216d06ef30 [New Rule] AWS STS GetSessionToken Abuse (#1213) 
* Update impact_iam_deactivate_mfa_device.toml

https://github.com/elastic/detection-rules/issues/1111

* Update impact_iam_deactivate_mfa_device.toml

* Update discovery_post_exploitation_external_ip_lookup.toml

        "*ipapi.co",
        "*ip-lookup.net",
        "*ipstack.com"

* Update rules/aws/impact_iam_deactivate_mfa_device.toml

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>

* Revert "Update discovery_post_exploitation_external_ip_lookup.toml"

This reverts commit b57fd60c9511e20a336d32a9c9b8d5cf9954c50e.

* Update

* New Rule: Okta User Attempted Unauthorized Access

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Update privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Delete privilege_escalation_okta_user_attempted_unauthorized_access.toml

* Create persistence_new-or-modified-federation-domain.toml

* Delete persistence_new-or-modified-federation-domain.toml

* Create lateral_movement_sts_getsessiontoken_abuse.toml

* Rename lateral_movement_sts_getsessiontoken_abuse.toml to privilege_escalation_sts_getsessiontoken_abuse.toml

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update rules/aws/privilege_escalation_sts_getsessiontoken_abuse.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update .gitignore

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update privilege_escalation_sts_getsessiontoken_abuse.toml

* Update

* Update rules/integrations/aws/privilege_escalation_sts_getsessiontoken_abuse.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 93b8038d7d)
 2021-09-22 19:29:04 +00:00
Austin Songer 0610e66ec2 [New Rule] Okta User Attempted Unauthorized Access (#1209) 
(cherry picked from commit 3e2cf4f53e)
 2021-09-22 06:45:27 +00:00
Justin Ibarra 98735808ab [Rule Tuning] Fix typos in rule metadata (#1494) 
Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

(cherry picked from commit 8e3b1d28c4)
 2021-09-21 19:32:05 +00:00
Jonhnathan c1a0398c3f Additional Att&ck Mappings for credential access Rules (#1495) 
Updates MITRE Technique IDs for Credential Access DRs

(cherry picked from commit f6421d8c53)
 2021-09-21 16:05:25 +00:00
Khristinin Nikita 2bb9fdb724 Add default timestamp condition for threat_query (#1486) 
(cherry picked from commit 10a977914b)
 2021-09-20 19:20:58 +00:00
dstepanic17 c864538606 [rule-tuning] Adding more context with triage/investigation (#1481) 
* [rule-tuning] Adding more context with triage/investigation

* Adding mimikatz rule

* Fixed updated date on mimikatz rule

* Adding Defender update

* Adding scheduled task

* Adding AdFind

* Adding rare process

* Adding cloudtrail country

* Adding cloudtrail spike

* Adding threat intel

* Fixed minor spelling/syntax

* Fixed minor spelling/syntax p2

* Update rules/cross-platform/threat_intel_module_match.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/integrations/aws/ml_cloudtrail_error_message_spike.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/ml/ml_rare_process_by_host_windows.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_mimikatz_powershell_module.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/credential_access_mimikatz_powershell_module.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/defense_evasion_defender_exclusion_via_powershell.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/windows/discovery_adfind_command_activity.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Removed MITRE link, added Microsoft

* Update ml_cloudtrail_error_message_spike.toml

* Update ml_cloudtrail_rare_method_by_country.toml

* Update ml_rare_process_by_host_windows.toml

* Update credential_access_mimikatz_powershell_module.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update discovery_adfind_command_activity.toml

* Update lateral_movement_dns_server_overflow.toml

* Update lateral_movement_scheduled_task_target.toml

* Update persistence_evasion_registry_startup_shell_folder_modified.toml

* Update defense_evasion_defender_exclusion_via_powershell.toml

* Update lateral_movement_scheduled_task_target.toml

* Update persistence_evasion_registry_startup_shell_folder_modified.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 9ff3873ee7)
 2021-09-16 01:08:23 +00:00
Justin Ibarra 31202bf4f6 [Rule tuning] Fix typo in ML rule descriptions (#1484) 
(cherry picked from commit 51a2bc815b)
 2021-09-14 16:37:55 +00:00
Samirbous 105a1fd023 [New Rule] Behavior Rule for CVE-2021-40444 Exploitation (#1479) 
* [New Rule] Behavior Rule for CVE-2021-40444 Exploitation

* added a ref

* replaced \ with /

* removed unecessary wildcard

(cherry picked from commit 0875c1e4c4)
 2021-09-08 19:27:16 +00:00
dstepanic17 88bfc67638 Adding control.exe (#1477) 
(cherry picked from commit cb27c686e0)
 2021-09-08 18:31:51 +00:00
Ross Wolf 2ef59e918f Revert #1440 new endpoint promotion rule (#1470) 
* Revert #1440 new endpoint promotion rule
* Set the updated_at date

Removed changes from:
- rules/integrations/endpoint/elastic_endpoint_security_behavior_protection.toml

(selectively cherry picked from commit c9d6527280)
 2021-09-03 14:08:22 +00:00
Justin Ibarra 2a2bcbd870 [Rule tuning] Fix spacing in reference URLs (#1455) 
(cherry picked from commit 655f7d91d0)
 2021-09-01 00:00:06 +00:00
Nic 20a814c47f [Rule tuning] Azure Active Directory High Risk Sign-in (#1463) 
* Add Aggregated Risk Level
* There can be a risk_level_during_signin:low but have a risk_level_aggregated:high which is also just as concerning and must be alerted on.
* An example is a password spray attack and have a successful login. Which makes me consider a new rule for interesting risk event types

(cherry picked from commit 8b2c8c2e03)
 2021-08-30 22:34:47 +00:00
Ross Wolf 1f7c404548 Remove the 7.15+ behavior protection promotion rule 2021-08-26 08:51:38 -06:00
Ross Wolf 34ab6c81d3 [New Rule] Endpoint Security Behavior Protection (#1440) 
* [New Rule] Endpoint Security Behavioral Protection
* Update readme and labeler for endpoint integration
* Fix new rule to use event.code
* Fix old rule to use event.code
* Changed from behavioral to behavior
* Rename elastic_endpoint_security_behavioral.toml to elastic_endpoint_security_behavior_protection.toml
* Back from the future (updated_date)

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

(cherry picked from commit 3b338baab0)
 2021-08-25 15:58:03 +00:00
dstepanic17 689e690f8c [New rule] Webshell Detection (#1448) 
* [new-rule] Webshell Detection

* Update rules/windows/persistence_webshell_detection.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Added FP note section

* Update rules/windows/persistence_webshell_detection.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 8ddffc298b)
 2021-08-24 20:19:32 +00:00
Justin Ibarra cc75f645b6 [Rule Tuning] Add technique T1005 to 2 rules (#1405) 
(cherry picked from commit 8099e1c733)
 2021-08-20 08:20:32 +00:00
Austin Songer 94190321c1 [Rule Tuning] AWS Security Group Configuration Change Detection (#1426) 
* move rule "AWS Security Group Configuration Change Detection" to integrations directory and add "aws" integration

(cherry picked from commit 3b29498907)
 2021-08-15 04:35:07 +00:00
Christian Clauss 604fd2a18f Fix typos discovered by codespell (#1430) 
(cherry picked from commit ddec37b731)
 2021-08-15 04:30:11 +00:00
Austin Songer e170935f1f [New Rule] AWS EC2 Security Group Configuration Change Detection (#1144) 
(cherry picked from commit 67ba66c8e7)
 2021-08-12 19:38:05 +00:00
David French 9e6c107de5 [New Rule] Whitespace Padding in Process Command Line (#1392) 
* Create defense_evasion_whitespace_padding_in_command_line.toml

* add newline

* update description

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Ross Wolf <31489089+rw-access@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 14493689b9)
 2021-08-11 16:16:05 +00:00
Justin Ibarra 121431b40b Refresh ATT&CK mappings to v9.0 (#1401) 
* Refresh ATT&CK mappings to v9.0
* Update rules to reflect ATT&CK changes

(cherry picked from commit d31ea6253e)
 2021-08-04 22:17:11 +00:00
Justin Ibarra 742253c61d [Rule tuning] Revise rule description and other text (#1398) 
(cherry picked from commit f8f643041a)
 2021-08-03 21:08:48 +00:00