8ee1b2ffd4
Fix the version lock update code ( #1064 )
...
* Fix the version lock update code
* Add Rule.lock_info() method
2021-03-25 14:48:31 -06:00
c0af222e7e
Move Rule into a dataclass ( #1029 )
...
* WIP: Convert Rule to a dataclass
* Fix make release
* Lint fixes
* Remove dead code
* Fix lint and tests
* Use Python 3.8 in GitHub actions
* Update README to 3.8+
* Add Python 3.8 assertion
* Fix is_dirty property
* Remove incorrect pop from contents
* Add mixin with from_dict() and to_dict() methods
* Bypass validation for deprecated rules
* Fix rule_prompt
* Fix dict_hash usage
* Fix rule_event_search
* Switch to definitions.Date
* Fix toml-lint command, ignoring 'unneeded defaults'
* Moved severity Literal to definitions.Severity
* Remove BaseMarshmallowDataclass
* Fix lint and tests
* Add maturity to metadata for rule prompt loop
* Fix typo in devtools
* Use rule loader to load single rule in toml-lint
* Add Schema hint to __schema method
* Add MITREAttackURL definition
* Fix is_dirty to compare sha<-->sha
* Normalize the autoformatted rule output for API and toml-lint
* Make the package hash match
* Make the rule object mutable but not rule contents
* Restore the rules
2021-03-24 10:24:32 -06:00
cc6711c240
add reference to DGA and solarwinds blogs in ml_dga.md
2021-03-19 10:58:51 -08:00
6963c5a445
Change asset type to security_rule ( #1054 )
...
* Change asset type to security_rule
* Add notice.txt
2021-03-19 08:55:02 -06:00
687c9feba3
[Rule Tuning] Persistence via Login or Logout Hook ( #1020 )
...
* [Rule Tuning] Persistence via Login or Logout Hook
* update date
* Update rules/macos/persistence_login_logout_hooks_defaults.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-03-19 10:32:51 +01:00
3e1169317f
[Rule Tuning] Timestomping using Touch Command ( #1006 )
...
* [Rule Tuning] Timestomping using Touch Command
* removed process_started from event.type
* update date
* Update defense_evasion_timestomp_touch.toml
* lint and resolve conflict
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
2021-03-19 10:26:40 +01:00
9cff72bbcb
[Rule Tuning] Connection to Commonly Abused Web Services ( #1016 )
2021-03-19 10:23:12 +01:00
dd1214627a
[Rule Tuning] Modification of Environment Variable via Launchctl ( #1010 )
...
* [Rule Tuning] Modification of Environment Variable via Launchctl
* update date
2021-03-19 10:20:04 +01:00
04f3cd967d
[Rule Tuning] Execution from Unusual Directory - Command Line ( #1012 )
...
* [Rule Tuning] Execution from Unusual Directory - Command Line
* format change as per JLB sugg
2021-03-19 10:16:47 +01:00
511a74ef27
[Rule Tuning] Merge and Delete duplicate rules for Registration Utilities ( #1028 )
...
* [Rule Tuning] Merge and Delete duplicate rules for Registration Utilities
* Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* restored Execution via Regsvcs/Regasm
* restored changes
* deprecated 1rule, deleted 1 and tuned 1
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-03-19 10:05:09 +01:00
be3c7eaf45
[Rule Tuning] WebProxy Settings Modification ( #1008 )
...
* [Rule Tuning] WebProxy Settings Modification
* kql optimz test
* update date
2021-03-19 10:00:50 +01:00
83dfe911bc
[Rule Tuning] Program Files Directory Masquerading ( #1018 )
...
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-03-19 09:55:08 +01:00
bcc8b6922c
[Rule Tuning] Suspicious macOS MS Office Child Process ( #1022 )
...
* [Rule Tuning] Suspicious macOS MS Office Child Process
* comment for exclusions
* Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-03-19 09:48:27 +01:00
8e139012f7
[Rule Tuning] Unusual Process Execution Path - Alternate Data Stream ( #1014 )
...
* [Rule Tuning] Unusual Process Execution Path - Alternate Data Stream
* Revert "[Rule Tuning] Unusual Process Execution Path - Alternate Data Stream"
This reverts commit 2bf2c33002f08fec1d9cc64da9795bb189625e4d.
* [Rule Tuning] Unusual Process Execution Path - Alternate Data Stream
* Update rules/windows/defense_evasion_unusual_dir_ads.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com >
2021-03-19 09:45:57 +01:00
f800199cc5
[Rule Tuning] Access to Keychain Credentials Directories ( #999 )
...
* [Rule Tuning] Access to Keychain Credentials Directories
* Update rules/macos/credential_access_credentials_keychains.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* update_date
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
2021-03-19 09:42:32 +01:00
04ea1a72c7
[Rule Tuning] Security Software Discovery via Grep ( #994 )
...
* [Rule Tuning] Security Software Discovery via Grep
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/cross-platform/discovery_security_software_grep.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-03-18 15:46:26 +01:00
21290cc055
[Rule Tuning] Command Shell Activity Started via RunDLL32 ( #996 )
...
* [Rule Tuning] Command Shell Activity Started via RunDLL32
* relinted and added FP note
* update_date
* Update rules/windows/execution_command_shell_via_rundll32.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/execution_command_shell_via_rundll32.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-03-18 15:14:22 +01:00
32714b8527
[Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack ( #988 )
...
* [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack
* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-03-18 15:11:42 +01:00
bc74838c0b
[Rule Tuning] Suspicious WerFault Child Process ( #990 )
...
* [Rule Tuning] Suspicious WerFault Child Process
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-03-18 15:08:44 +01:00
0ca39df508
remove labeler action files
2021-03-17 19:19:32 -08:00
8e12fe7136
Create labeler.yml
...
add labeler config
2021-03-17 11:40:23 -08:00
d4cc4432ce
Add tests to ensure rules are properly deprecated ( #1050 )
...
* Add tests to ensure rules are properly deprecated
* add deprecate-rule command
2021-03-16 21:31:33 -08:00
93f8f2dd94
Change asset type for integration to security-rule ( #1048 )
2021-03-16 16:05:30 -06:00
5c2da0b5c4
Move Rule.build to cli_utils.rule_prompt ( #1024 )
...
* Move Rule.build to cli_utils.rule_prompt
* Fix build_threat_map_entry lint
* Fix license and add docstring
2021-03-09 16:37:53 -07:00
fc9dfde2c4
Generate an integrations package from a release ( #983 )
...
* Generate an integrations package files during a release build
2021-03-09 13:30:12 -09:00
2fe48e3225
Merge pull request #1004 from brokensound77/merge-7.12-to-main
2021-03-08 20:31:41 -09:00
4b5d2542cf
Merge remote-tracking branch 'upstream/main' into merge-7.12-to-main
2021-03-08 14:41:21 -09:00
0b65678d8c
[Rule tuning] Correct tags with associated threat mappings ( #1003 )
2021-03-08 14:12:29 -09:00
309edf7f4a
Create initial_access_suspicious_ms_exchange_worker_child_process.toml ( #1001 )
2021-03-08 16:45:27 -05:00
0e0b2ea1a4
Update schema for threshold rule type for 7.12 ( #976 )
...
* Update schema for threshold rule type for 7.12
* add downgrade function to drop new fields
* update existing threshold rules
2021-03-05 14:35:50 -09:00
0ef7d87b34
[Rule Tuning] Fix inconsistent rule indexes ( #974 )
...
* [Rule Tuning] Fix inconsistent rule indexes
* cleaned up tests that load rules to leverage setUpClass
2021-03-05 11:16:02 -09:00
3b7eedcc31
wrap azure operation name ( #981 )
2021-03-04 17:50:19 -05:00
4d3ef43b01
[Rule Tuning] Update "Endpoint Security" to "Elastic Endgame" for the relevant Endgame promotion rules ( #978 )
...
* update Endpoint Security to Elastic Endgame for relevant rules
* Update elastic_endpoint_security.toml
* Update test_all_rules.py
2021-03-04 17:21:17 -05:00
4494b02e01
[New Rule] Microsoft Exchange Server’s Unified Messaging Spawning Vulnerability - CVE-2021-26857 ( #979 )
...
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
2021-03-04 16:46:49 -05:00
13a6036fcc
[New Rule] HAFNIUM MS Exchange UM Service Writing - CVE-2021-26858 ( #980 )
...
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <bmurphy@endgame.com >
2021-03-04 12:40:21 -09:00
3fc34b86f2
Update License to Elastic v2 ( #944 )
2021-03-03 22:12:11 -09:00
8c4df09542
[New Rule] Installer Spawning cURL from macOS Package ( #960 )
...
* initial commit
* extra lint extra test
* Update rules/macos/execution_curl_spawned_from_installer_package.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
* Update rules/macos/execution_curl_spawned_from_installer_package.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/macos/execution_curl_spawned_from_installer_package.toml
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
* Update rules/macos/execution_curl_spawned_from_installer_package.toml
Co-authored-by: Derek Ditch <dcode@users.noreply.github.com >
* moved to EQL
* Update rules/macos/execution_installer_spawned_network_event.toml
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com >
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com >
Co-authored-by: Derek Ditch <dcode@users.noreply.github.com >
2021-02-26 09:46:01 -06:00
3d4aee263f
Update issue templates ( #956 )
2021-02-23 11:16:03 -09:00
7b9ae51bcf
Bump EQL dependency to 0.9.9
...
Also pinned the version more explicitly, so that we're less likely to run into errors and get more deterministic builds.
2021-02-22 11:49:31 -07:00
b04218ec21
[CLI] Add repo option to kibana-diff command ( #952 )
2021-02-17 23:49:40 -09:00
645a0cd67b
[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules ( #945 )
...
* [Rule Tuning] Add timestamp_override field to rules
* add tests for lookback and timestamp_override
* fix dates and add test to ensure updated > creation
2021-02-17 19:49:58 -09:00
134b310fdd
Merge pull request #950 from brokensound77/merge-7.11-to-7.12
...
* lock versions for rule changes in v7.11.0 (#947 )
* [Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948 )
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
* [Rule Tuning] Remove timestamp_override for endgame-* promotion rules (#951 )
2021-02-17 14:26:54 -09:00
2e0bb6c617
remove deprecated rule again
2021-02-17 14:15:21 -09:00
a77bd6178f
Merge remote-tracking branch 'upstream/7.11' into merge-7.11-to-7.12
...
# Conflicts:
# rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
2021-02-17 14:11:50 -09:00
90a9320f93
[Rule Tuning] Remove timestamp_override for endgame-* promotion rules ( #951 )
...
* remove timestamp_override from endgame promotion rules
* updated version.lock to previous state for endgame promotion rule changes
* fix incorrect year in updated_date
2021-02-17 13:48:57 -09:00
32e3c02c4e
remove deprecated rule
2021-02-17 12:19:36 -09:00
6ce418877f
Merge remote-tracking branch 'upstream/7.12' into merge-7.11-to-7.12
...
# Conflicts:
# etc/version.lock.json
# rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml
# rules/cross-platform/impact_hosts_file_modified.toml
# rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml
# rules/cross-platform/privilege_escalation_sudoers_file_mod.toml
# rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml
# rules/linux/defense_evasion_timestomp_touch.toml
# rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml
# rules/macos/credential_access_credentials_keychains.toml
# rules/macos/credential_access_promt_for_pwd_via_osascript.toml
# rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml
# rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml
# rules/promotions/external_alerts.toml
# rules/windows/collection_email_powershell_exchange_mailbox.toml
# rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml
# rules/windows/collection_winrar_encryption.toml
# rules/windows/command_and_control_common_webservices.toml
# rules/windows/command_and_control_encrypted_channel_freesslcert.toml
# rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml
# rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml
# rules/windows/command_and_control_teamviewer_remote_file_copy.toml
# rules/windows/credential_access_cmdline_dump_tool.toml
# rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml
# rules/windows/credential_access_credential_dumping_msbuild.toml
# rules/windows/credential_access_domain_backup_dpapi_private_keys.toml
# rules/windows/credential_access_dump_registry_hives.toml
# rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml
# rules/windows/credential_access_iis_connectionstrings_dumping.toml
# rules/windows/credential_access_kerberoasting_unusual_process.toml
# rules/windows/credential_access_lsass_memdump_file_created.toml
# rules/windows/credential_access_mimikatz_memssp_default_logs.toml
# rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml
# rules/windows/defense_evasion_clearing_windows_event_logs.toml
# rules/windows/defense_evasion_code_injection_conhost.toml
# rules/windows/defense_evasion_cve_2020_0601.toml
# rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml
# rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml
# rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml
# rules/windows/defense_evasion_dotnet_compiler_parent_process.toml
# rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml
# rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml
# rules/windows/defense_evasion_execution_lolbas_wuauclt.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_script.toml
# rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml
# rules/windows/defense_evasion_execution_msbuild_started_renamed.toml
# rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml
# rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml
# rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml
# rules/windows/defense_evasion_hide_encoded_executable_registry.toml
# rules/windows/defense_evasion_iis_httplogging_disabled.toml
# rules/windows/defense_evasion_injection_msbuild.toml
# rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml
# rules/windows/defense_evasion_masquerading_renamed_autoit.toml
# rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml
# rules/windows/defense_evasion_masquerading_trusted_directory.toml
# rules/windows/defense_evasion_modification_of_boot_config.toml
# rules/windows/defense_evasion_port_forwarding_added_registry.toml
# rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml
# rules/windows/defense_evasion_sdelete_like_filename_rename.toml
# rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml
# rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
# rules/windows/defense_evasion_suspicious_zoom_child_process.toml
# rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml
# rules/windows/defense_evasion_unusual_dir_ads.toml
# rules/windows/defense_evasion_unusual_system_vp_child_program.toml
# rules/windows/defense_evasion_via_filter_manager.toml
# rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml
# rules/windows/discovery_adfind_command_activity.toml
# rules/windows/discovery_admin_recon.toml
# rules/windows/discovery_file_dir_discovery.toml
# rules/windows/discovery_net_command_system_account.toml
# rules/windows/discovery_net_view.toml
# rules/windows/discovery_peripheral_device.toml
# rules/windows/discovery_process_discovery_via_tasklist_command.toml
# rules/windows/discovery_query_registry_via_reg.toml
# rules/windows/discovery_remote_system_discovery_commands_windows.toml
# rules/windows/discovery_security_software_wmic.toml
# rules/windows/discovery_whoami_command_activity.toml
# rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml
# rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml
# rules/windows/execution_command_shell_started_by_powershell.toml
# rules/windows/execution_command_shell_started_by_svchost.toml
# rules/windows/execution_command_shell_started_by_unusual_process.toml
# rules/windows/execution_command_shell_via_rundll32.toml
# rules/windows/execution_from_unusual_directory.toml
# rules/windows/execution_from_unusual_path_cmdline.toml
# rules/windows/execution_shared_modules_local_sxs_dll.toml
# rules/windows/execution_suspicious_cmd_wmi.toml
# rules/windows/execution_suspicious_image_load_wmi_ms_office.toml
# rules/windows/execution_suspicious_pdf_reader.toml
# rules/windows/execution_suspicious_powershell_imgload.toml
# rules/windows/execution_suspicious_psexesvc.toml
# rules/windows/execution_suspicious_short_program_name.toml
# rules/windows/execution_via_compiled_html_file.toml
# rules/windows/execution_via_hidden_shell_conhost.toml
# rules/windows/execution_via_net_com_assemblies.toml
# rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml
# rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml
# rules/windows/initial_access_script_executing_powershell.toml
# rules/windows/initial_access_suspicious_ms_office_child_process.toml
# rules/windows/initial_access_suspicious_ms_outlook_child_process.toml
# rules/windows/initial_access_unusual_dns_service_children.toml
# rules/windows/initial_access_unusual_dns_service_file_writes.toml
# rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml
# rules/windows/lateral_movement_execution_from_tsclient_mup.toml
# rules/windows/lateral_movement_local_service_commands.toml
# rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml
# rules/windows/lateral_movement_rdp_enabled_registry.toml
# rules/windows/lateral_movement_rdp_tunnel_plink.toml
# rules/windows/lateral_movement_remote_file_copy_hidden_share.toml
# rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml
# rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml
# rules/windows/persistence_adobe_hijack_persistence.toml
# rules/windows/persistence_appcertdlls_registry.toml
# rules/windows/persistence_appinitdlls_registry.toml
# rules/windows/persistence_evasion_registry_ifeo_injection.toml
# rules/windows/persistence_gpo_schtask_service_creation.toml
# rules/windows/persistence_local_scheduled_task_commands.toml
# rules/windows/persistence_ms_office_addins_file.toml
# rules/windows/persistence_ms_outlook_vba_template.toml
# rules/windows/persistence_priv_escalation_via_accessibility_features.toml
# rules/windows/persistence_registry_uncommon.toml
# rules/windows/persistence_run_key_and_startup_broad.toml
# rules/windows/persistence_services_registry.toml
# rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml
# rules/windows/persistence_startup_folder_scripts.toml
# rules/windows/persistence_suspicious_com_hijack_registry.toml
# rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml
# rules/windows/persistence_suspicious_scheduled_task_runtime.toml
# rules/windows/persistence_suspicious_service_created_registry.toml
# rules/windows/persistence_system_shells_via_services.toml
# rules/windows/persistence_user_account_creation.toml
# rules/windows/persistence_via_application_shimming.toml
# rules/windows/persistence_via_hidden_run_key_valuename.toml
# rules/windows/persistence_via_lsa_security_support_provider_registry.toml
# rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml
# rules/windows/persistence_via_update_orchestrator_service_hijack.toml
# rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml
# rules/windows/privilege_escalation_named_pipe_impersonation.toml
# rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml
# rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml
# rules/windows/privilege_escalation_rogue_windir_environment_var.toml
# rules/windows/privilege_escalation_uac_bypass_com_clipup.toml
# rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml
# rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml
# rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml
# rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml
# rules/windows/privilege_escalation_uac_bypass_event_viewer.toml
# rules/windows/privilege_escalation_uac_bypass_mock_windir.toml
# rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml
# rules/windows/privilege_escalation_unusual_parentchild_relationship.toml
# rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml
2021-02-17 12:18:06 -09:00
61deed3fd2
[Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules ( #948 )
...
* [Rule Tuning] Add timestamp_override field to 7.11.0 rules
* Lock versions for 7.11.2 rules
2021-02-16 10:52:48 -09:00
66be82808c
lock versions for rule changes in v7.11.0 ( #947 )
2021-02-16 09:13:38 -09:00
4e6ff388fc
[Rule Tuning] Feedback from 7.12 Kibana PR ( #942 )
2021-02-11 13:32:58 -09:00
Ross Wolf