sigma-rules

Author	SHA1	Message	Date
Samirbous	687c9feba3	[Rule Tuning] Persistence via Login or Logout Hook (#1020 ) * [Rule Tuning] Persistence via Login or Logout Hook * update date * Update rules/macos/persistence_login_logout_hooks_defaults.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-03-19 10:32:51 +01:00
Samirbous	3e1169317f	[Rule Tuning] Timestomping using Touch Command (#1006 ) * [Rule Tuning] Timestomping using Touch Command * removed process_started from event.type * update date * Update defense_evasion_timestomp_touch.toml * lint and resolve conflict Co-authored-by: Brent Murphy <bmurphy@endgame.com>	2021-03-19 10:26:40 +01:00
Samirbous	9cff72bbcb	[Rule Tuning] Connection to Commonly Abused Web Services (#1016 )	2021-03-19 10:23:12 +01:00
Samirbous	dd1214627a	[Rule Tuning] Modification of Environment Variable via Launchctl (#1010 ) * [Rule Tuning] Modification of Environment Variable via Launchctl * update date	2021-03-19 10:20:04 +01:00
Samirbous	04f3cd967d	[Rule Tuning] Execution from Unusual Directory - Command Line (#1012 ) * [Rule Tuning] Execution from Unusual Directory - Command Line * format change as per JLB sugg	2021-03-19 10:16:47 +01:00
Samirbous	511a74ef27	[Rule Tuning] Merge and Delete duplicate rules for Registration Utilities (#1028 ) * [Rule Tuning] Merge and Delete duplicate rules for Registration Utilities * Update rules/windows/execution_register_server_program_connecting_to_the_internet.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * restored Execution via Regsvcs/Regasm * restored changes * deprecated 1rule, deleted 1 and tuned 1 Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-03-19 10:05:09 +01:00
Samirbous	be3c7eaf45	[Rule Tuning] WebProxy Settings Modification (#1008 ) * [Rule Tuning] WebProxy Settings Modification * kql optimz test * update date	2021-03-19 10:00:50 +01:00
Samirbous	83dfe911bc	[Rule Tuning] Program Files Directory Masquerading (#1018 ) Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-03-19 09:55:08 +01:00
Samirbous	bcc8b6922c	[Rule Tuning] Suspicious macOS MS Office Child Process (#1022 ) * [Rule Tuning] Suspicious macOS MS Office Child Process * comment for exclusions * Update rules/macos/initial_access_suspicious_mac_ms_office_child_process.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-03-19 09:48:27 +01:00
Samirbous	8e139012f7	[Rule Tuning] Unusual Process Execution Path - Alternate Data Stream (#1014 ) * [Rule Tuning] Unusual Process Execution Path - Alternate Data Stream * Revert "[Rule Tuning] Unusual Process Execution Path - Alternate Data Stream" This reverts commit 2bf2c33002f08fec1d9cc64da9795bb189625e4d. * [Rule Tuning] Unusual Process Execution Path - Alternate Data Stream * Update rules/windows/defense_evasion_unusual_dir_ads.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-03-19 09:45:57 +01:00
Samirbous	f800199cc5	[Rule Tuning] Access to Keychain Credentials Directories (#999 ) * [Rule Tuning] Access to Keychain Credentials Directories * Update rules/macos/credential_access_credentials_keychains.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * update_date Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-03-19 09:42:32 +01:00
Samirbous	04ea1a72c7	[Rule Tuning] Security Software Discovery via Grep (#994 ) * [Rule Tuning] Security Software Discovery via Grep * Update rules/cross-platform/discovery_security_software_grep.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/cross-platform/discovery_security_software_grep.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/cross-platform/discovery_security_software_grep.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/cross-platform/discovery_security_software_grep.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/cross-platform/discovery_security_software_grep.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/discovery_security_software_grep.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-03-18 15:46:26 +01:00
Samirbous	21290cc055	[Rule Tuning] Command Shell Activity Started via RunDLL32 (#996 ) * [Rule Tuning] Command Shell Activity Started via RunDLL32 * relinted and added FP note * update_date * Update rules/windows/execution_command_shell_via_rundll32.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/execution_command_shell_via_rundll32.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-03-18 15:14:22 +01:00
Samirbous	32714b8527	[Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack (#988 ) * [Rule Tuning] UAC Bypass via DiskCleanup Scheduled Task Hijack * Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-03-18 15:11:42 +01:00
Samirbous	bc74838c0b	[Rule Tuning] Suspicious WerFault Child Process (#990 ) * [Rule Tuning] Suspicious WerFault Child Process * Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-03-18 15:08:44 +01:00
Justin Ibarra	d4cc4432ce	Add tests to ensure rules are properly deprecated (#1050 ) * Add tests to ensure rules are properly deprecated * add deprecate-rule command	2021-03-16 21:31:33 -08:00
Justin Ibarra	0b65678d8c	[Rule tuning] Correct tags with associated threat mappings (#1003 )	2021-03-08 14:12:29 -09:00
Brent Murphy	309edf7f4a	Create initial_access_suspicious_ms_exchange_worker_child_process.toml (#1001 )	2021-03-08 16:45:27 -05:00
Justin Ibarra	0e0b2ea1a4	Update schema for threshold rule type for 7.12 (#976 ) * Update schema for threshold rule type for 7.12 * add downgrade function to drop new fields * update existing threshold rules	2021-03-05 14:35:50 -09:00
Justin Ibarra	0ef7d87b34	[Rule Tuning] Fix inconsistent rule indexes (#974 ) * [Rule Tuning] Fix inconsistent rule indexes * cleaned up tests that load rules to leverage setUpClass	2021-03-05 11:16:02 -09:00
Brent Murphy	3b7eedcc31	wrap azure operation name (#981 )	2021-03-04 17:50:19 -05:00
Brent Murphy	4d3ef43b01	[Rule Tuning] Update "Endpoint Security" to "Elastic Endgame" for the relevant Endgame promotion rules (#978 ) * update Endpoint Security to Elastic Endgame for relevant rules * Update elastic_endpoint_security.toml * Update test_all_rules.py	2021-03-04 17:21:17 -05:00
Andrew Pease	4494b02e01	[New Rule] Microsoft Exchange Server’s Unified Messaging Spawning Vulnerability - CVE-2021-26857 (#979 ) Co-authored-by: Brent Murphy <bmurphy@endgame.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-03-04 16:46:49 -05:00
Andrew Pease	13a6036fcc	[New Rule] HAFNIUM MS Exchange UM Service Writing - CVE-2021-26858 (#980 ) Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <bmurphy@endgame.com>	2021-03-04 12:40:21 -09:00
Justin Ibarra	3fc34b86f2	Update License to Elastic v2 (#944 )	2021-03-03 22:12:11 -09:00
Andrew Pease	8c4df09542	[New Rule] Installer Spawning cURL from macOS Package (#960 ) * initial commit * extra lint extra test * Update rules/macos/execution_curl_spawned_from_installer_package.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update rules/macos/execution_curl_spawned_from_installer_package.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_curl_spawned_from_installer_package.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/execution_curl_spawned_from_installer_package.toml Co-authored-by: Derek Ditch <dcode@users.noreply.github.com> * moved to EQL * Update rules/macos/execution_installer_spawned_network_event.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Derek Ditch <dcode@users.noreply.github.com>	2021-02-26 09:46:01 -06:00
Justin Ibarra	645a0cd67b	[Rule Tuning] Add timestamp_override to all query and non-sequence EQL rules (#945 ) * [Rule Tuning] Add timestamp_override field to rules * add tests for lookback and timestamp_override * fix dates and add test to ensure updated > creation	2021-02-17 19:49:58 -09:00
brokensound77	2e0bb6c617	remove deprecated rule again	2021-02-17 14:15:21 -09:00
brokensound77	a77bd6178f	Merge remote-tracking branch 'upstream/7.11' into merge-7.11-to-7.12 # Conflicts: # rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml	2021-02-17 14:11:50 -09:00
Justin Ibarra	90a9320f93	[Rule Tuning] Remove timestamp_override for endgame-* promotion rules (#951 ) * remove timestamp_override from endgame promotion rules * updated version.lock to previous state for endgame promotion rule changes * fix incorrect year in updated_date	2021-02-17 13:48:57 -09:00
brokensound77	32e3c02c4e	remove deprecated rule	2021-02-17 12:19:36 -09:00
brokensound77	6ce418877f	Merge remote-tracking branch 'upstream/7.12' into merge-7.11-to-7.12 # Conflicts: # etc/version.lock.json # rules/cross-platform/defense_evasion_deleting_websvr_access_logs.toml # rules/cross-platform/impact_hosts_file_modified.toml # rules/cross-platform/privilege_escalation_setuid_setgid_bit_set_via_chmod.toml # rules/cross-platform/privilege_escalation_sudoers_file_mod.toml # rules/linux/defense_evasion_deletion_of_bash_command_line_history.toml # rules/linux/defense_evasion_timestomp_touch.toml # rules/linux/privilege_escalation_setgid_bit_set_via_chmod.toml # rules/macos/credential_access_credentials_keychains.toml # rules/macos/credential_access_promt_for_pwd_via_osascript.toml # rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml # rules/network/command_and_control_cobalt_strike_default_teamserver_cert.toml # rules/promotions/external_alerts.toml # rules/windows/collection_email_powershell_exchange_mailbox.toml # rules/windows/collection_persistence_powershell_exch_mailbox_activesync_add_device.toml # rules/windows/collection_winrar_encryption.toml # rules/windows/command_and_control_common_webservices.toml # rules/windows/command_and_control_encrypted_channel_freesslcert.toml # rules/windows/command_and_control_remote_file_copy_desktopimgdownldr.toml # rules/windows/command_and_control_remote_file_copy_mpcmdrun.toml # rules/windows/command_and_control_teamviewer_remote_file_copy.toml # rules/windows/credential_access_cmdline_dump_tool.toml # rules/windows/credential_access_copy_ntds_sam_volshadowcp_cmdline.toml # rules/windows/credential_access_credential_dumping_msbuild.toml # rules/windows/credential_access_domain_backup_dpapi_private_keys.toml # rules/windows/credential_access_dump_registry_hives.toml # rules/windows/credential_access_iis_apppoolsa_pwd_appcmd.toml # rules/windows/credential_access_iis_connectionstrings_dumping.toml # rules/windows/credential_access_kerberoasting_unusual_process.toml # rules/windows/credential_access_lsass_memdump_file_created.toml # rules/windows/credential_access_mimikatz_memssp_default_logs.toml # rules/windows/defense_evasion_adding_the_hidden_file_attribute_with_via_attribexe.toml # rules/windows/defense_evasion_clearing_windows_event_logs.toml # rules/windows/defense_evasion_code_injection_conhost.toml # rules/windows/defense_evasion_cve_2020_0601.toml # rules/windows/defense_evasion_delete_volume_usn_journal_with_fsutil.toml # rules/windows/defense_evasion_deleting_backup_catalogs_with_wbadmin.toml # rules/windows/defense_evasion_disable_windows_firewall_rules_with_netsh.toml # rules/windows/defense_evasion_dotnet_compiler_parent_process.toml # rules/windows/defense_evasion_enable_inbound_rdp_with_netsh.toml # rules/windows/defense_evasion_encoding_or_decoding_files_via_certutil.toml # rules/windows/defense_evasion_execution_lolbas_wuauclt.toml # rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml # rules/windows/defense_evasion_execution_msbuild_started_by_script.toml # rules/windows/defense_evasion_execution_msbuild_started_by_system_process.toml # rules/windows/defense_evasion_execution_msbuild_started_renamed.toml # rules/windows/defense_evasion_execution_msbuild_started_unusal_process.toml # rules/windows/defense_evasion_execution_suspicious_explorer_winword.toml # rules/windows/defense_evasion_execution_via_trusted_developer_utilities.toml # rules/windows/defense_evasion_hide_encoded_executable_registry.toml # rules/windows/defense_evasion_iis_httplogging_disabled.toml # rules/windows/defense_evasion_injection_msbuild.toml # rules/windows/defense_evasion_masquerading_as_elastic_endpoint_process.toml # rules/windows/defense_evasion_masquerading_renamed_autoit.toml # rules/windows/defense_evasion_masquerading_suspicious_werfault_childproc.toml # rules/windows/defense_evasion_masquerading_trusted_directory.toml # rules/windows/defense_evasion_modification_of_boot_config.toml # rules/windows/defense_evasion_port_forwarding_added_registry.toml # rules/windows/defense_evasion_scheduledjobs_at_protocol_enabled.toml # rules/windows/defense_evasion_sdelete_like_filename_rename.toml # rules/windows/defense_evasion_solarwinds_backdoor_service_disabled_via_registry.toml # rules/windows/defense_evasion_suspicious_managedcode_host_process.toml # rules/windows/defense_evasion_suspicious_zoom_child_process.toml # rules/windows/defense_evasion_system_critical_proc_abnormal_file_activity.toml # rules/windows/defense_evasion_unusual_dir_ads.toml # rules/windows/defense_evasion_unusual_system_vp_child_program.toml # rules/windows/defense_evasion_via_filter_manager.toml # rules/windows/defense_evasion_volume_shadow_copy_deletion_via_wmic.toml # rules/windows/discovery_adfind_command_activity.toml # rules/windows/discovery_admin_recon.toml # rules/windows/discovery_file_dir_discovery.toml # rules/windows/discovery_net_command_system_account.toml # rules/windows/discovery_net_view.toml # rules/windows/discovery_peripheral_device.toml # rules/windows/discovery_process_discovery_via_tasklist_command.toml # rules/windows/discovery_query_registry_via_reg.toml # rules/windows/discovery_remote_system_discovery_commands_windows.toml # rules/windows/discovery_security_software_wmic.toml # rules/windows/discovery_whoami_command_activity.toml # rules/windows/execution_apt_solarwinds_backdoor_child_cmd_powershell.toml # rules/windows/execution_apt_solarwinds_backdoor_unusual_child_processes.toml # rules/windows/execution_command_shell_started_by_powershell.toml # rules/windows/execution_command_shell_started_by_svchost.toml # rules/windows/execution_command_shell_started_by_unusual_process.toml # rules/windows/execution_command_shell_via_rundll32.toml # rules/windows/execution_from_unusual_directory.toml # rules/windows/execution_from_unusual_path_cmdline.toml # rules/windows/execution_shared_modules_local_sxs_dll.toml # rules/windows/execution_suspicious_cmd_wmi.toml # rules/windows/execution_suspicious_image_load_wmi_ms_office.toml # rules/windows/execution_suspicious_pdf_reader.toml # rules/windows/execution_suspicious_powershell_imgload.toml # rules/windows/execution_suspicious_psexesvc.toml # rules/windows/execution_suspicious_short_program_name.toml # rules/windows/execution_via_compiled_html_file.toml # rules/windows/execution_via_hidden_shell_conhost.toml # rules/windows/execution_via_net_com_assemblies.toml # rules/windows/execution_via_xp_cmdshell_mssql_stored_procedure.toml # rules/windows/impact_volume_shadow_copy_deletion_via_vssadmin.toml # rules/windows/initial_access_script_executing_powershell.toml # rules/windows/initial_access_suspicious_ms_office_child_process.toml # rules/windows/initial_access_suspicious_ms_outlook_child_process.toml # rules/windows/initial_access_unusual_dns_service_children.toml # rules/windows/initial_access_unusual_dns_service_file_writes.toml # rules/windows/initial_access_via_explorer_suspicious_child_parent_args.toml # rules/windows/lateral_movement_execution_from_tsclient_mup.toml # rules/windows/lateral_movement_local_service_commands.toml # rules/windows/lateral_movement_mount_hidden_or_webdav_share_net.toml # rules/windows/lateral_movement_rdp_enabled_registry.toml # rules/windows/lateral_movement_rdp_tunnel_plink.toml # rules/windows/lateral_movement_remote_file_copy_hidden_share.toml # rules/windows/lateral_movement_suspicious_rdp_client_imageload.toml # rules/windows/lateral_movement_via_startup_folder_rdp_smb.toml # rules/windows/persistence_adobe_hijack_persistence.toml # rules/windows/persistence_appcertdlls_registry.toml # rules/windows/persistence_appinitdlls_registry.toml # rules/windows/persistence_evasion_registry_ifeo_injection.toml # rules/windows/persistence_gpo_schtask_service_creation.toml # rules/windows/persistence_local_scheduled_task_commands.toml # rules/windows/persistence_ms_office_addins_file.toml # rules/windows/persistence_ms_outlook_vba_template.toml # rules/windows/persistence_priv_escalation_via_accessibility_features.toml # rules/windows/persistence_registry_uncommon.toml # rules/windows/persistence_run_key_and_startup_broad.toml # rules/windows/persistence_services_registry.toml # rules/windows/persistence_startup_folder_file_written_by_suspicious_process.toml # rules/windows/persistence_startup_folder_scripts.toml # rules/windows/persistence_suspicious_com_hijack_registry.toml # rules/windows/persistence_suspicious_image_load_scheduled_task_ms_office.toml # rules/windows/persistence_suspicious_scheduled_task_runtime.toml # rules/windows/persistence_suspicious_service_created_registry.toml # rules/windows/persistence_system_shells_via_services.toml # rules/windows/persistence_user_account_creation.toml # rules/windows/persistence_via_application_shimming.toml # rules/windows/persistence_via_hidden_run_key_valuename.toml # rules/windows/persistence_via_lsa_security_support_provider_registry.toml # rules/windows/persistence_via_telemetrycontroller_scheduledtask_hijack.toml # rules/windows/persistence_via_update_orchestrator_service_hijack.toml # rules/windows/persistence_via_windows_management_instrumentation_event_subscription.toml # rules/windows/privilege_escalation_named_pipe_impersonation.toml # rules/windows/privilege_escalation_printspooler_service_suspicious_file.toml # rules/windows/privilege_escalation_printspooler_suspicious_spl_file.toml # rules/windows/privilege_escalation_rogue_windir_environment_var.toml # rules/windows/privilege_escalation_uac_bypass_com_clipup.toml # rules/windows/privilege_escalation_uac_bypass_com_ieinstal.toml # rules/windows/privilege_escalation_uac_bypass_com_interface_icmluautil.toml # rules/windows/privilege_escalation_uac_bypass_diskcleanup_hijack.toml # rules/windows/privilege_escalation_uac_bypass_dll_sideloading.toml # rules/windows/privilege_escalation_uac_bypass_event_viewer.toml # rules/windows/privilege_escalation_uac_bypass_mock_windir.toml # rules/windows/privilege_escalation_uac_bypass_winfw_mmc_hijack.toml # rules/windows/privilege_escalation_unusual_parentchild_relationship.toml # rules/windows/privilege_escalation_unusual_svchost_childproc_childless.toml	2021-02-17 12:18:06 -09:00
Justin Ibarra	61deed3fd2	[Rule Tuning] 7.11.2: Add timestamp_override to all query and non-sequence EQL rules (#948 ) * [Rule Tuning] Add timestamp_override field to 7.11.0 rules * Lock versions for 7.11.2 rules	2021-02-16 10:52:48 -09:00
Justin Ibarra	4e6ff388fc	[Rule Tuning] Feedback from 7.12 Kibana PR (#942 )	2021-02-11 13:32:58 -09:00
Brent Murphy	190b4ea67e	[Rule Tuning] User Added to Privileged Group in Active Directory (#941 ) * Update persistence_user_account_added_to_privileged_group_ad.toml * updated date	2021-02-10 16:41:49 -05:00
Simon	250bb4cc27	Add Rule to Detect User creation via Eventlog (#794 ) * Add Rule to Detect User creation via Eventlog * Apply suggestions from code review Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * Update persistence_user_account_creation_event_logs.toml * update with fp info * Update persistence_user_account_creation_event_logs.toml * Update rules/windows/persistence_user_account_creation_event_logs.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-10 15:48:33 -05:00
Simon	f1788ec6de	[New Rule] User Added to Privileged Group in Active Directory (#827 ) * [New Rule] User Added to Privileged Group in Active Directory * Apply suggestions from code review Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * add lookback * update description * lint and add reference Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-10 14:53:15 -05:00
Andrew Stucki	6e77f5176d	[New Rule] auditd login anomalies (#33 ) * Add auditd login anomaly rules * Flip logic to start with less-specific filters * remove event.category from queries and update metadata * surround event.action with quotes to account for dash * update tags Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-10 14:24:55 -05:00
Austin Songer	17032194d8	[Rule Tuning] Suspicious WerFault Child Process (#915 ) * Update defense_evasion_masquerading_suspicious_werfault_childproc.toml Added Article "How to Design Abnormal Child Processes Rules without Telemetry" * bump updated_date Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-10 14:17:57 -05:00
Samirbous	2b7b1a6ab0	[Rule Tuning] Persistence via Update Orchestrator Service Hijack (#939 ) * [Rule Tuning] Persistence via Update Orchestrator Service Hijack * updated date and added execpath * Update rules/windows/persistence_via_update_orchestrator_service_hijack.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-10 20:11:45 +01:00
Nic	cbe1b66b87	[Rule Tuning] Exclude Windows Error Reporting & Printer Driver (#929 )	2021-02-10 08:53:04 -09:00
Samirbous	497ddcbb58	[New Rule] Suspicious Python Script Execution via the CommandLine (#852 ) * [New Rule] Suspicious Python Script Execution via the CommandLine * kql optimz * Update rules/cross-platform/execution_python_script_in_cmdline.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/execution_python_script_in_cmdline.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * added subtechnique * Update rules/cross-platform/execution_python_script_in_cmdline.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * converted to eql * Update rules/cross-platform/execution_python_script_in_cmdline.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * relinted Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-10 18:37:03 +01:00
Samirbous	f13e9ce0d0	[New Rule] Shell Profile Modification (#878 ) * [New Rule] Shell Profile Modification * added auditbeat index * Update persistence_shell_profile_modification.toml * excluding noisy processes * Update rules/cross-platform/persistence_shell_profile_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_shell_profile_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_shell_profile_modification.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/cross-platform/persistence_shell_profile_modification.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * added note short desc * Update persistence_shell_profile_modification.toml * added FPs note Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-10 17:44:15 +01:00
Brent Murphy	9421ccfad7	[New Rule] Unusual File Creation - Alternate Data Stream (#902 ) * Create defense_evasion_unusual_ads_file_creation.toml * lint * spacing * add logs-windows.* * Apply suggestions from code review Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * lint Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-10 09:28:25 -05:00
Brent Murphy	f08312ec7f	[New Rule] Disabling User Account Control via Registry (#892 ) * Create privilege_escalation_disable_uac_registry.toml * Apply suggestions from code review Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * lint * spacing * add logs-windows.* * minor syntax change and final lint Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-02-10 09:11:45 -05:00
Brent Murphy	c5d6cbc2e4	[New Rule] Potential LSA Authentication Package Abuse (#903 ) * Create privilege_escalation_lsa_auth_package.toml * bump risk and sev * spacing * add logs-windows.* * Update rules/windows/privilege_escalation_lsa_auth_package.toml Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> * Update privilege_escalation_lsa_auth_package.toml * Update rules/windows/privilege_escalation_lsa_auth_package.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> * final lint Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-10 09:00:58 -05:00
Samirbous	142a26a010	[New Rule] Suspicious Adobe Acrobat Updates Service Child Process (#886 ) * [New Rule] Suspicious Adobe Acrobat Updates Service Child Process * Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/macos/privilege_escalation_exploit_adobe_acrobat_updater.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-10 14:08:37 +01:00
Samirbous	58f0bf5998	[Rule Tuning] Attempt to Remove File Quarantine Attribute (#781 ) * [Rule Tuning] Attempt to Remove File Quarantine Attribute * Update defense_evasion_attempt_del_quarantine_attrib.toml * adjusted query coverage * Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/defense_evasion_attempt_del_quarantine_attrib.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * date Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>	2021-02-10 10:45:50 +01:00
Samirbous	7fc5ba1646	[New Rule] Persistence via Cron Tasks (#867 ) * [New Rule] Persistence via Cron Tasks * Update persistence_cron_jobs_creation_and_runtime.toml * Update persistence_cron_jobs_creation_and_runtime.toml * excluded noisy procs and root user * moved to cross-platform * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * excluding root user * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * relinted * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/cross-platform/persistence_cron_jobs_creation_and_runtime.toml Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com> Co-authored-by: Andrew Pease <7442091+peasead@users.noreply.github.com> Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>	2021-02-10 10:28:22 +01:00
Samirbous	51498f6022	[New Rule] Attempt to Mount an SMB Share via Command-line (#914 ) * [New Rule] Attempt to Mount an SMB Share via Command-line * fixed tactic_id * 2021! * Update lateral_movement_mounting_smb_share.toml * Update rules/macos/lateral_movement_mounting_smb_share.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/lateral_movement_mounting_smb_share.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * Update rules/macos/lateral_movement_mounting_smb_share.toml Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> * lint rule Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com> Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>	2021-02-09 22:08:30 +01:00

1 2 3 4 5 ...

450 Commits